570610d2f1528a084e353bd021555828071bfb53dd468cf2f3c4376de4a907e3

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 13:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efeaf61884f24bbeaa102f6e0db825c2_JaffaCakes118.exe
Size

2.8MB
MD5

efeaf61884f24bbeaa102f6e0db825c2
SHA1

f2bbe1945df6d24bacfe26023b755d9bf2aef13a
SHA256

570610d2f1528a084e353bd021555828071bfb53dd468cf2f3c4376de4a907e3
SHA512

e23830729108830ee38cfe3cb35ddcc6de40bc28df9de439591b361d29722819ca09960c33e0782055225a18025241d805fe45c7f39d0a83cdad5bc8613f6c53
SSDEEP

49152:F/mU3ZPXAC0yRsjssRnFPCoz1rYZe0JKKyJkuDNZfjLu37sPV1shP7qbkz7F:FOYZPQOKSSYZlJEhZf87hD1p

Score

7^/10

discovery persistence privilege_escalation upx

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DFJPBHTNX.lnk	efeaf61884f24bbeaa102f6e0db825c2_JaffaCakes118.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 2 IoCs

pid	Process
2108	KDMADV
1124	uninstall.exe

Loads dropped DLL 5 IoCs

pid	Process
2420	efeaf61884f24bbeaa102f6e0db825c2_JaffaCakes118.exe
2420	efeaf61884f24bbeaa102f6e0db825c2_JaffaCakes118.exe
2108	KDMADV
1124	uninstall.exe
1124	uninstall.exe

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000015cd1-22.dat	upx
behavioral1/memory/2108-24-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2108-133-0x0000000000400000-0x0000000000427000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Winrar\Formats\7zxa.dll	KDMADV
File opened for modification	C:\Program Files (x86)\Winrar\uninstall.lng	KDMADV
File created	C:\Program Files (x86)\Winrar\Themes\WinRAR_Money 48x48.theme.rar	KDMADV
File opened for modification	C:\Program Files (x86)\Winrar\Rar.txt	KDMADV
File created	C:\Program Files (x86)\Winrar\RarExt64.dll	KDMADV
File opened for modification	C:\Program Files (x86)\Winrar\winrar.lng	KDMADV
File opened for modification	C:\Program Files (x86)\Winrar\Themes\Vista_Ultimate_48x48.theme.rar	KDMADV
File opened for modification	C:\Program Files (x86)\Winrar\File_Id.diz	KDMADV
File opened for modification	C:\Program Files (x86)\Winrar\Order.htm	KDMADV
File opened for modification	C:\Program Files (x86)\Winrar\Formats\iso.fmt	KDMADV
File opened for modification	C:\Program Files (x86)\Winrar\Themes\WinRAR_Jr_48x48.1_01.theme.rar	KDMADV
File opened for modification	C:\Program Files (x86)\Winrar\WinCon.SFX	KDMADV
File created	C:\Program Files (x86)\Winrar\Formats\iso.fmt	KDMADV
File opened for modification	C:\Program Files (x86)\Winrar\Themes\WinRAR_Noia_Bogart_48x48.theme.rar	KDMADV
File created	C:\Program Files (x86)\Winrar\Uninstall.lst	KDMADV
File opened for modification	C:\Program Files (x86)\Winrar\Uninstall.lst	KDMADV
File created	C:\Program Files (x86)\Winrar\Formats\arj.fmt	KDMADV
File created	C:\Program Files (x86)\Winrar\Themes\RARaddin_48x48.theme.rar	KDMADV
File opened for modification	C:\Program Files (x86)\Winrar\Themes\WinRAR_Objects 48x48.theme.rar	KDMADV
File opened for modification	C:\Program Files (x86)\Winrar\Formats\7zxa.dll	KDMADV
File opened for modification	C:\Program Files (x86)\Winrar\RarExt64.dll	KDMADV
File created	C:\Program Files (x86)\Winrar\Formats\ace.fmt	KDMADV
File opened for modification	C:\Program Files (x86)\Winrar\Formats\lzh.fmt	KDMADV
File created	C:\Program Files (x86)\Winrar\rarreg.key	KDMADV
File opened for modification	C:\Program Files (x86)\Winrar\Themes	KDMADV
File created	C:\Program Files (x86)\Winrar\Themes\WinRAR_Design 48x48.theme.rar	KDMADV
File created	C:\Program Files (x86)\Winrar\Leame.txt	KDMADV
File created	C:\Program Files (x86)\Winrar\Licencia.txt	KDMADV
File opened for modification	C:\Program Files (x86)\Winrar\Rar.exe	KDMADV
File created	C:\Program Files (x86)\Winrar\Formats\7z.fmt	KDMADV
File created	C:\Program Files (x86)\Winrar\Order.htm	KDMADV
File created	C:\Program Files (x86)\Winrar\winrar.lng	KDMADV
File opened for modification	C:\Program Files (x86)\Winrar\Themes\WinRAR_JOM_48x48.1_0.theme.rar	KDMADV
File opened for modification	C:\Program Files (x86)\Winrar\Zip.SFX	KDMADV
File created	C:\Program Files (x86)\Winrar\Themes\WinRAR_Smile_d_48x48.1_00.theme.rar	KDMADV
File opened for modification	C:\Program Files (x86)\Winrar\Descript.ion	KDMADV
File created	C:\Program Files (x86)\Winrar\NotasTec.txt	KDMADV
File created	C:\Program Files (x86)\Winrar\Formats\gz.fmt	KDMADV
File created	C:\Program Files (x86)\Winrar\Formats\z.fmt	KDMADV
File opened for modification	C:\Program Files (x86)\Winrar\Uninstall.exe	KDMADV
File opened for modification	C:\Program Files (x86)\Winrar\setup.s	KDMADV
File created	C:\Program Files (x86)\Winrar\Zip.SFX	KDMADV
File created	C:\Program Files (x86)\Winrar\WinRAR.exe	KDMADV
File opened for modification	C:\Program Files (x86)\Winrar\RarExt.dll	KDMADV
File opened for modification	C:\Program Files (x86)\Winrar\rarext.lng	KDMADV
File created	C:\Program Files (x86)\Winrar\Dos.SFX	KDMADV
File created	C:\Program Files (x86)\Winrar\uninstall.lng	KDMADV
File created	C:\Program Files (x86)\Winrar\WinCon.SFX	KDMADV
File opened for modification	C:\Program Files (x86)\Winrar\NotasTec.txt	KDMADV
File opened for modification	C:\Program Files (x86)\Winrar\Themes\WinRAR_Smile_d_48x48.1_00.theme.rar	KDMADV
File created	C:\Program Files (x86)\Winrar\rarnew.dat	uninstall.exe
File opened for modification	C:\Program Files (x86)\Winrar\Dos.SFX	KDMADV
File created	C:\Program Files (x86)\Winrar\__tmp_rar_sfx_access_check_259437384	KDMADV
File created	C:\Program Files (x86)\Winrar\Rar.exe	KDMADV
File opened for modification	C:\Program Files (x86)\Winrar\RarExtLoader.exe	KDMADV
File opened for modification	C:\Program Files (x86)\Winrar\Formats\UNACEV2.DLL	KDMADV
File opened for modification	C:\Program Files (x86)\Winrar\WhatsNew.txt	KDMADV
File opened for modification	C:\Program Files (x86)\Winrar\WinRAR.exe	KDMADV
File opened for modification	C:\Program Files (x86)\Winrar\Licencia.txt	KDMADV
File created	C:\Program Files (x86)\Winrar\Formats\bz2.fmt	KDMADV
File opened for modification	C:\Program Files (x86)\Winrar\Themes\WinRAR_Design 48x48.theme.rar	KDMADV
File opened for modification	C:\Program Files (x86)\Winrar\rar.lng	KDMADV
File opened for modification	C:\Program Files (x86)\Winrar\Leame.txt	KDMADV
File created	C:\Program Files (x86)\Winrar\Rar.txt	KDMADV

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efeaf61884f24bbeaa102f6e0db825c2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KDMADV
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uninstall.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xxe\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r06\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uu	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tgz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tgz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rev\ = "WinRAR.REV"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r02\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r04	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r26\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ace\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.uue\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WRTE.Document.1\UID	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r24\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r10	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r02	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\ = "Archivo WinRAR ZIP"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r03\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r22	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WRTE.Document.1	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r20	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ace	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz2	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r07\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon\ = "C:\\Program Files (x86)\\Winrar\\WinRAR.exe,0"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ShellNew	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tar\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files (x86)\\Winrar\\rarext64.dll"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r28	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r00	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r04\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r05\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lzh	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r11\ = "WinRAR"	uninstall.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2108	2420	efeaf61884f24bbeaa102f6e0db825c2_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2108	2420	efeaf61884f24bbeaa102f6e0db825c2_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2108	2420	efeaf61884f24bbeaa102f6e0db825c2_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2108	2420	efeaf61884f24bbeaa102f6e0db825c2_JaffaCakes118.exe	30
PID 2108 wrote to memory of 1124	2108	KDMADV	31
PID 2108 wrote to memory of 1124	2108	KDMADV	31
PID 2108 wrote to memory of 1124	2108	KDMADV	31
PID 2108 wrote to memory of 1124	2108	KDMADV	31
PID 2108 wrote to memory of 1124	2108	KDMADV	31
PID 2108 wrote to memory of 1124	2108	KDMADV	31
PID 2108 wrote to memory of 1124	2108	KDMADV	31

C:\Users\Admin\AppData\Local\Temp\efeaf61884f24bbeaa102f6e0db825c2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\efeaf61884f24bbeaa102f6e0db825c2_JaffaCakes118.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\KDMADV
  "C:\Users\Admin\AppData\Local\Temp\KDMADV"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Program Files (x86)\Winrar\uninstall.exe
    "C:\Program Files (x86)\Winrar\uninstall.exe" /setup /s
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Winrar\Rar.txt

Filesize
79KB

MD5
02895529cf23198acc7a4b5e49ce9f4b

SHA1
b9a871086b8aafa46b26cb538bc2fef796b2dbdb

SHA256
3cecdd7b52cb758265ff3212c753e559f2805a1aea83c52b160e051a172b2434

SHA512
cd85593d0e3dbe9ef8e4a90f8282e95f02bd1b0262543ceb07200814a7127810b7ba9bb22b460195ac1258d90d3d1ff9d1c4d434c785c68b2afe8074c8c72a63

Download Submit
C:\Program Files (x86)\Winrar\WinRAR.exe

Filesize
946KB

MD5
1191d84c20f70bb4d84ae689e3e57f07

SHA1
1ba1d6d6a3d66cf9472df63434ec7ca17ac3d951

SHA256
c075e812f293f1dcfce5dc4f8bcf3cd42f8a526deb9251c9af27726a85e969e2

SHA512
13660b8060c0cbd3fe7c7eb6677c058266e8a8658dd66a01c01300f75bb3cd14abf0f97375b3a1242904954255e1639bd6f2d0cace51899eac5ac9bea88ea16e

Download Submit
C:\Program Files (x86)\Winrar\uninstall.lng

Filesize
3KB

MD5
e03e107021c4e5b5a3bb87858aaabce3

SHA1
6d0251244b74e9fbe1358cd10936735a4eda1d82

SHA256
358fe6ea647eab82e3b2282b234c2a44fd5912067e51d1ef0f0c739d37f3ecb7

SHA512
e51857ae5d9d25f02d1789fdde3607124e981ccbda2c4372089bb915224849fb2a2b9aad129c33f134d14283d29f81eb52716d350463dcf169c4ba78d5d22dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\KDMADV

Filesize
2.7MB

MD5
0205797fc7e324f9c76dc0cea939ef7c

SHA1
29d3f0677e307c53c2e7ec4b6387c6578a867f6d

SHA256
cb81891482eb031146f8c3b41915145eb90ccc2506b91e8bd311ca2af722d465

SHA512
668b58415d6d8ba2fa3bda59ef529b29c67b415289dac9afebf2f6fcc25c37a67c9ae94443e4f1ca89692bf5724fb794e49739737dbf24aee064482fc795487b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\NRCXZEHQY.exe

Filesize
102KB

MD5
78b36b9806bb69ea0b6f19290e75f382

SHA1
324ab16611cd6dfc44d21eb35fc56fa06bd6fd26

SHA256
70b1df6c46f61e09a04eac922f7adc436b5c8fd40fc14d3fc0fbcd11a3151e49

SHA512
45f89fb8ece46cf86568eee95da1ae6880c21c5d60f3666010dba6020d7251ce887542a911d42e006c24b3c9269ebd97511142e4fecfbfd99edbf2e2a960ee81

Download Submit
\Program Files (x86)\Winrar\Uninstall.exe

Filesize
98KB

MD5
3e20c4b85982e3cbd7655659a6800fc7

SHA1
c47a37416ac19089e8cbfd1b7bfc397d3f51fc51

SHA256
88b1f1f7cbf71d539908a91359264cc7a78f786db33447af5b0bd35f33f82833

SHA512
c0bf182c80a715602674f2771bfea4af2ff31182d0dcbce1f9fd70a829134eb2226e6614e9b40a3f33646e499f421ed6e5157f0fd1b8418f4430496e3ef4c2ff

Download Submit
memory/1124-146-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2108-24-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2108-133-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2420-23-0x0000000002690000-0x00000000026B7000-memory.dmp

Filesize
156KB

Download
memory/2420-147-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads