strrat | 3cdadd4d8492cfe342f9f74529566ed6c1b451ba669509b59ffaf2965bce0750

Resubmissions

09-08-2024 08:38

240809-kjxr2sycnr 10

27-07-2020 18:35

200727-l5jrnfh3sx 8

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-08-2024 08:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ACCORD POUR COMMISSION A PRELEVER.PDF.vbs
Size

246KB
MD5

6b23cda6ddc86713d63e5b6bb853a909
SHA1

7c12556e23a5b283846572fc9a1d70b01d306c1d
SHA256

3cdadd4d8492cfe342f9f74529566ed6c1b451ba669509b59ffaf2965bce0750
SHA512

9bd88a406202b539ec6cfb271c7c02b0ac2659d3c925aed20d1680d919f841fbef89566d33f29cca2fd1ebd5641b5a7ee17562eaa5dce447f89256cc470f1eeb
SSDEEP

3072:aUo5/dXbshimRExcL2RXdoAhhI/Q7fgv1fJ5N3+OKFX8bQrzEbM0TC1I+M8IqeCa:arjPmR96gAjI4S1+ybAIA9jdye9Bi

Score

10^/10

strrat wshrat persistence stealer trojan

Malware Config

Extracted

Family

strrat

chance2021.ddns.net:8887

tasklistmgr.duckdns.org:7188

Attributes

license_id
XXMC-VBCA-4RWE-KGDF-XX7X
plugins_url
http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
scheduled_task
true
secondary_startup
true
startup
true

Extracted

Family

wshrat

http://pluginsrv2.duckdns.org:8899

Signatures

STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
trojan stealer strrat
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 25 IoCs

flow	pid	Process
2	3232	WScript.exe
31	3232	WScript.exe
44	3232	WScript.exe
46	3232	WScript.exe
53	3232	WScript.exe
55	3232	WScript.exe
74	3232	WScript.exe
77	3232	WScript.exe
80	3232	WScript.exe
83	3232	WScript.exe
86	3232	WScript.exe
90	3232	WScript.exe
97	3232	WScript.exe
101	3232	WScript.exe
104	3232	WScript.exe
107	3232	WScript.exe
109	3232	WScript.exe
117	3232	WScript.exe
120	3232	WScript.exe
123	3232	WScript.exe
126	3232	WScript.exe
129	3232	WScript.exe
132	3232	WScript.exe
137	3232	WScript.exe
140	3232	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mZIHvZJhYf.vbs	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ntfsmgr.jar	java.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mZIHvZJhYf.vbs	WScript.exe

Loads dropped DLL 3 IoCs

pid	Process
2152	java.exe
868	java.exe
1304	java.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mZIHvZJhYf = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\mZIHvZJhYf.vbs\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mZIHvZJhYf = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\mZIHvZJhYf.vbs\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntfsmgr = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ntfsmgr.jar\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntfsmgr = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ntfsmgr.jar\""	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntfsmgr = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ntfsmgr.jar\""	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plugins = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\plugins.jar\" mp"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plugins = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\plugins.jar\" mp"	java.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
48	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
41	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
316	schtasks.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1068	WMIC.exe
Token: SeSecurityPrivilege	1068	WMIC.exe
Token: SeTakeOwnershipPrivilege	1068	WMIC.exe
Token: SeLoadDriverPrivilege	1068	WMIC.exe
Token: SeSystemProfilePrivilege	1068	WMIC.exe
Token: SeSystemtimePrivilege	1068	WMIC.exe
Token: SeProfSingleProcessPrivilege	1068	WMIC.exe
Token: SeIncBasePriorityPrivilege	1068	WMIC.exe
Token: SeCreatePagefilePrivilege	1068	WMIC.exe
Token: SeBackupPrivilege	1068	WMIC.exe
Token: SeRestorePrivilege	1068	WMIC.exe
Token: SeShutdownPrivilege	1068	WMIC.exe
Token: SeDebugPrivilege	1068	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1068	WMIC.exe
Token: SeRemoteShutdownPrivilege	1068	WMIC.exe
Token: SeUndockPrivilege	1068	WMIC.exe
Token: SeManageVolumePrivilege	1068	WMIC.exe
Token: 33	1068	WMIC.exe
Token: 34	1068	WMIC.exe
Token: 35	1068	WMIC.exe
Token: 36	1068	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1068	WMIC.exe
Token: SeSecurityPrivilege	1068	WMIC.exe
Token: SeTakeOwnershipPrivilege	1068	WMIC.exe
Token: SeLoadDriverPrivilege	1068	WMIC.exe
Token: SeSystemProfilePrivilege	1068	WMIC.exe
Token: SeSystemtimePrivilege	1068	WMIC.exe
Token: SeProfSingleProcessPrivilege	1068	WMIC.exe
Token: SeIncBasePriorityPrivilege	1068	WMIC.exe
Token: SeCreatePagefilePrivilege	1068	WMIC.exe
Token: SeBackupPrivilege	1068	WMIC.exe
Token: SeRestorePrivilege	1068	WMIC.exe
Token: SeShutdownPrivilege	1068	WMIC.exe
Token: SeDebugPrivilege	1068	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1068	WMIC.exe
Token: SeRemoteShutdownPrivilege	1068	WMIC.exe
Token: SeUndockPrivilege	1068	WMIC.exe
Token: SeManageVolumePrivilege	1068	WMIC.exe
Token: 33	1068	WMIC.exe
Token: 34	1068	WMIC.exe
Token: 35	1068	WMIC.exe
Token: 36	1068	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4460	WMIC.exe
Token: SeSecurityPrivilege	4460	WMIC.exe
Token: SeTakeOwnershipPrivilege	4460	WMIC.exe
Token: SeLoadDriverPrivilege	4460	WMIC.exe
Token: SeSystemProfilePrivilege	4460	WMIC.exe
Token: SeSystemtimePrivilege	4460	WMIC.exe
Token: SeProfSingleProcessPrivilege	4460	WMIC.exe
Token: SeIncBasePriorityPrivilege	4460	WMIC.exe
Token: SeCreatePagefilePrivilege	4460	WMIC.exe
Token: SeBackupPrivilege	4460	WMIC.exe
Token: SeRestorePrivilege	4460	WMIC.exe
Token: SeShutdownPrivilege	4460	WMIC.exe
Token: SeDebugPrivilege	4460	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4460	WMIC.exe
Token: SeRemoteShutdownPrivilege	4460	WMIC.exe
Token: SeUndockPrivilege	4460	WMIC.exe
Token: SeManageVolumePrivilege	4460	WMIC.exe
Token: 33	4460	WMIC.exe
Token: 34	4460	WMIC.exe
Token: 35	4460	WMIC.exe
Token: 36	4460	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4460	WMIC.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 3232	1736	WScript.exe	83
PID 1736 wrote to memory of 3232	1736	WScript.exe	83
PID 1736 wrote to memory of 2476	1736	WScript.exe	84
PID 1736 wrote to memory of 2476	1736	WScript.exe	84
PID 2476 wrote to memory of 1248	2476	cmd.exe	86
PID 2476 wrote to memory of 1248	2476	cmd.exe	86
PID 1736 wrote to memory of 2952	1736	WScript.exe	89
PID 1736 wrote to memory of 2952	1736	WScript.exe	89
PID 2952 wrote to memory of 2152	2952	javaw.exe	92
PID 2952 wrote to memory of 2152	2952	javaw.exe	92
PID 2152 wrote to memory of 2372	2152	java.exe	94
PID 2152 wrote to memory of 2372	2152	java.exe	94
PID 2152 wrote to memory of 868	2152	java.exe	95
PID 2152 wrote to memory of 868	2152	java.exe	95
PID 2372 wrote to memory of 316	2372	cmd.exe	98
PID 2372 wrote to memory of 316	2372	cmd.exe	98
PID 868 wrote to memory of 1304	868	java.exe	99
PID 868 wrote to memory of 1304	868	java.exe	99
PID 868 wrote to memory of 4456	868	java.exe	101
PID 868 wrote to memory of 4456	868	java.exe	101
PID 4456 wrote to memory of 1068	4456	cmd.exe	103
PID 4456 wrote to memory of 1068	4456	cmd.exe	103
PID 868 wrote to memory of 3812	868	java.exe	104
PID 868 wrote to memory of 3812	868	java.exe	104
PID 3812 wrote to memory of 4460	3812	cmd.exe	106
PID 3812 wrote to memory of 4460	3812	cmd.exe	106
PID 868 wrote to memory of 3580	868	java.exe	107
PID 868 wrote to memory of 3580	868	java.exe	107
PID 3580 wrote to memory of 4424	3580	cmd.exe	109
PID 3580 wrote to memory of 4424	3580	cmd.exe	109
PID 868 wrote to memory of 860	868	java.exe	110
PID 868 wrote to memory of 860	868	java.exe	110
PID 860 wrote to memory of 4676	860	cmd.exe	112
PID 860 wrote to memory of 4676	860	cmd.exe	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ACCORD POUR COMMISSION A PRELEVER.PDF.vbs"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\mZIHvZJhYf.vbs"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Adds Run key to start application
  PID:3232
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -version 2> C:\Users\Admin\AppData\Local\Temp\output.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -version
    3⤵
    PID:1248
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Program Files\Java\jre-1.8\bin\java.exe
    "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\ntfsmgr.jar"
    3⤵
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2372
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:316
  - - C:\Program Files\Java\jre-1.8\bin\java.exe
      "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:868
    - - C:\Program Files\Java\jre-1.8\bin\java.exe
        
        "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\plugins.jar" mp
        5⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1304
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4456
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1068
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3812
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4460
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3580
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
        6⤵
        
        PID:4424
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:860
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list
        6⤵
        
        PID:4676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
3d740e4583c84be82c96b00055debcd3

SHA1
487ae1e4801db12cc6f0e4b673a7038ac15f672c

SHA256
08a9adba511ea28750fa7d61cb122799bc20a0a7466037d80ef9f9745f2d8567

SHA512
586813a34d475c9f194a9edb40ef7ba9d59a00287f04b5dda3dddebf631ce2c3da3f673fe11a3b23e94921ce72f110a781d447c2e44ccdf9bd765d7d4d4ff0ed

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
528e4a9b421435f04bbc41d9f680c395

SHA1
a5e90e1efcdfeb4dcc789e2a809f87fdbfef88b4

SHA256
fe0d1e333869fdf95d29184eda7ed30916437469a479511f6f50033ee63a26b0

SHA512
7cbc9b10d837d277045e2d3a9473801af5e7c34f737fd2a281727c81175a5b2ca23b8e1be7deef2d2b5ad299fb57d8f5192695d74dc41a3bb736568f47f2dd00

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
578f49dd15f25ff82e62567efad7b7d2

SHA1
f5098fd7a9b8882f856e0dd230a50b76d4e0dfb3

SHA256
80b6eca6a7502c4e867a9e10c0cd2df4fe23f94abb50bcc57e4406ef04658731

SHA512
831b44ca640acacbc3943e3a72a2aabcac2385121717a37a394eba9e98456f006fbc29b11298401f186e297c20c68c53b46ed4d32ffe876963a7a6ba2ed4ccaa

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
297f293ca6187298ab9f9c0f1bec3ea3

SHA1
837e164e2371a411e3418272d4e41033be593655

SHA256
72ff67e553c1b1cb30c24fe4ba411c7612631bd218e1faf508b5c299756e6a0f

SHA512
a44fbd31e84de2abda0168369d25f1c1bd7f674449e0c345bbcae40ee490b42552de8fb42e571bb152bd91f147402bb54236d35afde5fbbf55ddffb53db2fdd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna7321703700185537216.dll

Filesize
241KB

MD5
e02979ecd43bcc9061eb2b494ab5af50

SHA1
3122ac0e751660f646c73b10c4f79685aa65c545

SHA256
a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

SHA512
1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt

Filesize
147B

MD5
878f394e749aeb94775a31acccc09414

SHA1
4255a663fa9b4c141fde96869071d1d29450ced8

SHA256
afdd2e30a49d992e02746954a658ca1d8af5460c2f70607ecdb2b68883cfc421

SHA512
23637278397943d779cab6b6f3730d5708c8374ac18bed4f4e6b69a63a7e5304d39c5c2c8c48206812d0a2f0cc209620c92c57a39bb489ec9fad63a323f5d12d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-355097885-2402257403-2971294179-1000\83aa4cc77f591dfc2374580bbd95f6ba_30dd1cc1-5c25-4745-b2f5-cffa52b1a886

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\mZIHvZJhYf.vbs

Filesize
37KB

MD5
78146f57fb9a52ba473cea3f64bd9f9c

SHA1
5fda29f8a4ad72435fa7fb5ec607e83e5a213991

SHA256
b8179abe3ff542c5ac1655b427a79acaa3d507d2164aebaf1f0b004f08137077

SHA512
ef5828fa60a7a3994e6e1d5f2c2c5974731828d7d913d5a6fa2636d8505645d57b54feceadf8dd6e541daa7003c2298c923dd09557e884e32f01a5f61d3691a0

Download Submit
C:\Users\Admin\AppData\Roaming\ntfsmgr.jar

Filesize
91KB

MD5
6800ec9e36cb278f357fae3eca55e12b

SHA1
18126c7b1bb2349195563803e0415fe09ae4b98c

SHA256
4b01737ef8dcb9de21994b5b675d59aa7ebbd11eb7f4efeffa1c181b303e8f1c

SHA512
81b48082632eb8327ca0037790f36fbefe9f0c2f9288d06fb708535cee1cb20c99e0ec9c871e6edd3c115fa27dc5164f28d8e4c953f63b0d0363ed03616d47e0

Download Submit
C:\Users\Admin\lib\jna-5.5.0.jar

Filesize
1.4MB

MD5
acfb5b5fd9ee10bf69497792fd469f85

SHA1
0e0845217c4907822403912ad6828d8e0b256208

SHA256
b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e

SHA512
e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa

Download Submit
C:\Users\Admin\lib\jna-platform-5.5.0.jar

Filesize
2.6MB

MD5
2f4a99c2758e72ee2b59a73586a2322f

SHA1
af38e7c4d0fc73c23ecd785443705bfdee5b90bf

SHA256
24d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5

SHA512
b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494

Download Submit
C:\Users\Admin\lib\sqlite-jdbc-3.14.2.1.jar

Filesize
4.1MB

MD5
b33387e15ab150a7bf560abdc73c3bec

SHA1
66b8075784131f578ef893fd7674273f709b9a4c

SHA256
2eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491

SHA512
25cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279

Download Submit
C:\Users\Admin\lib\system-hook-3.5.jar

Filesize
772KB

MD5
e1aa38a1e78a76a6de73efae136cdb3a

SHA1
c463da71871f780b2e2e5dba115d43953b537daf

SHA256
2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609

SHA512
fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d

Download Submit
memory/868-186-0x000001EF86480000-0x000001EF86481000-memory.dmp

Filesize
4KB

Download
memory/868-228-0x000001EF86480000-0x000001EF86481000-memory.dmp

Filesize
4KB

Download
memory/1248-18-0x000001D384380000-0x000001D384381000-memory.dmp

Filesize
4KB

Download
memory/1304-224-0x000002AA58640000-0x000002AA58641000-memory.dmp

Filesize
4KB

Download
memory/1304-239-0x000002AA58640000-0x000002AA58641000-memory.dmp

Filesize
4KB

Download
memory/2152-137-0x0000028B88770000-0x0000028B88771000-memory.dmp

Filesize
4KB

Download
memory/2152-153-0x0000028B88770000-0x0000028B88771000-memory.dmp

Filesize
4KB

Download
memory/2952-100-0x0000023E63D50000-0x0000023E63D51000-memory.dmp

Filesize
4KB

Download
memory/2952-90-0x0000023E63D50000-0x0000023E63D51000-memory.dmp

Filesize
4KB

Download
memory/2952-81-0x0000023E63D50000-0x0000023E63D51000-memory.dmp

Filesize
4KB

Download
memory/2952-78-0x0000023E63D50000-0x0000023E63D51000-memory.dmp

Filesize
4KB

Download
memory/2952-59-0x0000023E63D50000-0x0000023E63D51000-memory.dmp

Filesize
4KB

Download
memory/2952-47-0x0000023E63D50000-0x0000023E63D51000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads