570610d2f1528a084e353bd021555828071bfb53dd468cf2f3c4376de4a907e3

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 13:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efeaf61884f24bbeaa102f6e0db825c2_JaffaCakes118.exe
Size

2.8MB
MD5

efeaf61884f24bbeaa102f6e0db825c2
SHA1

f2bbe1945df6d24bacfe26023b755d9bf2aef13a
SHA256

570610d2f1528a084e353bd021555828071bfb53dd468cf2f3c4376de4a907e3
SHA512

e23830729108830ee38cfe3cb35ddcc6de40bc28df9de439591b361d29722819ca09960c33e0782055225a18025241d805fe45c7f39d0a83cdad5bc8613f6c53
SSDEEP

49152:F/mU3ZPXAC0yRsjssRnFPCoz1rYZe0JKKyJkuDNZfjLu37sPV1shP7qbkz7F:FOYZPQOKSSYZlJEhZf87hD1p

Score

7^/10

discovery persistence privilege_escalation upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	CCNRDT

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WNQAIHITT.lnk	efeaf61884f24bbeaa102f6e0db825c2_JaffaCakes118.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 2 IoCs

pid	Process
2020	CCNRDT
60	uninstall.exe

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023435-17.dat	upx
behavioral2/memory/2020-19-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral2/memory/2020-130-0x0000000000400000-0x0000000000427000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Winrar\Uninstall.exe	CCNRDT
File created	C:\Program Files (x86)\Winrar\Themes\WinRAR_Noia_Bogart_48x48.theme.rar	CCNRDT
File opened for modification	C:\Program Files (x86)\Winrar\UnRAR.exe	CCNRDT
File opened for modification	C:\Program Files (x86)\Winrar\Themes\WinRAR_Smile_d_48x48.1_00.theme.rar	CCNRDT
File opened for modification	C:\Program Files (x86)\Winrar\NotasTec.txt	CCNRDT
File opened for modification	C:\Program Files (x86)\Winrar\Rar.exe	CCNRDT
File created	C:\Program Files (x86)\Winrar\UnRAR.exe	CCNRDT
File opened for modification	C:\Program Files (x86)\Winrar\WinCon.SFX	CCNRDT
File created	C:\Program Files (x86)\Winrar\Formats\bz2.fmt	CCNRDT
File opened for modification	C:\Program Files (x86)\Winrar\Formats\z.fmt	CCNRDT
File created	C:\Program Files (x86)\Winrar\WinCon.SFX	CCNRDT
File created	C:\Program Files (x86)\Winrar\uninstall.lng	CCNRDT
File created	C:\Program Files (x86)\Winrar\Themes\WinRAR_JOM_48x48.1_0.theme.rar	CCNRDT
File opened for modification	C:\Program Files (x86)\Winrar\Formats\UNACEV2.DLL	CCNRDT
File opened for modification	C:\Program Files (x86)\Winrar\Formats\lzh.fmt	CCNRDT
File opened for modification	C:\Program Files (x86)\Winrar\Themes\WinRAR_Artistic 48x48.theme.rar	CCNRDT
File created	C:\Program Files (x86)\Winrar\Order.htm	CCNRDT
File created	C:\Program Files (x86)\Winrar\Uninstall.lst	CCNRDT
File opened for modification	C:\Program Files (x86)\Winrar\Formats	CCNRDT
File created	C:\Program Files (x86)\Winrar\Formats\7zxa.dll	CCNRDT
File opened for modification	C:\Program Files (x86)\Winrar\Formats\bz2.fmt	CCNRDT
File created	C:\Program Files (x86)\Winrar\Formats\lzh.fmt	CCNRDT
File opened for modification	C:\Program Files (x86)\Winrar\Zip.SFX	CCNRDT
File created	C:\Program Files (x86)\Winrar\Themes\WinRAR_Artistic 48x48.theme.rar	CCNRDT
File created	C:\Program Files (x86)\Winrar\Themes\WinRAR_Jr_48x48.1_01.theme.rar	CCNRDT
File created	C:\Program Files (x86)\Winrar\rarnew.dat	uninstall.exe
File opened for modification	C:\Program Files (x86)\Winrar\Order.htm	CCNRDT
File created	C:\Program Files (x86)\Winrar\RarExt.dll	CCNRDT
File created	C:\Program Files (x86)\Winrar\Formats\ace.fmt	CCNRDT
File opened for modification	C:\Program Files (x86)\Winrar\Formats\tar.fmt	CCNRDT
File created	C:\Program Files (x86)\Winrar\zipnew.dat	uninstall.exe
File created	C:\Program Files (x86)\Winrar\Leame.txt	CCNRDT
File created	C:\Program Files (x86)\Winrar\RarFiles.lst	CCNRDT
File opened for modification	C:\Program Files (x86)\Winrar\RarExt.dll	CCNRDT
File created	C:\Program Files (x86)\Winrar\WinRAR.exe	CCNRDT
File created	C:\Program Files (x86)\Winrar\rarreg.key	CCNRDT
File created	C:\Program Files (x86)\Winrar\setup.s	CCNRDT
File opened for modification	C:\Program Files (x86)\Winrar\Default.SFX	CCNRDT
File created	C:\Program Files (x86)\Winrar\Themes\RARaddin_48x48.theme.rar	CCNRDT
File opened for modification	C:\Program Files (x86)\Winrar\Themes\Vista_Ultimate_48x48.theme.rar	CCNRDT
File opened for modification	C:\Program Files (x86)\Winrar\Themes\WinRAR_JOM_48x48.1_0.theme.rar	CCNRDT
File created	C:\Program Files (x86)\Winrar\WhatsNew.txt	CCNRDT
File opened for modification	C:\Program Files (x86)\Winrar\Formats\ace.fmt	CCNRDT
File created	C:\Program Files (x86)\Winrar\Formats\gz.fmt	CCNRDT
File opened for modification	C:\Program Files (x86)\Winrar	CCNRDT
File opened for modification	C:\Program Files (x86)\Winrar\Formats\7zxa.dll	CCNRDT
File opened for modification	C:\Program Files (x86)\Winrar\Formats\gz.fmt	CCNRDT
File created	C:\Program Files (x86)\Winrar\winrar.lng	CCNRDT
File created	C:\Program Files (x86)\Winrar\File_Id.diz	CCNRDT
File opened for modification	C:\Program Files (x86)\Winrar\winrar.lng	CCNRDT
File opened for modification	C:\Program Files (x86)\Winrar\Themes	CCNRDT
File opened for modification	C:\Program Files (x86)\Winrar\Formats\iso.fmt	CCNRDT
File opened for modification	C:\Program Files (x86)\Winrar\rarreg.key	CCNRDT
File opened for modification	C:\Program Files (x86)\Winrar\Themes\WinRAR_Jr_48x48.1_01.theme.rar	CCNRDT
File created	C:\Program Files (x86)\Winrar\Rar.txt	CCNRDT
File created	C:\Program Files (x86)\Winrar\Themes\Vista_Ultimate_48x48.theme.rar	CCNRDT
File created	C:\Program Files (x86)\Winrar\Themes\WinRAR_Objects 48x48.theme.rar	CCNRDT
File created	C:\Program Files (x86)\Winrar\Themes\WinRAR_Smile_d_48x48.1_00.theme.rar	CCNRDT
File opened for modification	C:\Program Files (x86)\Winrar\WhatsNew.txt	CCNRDT
File created	C:\Program Files (x86)\Winrar\RarExtLoader.exe	CCNRDT
File created	C:\Program Files (x86)\Winrar\RarExt64.dll	CCNRDT
File opened for modification	C:\Program Files (x86)\Winrar\Formats\cab.fmt	CCNRDT
File created	C:\Program Files (x86)\Winrar\Formats\iso.fmt	CCNRDT
File created	C:\Program Files (x86)\Winrar\Formats\z.fmt	CCNRDT

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efeaf61884f24bbeaa102f6e0db825c2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CCNRDT
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uninstall.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cab	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz2	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uue	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lha\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ace	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\ = "Volumen RAR de recuperación"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r13\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.taz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tgz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r14	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r21	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz2\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r09\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.z\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r01\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r22\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r10\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r09	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ShellNew	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r25	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r29\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r05\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r20\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files (x86)\\Winrar\\rarext.dll"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r10	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r25\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r00	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r02\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ShellNew\FileName = "C:\\Program Files (x86)\\Winrar\\rarnew.dat"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r16\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r26\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lzh\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon\ = "C:\\Program Files (x86)\\Winrar\\WinRAR.exe,0"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r26	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cab\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.arj	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r11\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r16	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.uue\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ShellNew\FileName = "C:\\Program Files (x86)\\Winrar\\zipnew.dat"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WRTE.Document.1\UID\Frame13 = "setup"	uninstall.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2020	3028	efeaf61884f24bbeaa102f6e0db825c2_JaffaCakes118.exe	82
PID 3028 wrote to memory of 2020	3028	efeaf61884f24bbeaa102f6e0db825c2_JaffaCakes118.exe	82
PID 3028 wrote to memory of 2020	3028	efeaf61884f24bbeaa102f6e0db825c2_JaffaCakes118.exe	82
PID 2020 wrote to memory of 60	2020	CCNRDT	83
PID 2020 wrote to memory of 60	2020	CCNRDT	83
PID 2020 wrote to memory of 60	2020	CCNRDT	83

C:\Users\Admin\AppData\Local\Temp\efeaf61884f24bbeaa102f6e0db825c2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\efeaf61884f24bbeaa102f6e0db825c2_JaffaCakes118.exe"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Local\Temp\CCNRDT
  "C:\Users\Admin\AppData\Local\Temp\CCNRDT"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Program Files (x86)\Winrar\uninstall.exe
    "C:\Program Files (x86)\Winrar\uninstall.exe" /setup /s
    3⤵
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:60

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Winrar\Rar.txt

Filesize
79KB

MD5
02895529cf23198acc7a4b5e49ce9f4b

SHA1
b9a871086b8aafa46b26cb538bc2fef796b2dbdb

SHA256
3cecdd7b52cb758265ff3212c753e559f2805a1aea83c52b160e051a172b2434

SHA512
cd85593d0e3dbe9ef8e4a90f8282e95f02bd1b0262543ceb07200814a7127810b7ba9bb22b460195ac1258d90d3d1ff9d1c4d434c785c68b2afe8074c8c72a63

Download Submit
C:\Program Files (x86)\Winrar\Uninstall.exe

Filesize
98KB

MD5
3e20c4b85982e3cbd7655659a6800fc7

SHA1
c47a37416ac19089e8cbfd1b7bfc397d3f51fc51

SHA256
88b1f1f7cbf71d539908a91359264cc7a78f786db33447af5b0bd35f33f82833

SHA512
c0bf182c80a715602674f2771bfea4af2ff31182d0dcbce1f9fd70a829134eb2226e6614e9b40a3f33646e499f421ed6e5157f0fd1b8418f4430496e3ef4c2ff

Download Submit
C:\Program Files (x86)\Winrar\WinRAR.exe

Filesize
946KB

MD5
1191d84c20f70bb4d84ae689e3e57f07

SHA1
1ba1d6d6a3d66cf9472df63434ec7ca17ac3d951

SHA256
c075e812f293f1dcfce5dc4f8bcf3cd42f8a526deb9251c9af27726a85e969e2

SHA512
13660b8060c0cbd3fe7c7eb6677c058266e8a8658dd66a01c01300f75bb3cd14abf0f97375b3a1242904954255e1639bd6f2d0cace51899eac5ac9bea88ea16e

Download Submit
C:\Program Files (x86)\Winrar\uninstall.lng

Filesize
3KB

MD5
e03e107021c4e5b5a3bb87858aaabce3

SHA1
6d0251244b74e9fbe1358cd10936735a4eda1d82

SHA256
358fe6ea647eab82e3b2282b234c2a44fd5912067e51d1ef0f0c739d37f3ecb7

SHA512
e51857ae5d9d25f02d1789fdde3607124e981ccbda2c4372089bb915224849fb2a2b9aad129c33f134d14283d29f81eb52716d350463dcf169c4ba78d5d22dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCNRDT

Filesize
2.7MB

MD5
0205797fc7e324f9c76dc0cea939ef7c

SHA1
29d3f0677e307c53c2e7ec4b6387c6578a867f6d

SHA256
cb81891482eb031146f8c3b41915145eb90ccc2506b91e8bd311ca2af722d465

SHA512
668b58415d6d8ba2fa3bda59ef529b29c67b415289dac9afebf2f6fcc25c37a67c9ae94443e4f1ca89692bf5724fb794e49739737dbf24aee064482fc795487b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\AJHZHFZGP.exe

Filesize
98KB

MD5
f28ea5b33cbbc2f2045d3e144878889d

SHA1
f91a0ead49f51d7aa8f6b07351993cb7a91273be

SHA256
5d57b07296e32c0ec2e85c6c2367f6138c04253b76e4ecaef08e9f39153cfea1

SHA512
07987b37911f4a29df99440f1e69e6814d8f9a32ffd8be30ea76a79c9a8d153a46ada85557f46e1f170ec0101ea0adad5b4b4a2c936a37c56fc93c363915dc02

Download Submit
memory/60-141-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2020-19-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2020-130-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3028-142-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads