1212e177454b1ffa0e50e35281f6061133b6707faada829852a408020fbba615

Analysis

max time kernel
10s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe
Size

38KB
MD5

ad7957ed9393e8548de6f18b2a665103
SHA1

61236345a9758b9f751ac00d7b99ddd7c8d3e34e
SHA256

1212e177454b1ffa0e50e35281f6061133b6707faada829852a408020fbba615
SHA512

f54a8881e04e0c84c4b40ca28441b4bff3610716557fc74ae85365f06989ec97abb01a70a593f53ad1c7bbf9ba72c6ecc92344b6932f7b7a7d367e1ff59265fb
SSDEEP

768:ecNnfawyp9q44b54VaSpalGg/o+pBBr8tyJ7OoW3KcW19:eA7ypI4qOCzJfJU3u9

Score

7^/10

adware discovery evasion execution stealer trojan

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
1684	regsvr32.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D5CFEFD-B746-58EA-C282-C970A5E9E068}	regsvr32.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\LURA3OASZZ\U7BGMV8.EXE	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe
File opened for modification	C:\Program Files\LURA3OASZZ\U7BGMV8.EXE	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\BXRRMKYSBYCQOG.txt	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe
File created	C:\Windows\BXRRMKYSBYCQOG.dll	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies registry class 46 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4D5CFEFD-B746-58EA-C282-C970A5E9E068}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4D5CFEFD-B746-58EA-C282-C970A5E9E068}\TypeLib\ = "{97EFC6B7-C73A-423E-8458-82C589CA7E3B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer\ = "Thunder.xunlei.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4D5CFEFD-B746-58EA-C282-C970A5E9E068}\InprocServer32\ = "C:\\Windows\\BXRRMKYSBYCQOG.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4D5CFEFD-B746-58EA-C282-C970A5E9E068}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4D5CFEFD-B746-58EA-C282-C970A5E9E068}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4D5CFEFD-B746-58EA-C282-C970A5E9E068}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\HELPDIR\ = "C:\\Windows"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{97EFC6B7-C73A-423E-8458-82C589CA7E3B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID\ = "{4D5CFEFD-B746-58EA-C282-C970A5E9E068}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4D5CFEFD-B746-58EA-C282-C970A5E9E068}\ = "xunlei Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4D5CFEFD-B746-58EA-C282-C970A5E9E068}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4D5CFEFD-B746-58EA-C282-C970A5E9E068}\VersionIndependentProgID\ = "Thunder.xunlei"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\ = "xunlei Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\ = "Thunder 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{97EFC6B7-C73A-423E-8458-82C589CA7E3B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\ = "xunlei Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4D5CFEFD-B746-58EA-C282-C970A5E9E068}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4D5CFEFD-B746-58EA-C282-C970A5E9E068}\ProgID\ = "Thunder.xunlei.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4D5CFEFD-B746-58EA-C282-C970A5E9E068}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\0\win32\ = "C:\\Windows\\BXRRMKYSBYCQOG.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID\ = "{4D5CFEFD-B746-58EA-C282-C970A5E9E068}"	regsvr32.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
1796	reg.exe
4032	reg.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1420	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe
1420	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe
1420	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe
1420	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe
1420	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 1684	1420	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe	93
PID 1420 wrote to memory of 1684	1420	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe	93
PID 1420 wrote to memory of 1684	1420	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe	93
PID 1420 wrote to memory of 4248	1420	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe	94
PID 1420 wrote to memory of 4248	1420	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe	94
PID 1420 wrote to memory of 4248	1420	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe	94
PID 1420 wrote to memory of 3756	1420	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe	95
PID 1420 wrote to memory of 3756	1420	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe	95
PID 1420 wrote to memory of 3756	1420	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe	95
PID 4248 wrote to memory of 1668	4248	cmd.exe	98
PID 4248 wrote to memory of 1668	4248	cmd.exe	98
PID 4248 wrote to memory of 1668	4248	cmd.exe	98
PID 3756 wrote to memory of 3192	3756	cmd.exe	99
PID 3756 wrote to memory of 3192	3756	cmd.exe	99
PID 3756 wrote to memory of 3192	3756	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Windows\BXRRMKYSBYCQOG.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\SOSLDHUIG.BAT" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4248
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s msvidctl.dll
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1668
- - C:\Windows\SysWOW64\reg.exe
    reg.exe delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /F
    3⤵
    - Modifies registry key
    PID:1796
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s itss.dll
    3⤵
    PID:4048
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Disable Script Debugger" /t REG_SZ /d yes /F
    3⤵
    PID:3952
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v DisableScriptDebuggerIE /t REG_SZ /d yes /F
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s vbscript.dll
    3⤵
    PID:4680
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s scrrun.dll
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s jscript.dll
    3⤵
    PID:4768
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Animations /t REG_SZ /d no /F
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Images" /t REG_SZ /d yes /F
    3⤵
    PID:2428
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Videos" /t REG_SZ /d no /F
    3⤵
    PID:4136
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Background_Sounds /t REG_SZ /d no /F
    3⤵
    PID:3760
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Background_Sounds /t REG_SZ /d no /F
    3⤵
    PID:912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\SOSLDHUIG.BAT
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3756
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s msvidctl.dll
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3192
- - C:\Windows\SysWOW64\reg.exe
    reg.exe delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /F
    3⤵
    - Modifies registry key
    PID:4032
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s itss.dll
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Disable Script Debugger" /t REG_SZ /d yes /F
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v DisableScriptDebuggerIE /t REG_SZ /d yes /F
    3⤵
    PID:456
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s vbscript.dll
    3⤵
    PID:3272
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s scrrun.dll
    3⤵
    PID:2900
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s jscript.dll
    3⤵
    PID:2344
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Animations /t REG_SZ /d no /F
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Images" /t REG_SZ /d yes /F
    3⤵
    PID:1200
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Videos" /t REG_SZ /d no /F
    3⤵
    PID:1060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SOSLDHUIG.BAT

Filesize
1KB

MD5
39738ae0a11bb14a55dc0b4c915dd712

SHA1
4dbba6ec5c40a5ba477ed53af9b1a6a43d67c1ed

SHA256
8bbeab6abb20ca78e75ca611e0617b2d5364df2742f0bb6011fdd7b56b07a533

SHA512
87b2e24aa2446cfae60e1266d37e2696a6d633bd056c64be15b90d38fb1573e88d35dbcb4ebafef5ea58def118fbeb3a8979a0d918a7b95c247b998a842c181a

Download Submit
C:\Windows\BXRRMKYSBYCQOG.dll

Filesize
28KB

MD5
6bac5f7e22a8ff799e0f1c4f8d7b457f

SHA1
a6d290d7eed0aebdca77607e4e1bf170b73c1c21

SHA256
e59bcdf77a7167979f63b3a0e26320c30d469d8e26a2197ae8f15f1726c747f6

SHA512
368a2f7dc137c6766867c2b04dc6017228a43238748b061bd36c18b25a60d0ad943b4d4b0598fc40bd568b9ab274dd87e49a518a1e9149ccd0284b28b408b40c

Download Submit
C:\Windows\BXRRMKYSBYCQOG.txt

Filesize
38KB

MD5
feac69776b79259a45af2f2098c778c8

SHA1
3f6a7f1673078d306f439b17f983837917f5b707

SHA256
1d296e72810ea2d3c74f48f2fc9242416f3a4353201cb61bd5a29dbb2cc52b1c

SHA512
671d58071f0c8778a41689b9ad34426c940dad0d282025a1f1e0b2ae4a15b0c5b4c036c19c76099375f06a0e40503a0f9eb34ebe21133b4586c101ae3158366f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads