Edit tour

Windows Analysis Report
https://www.google.com/url?q=https://www.google.la/amp/s/mail.ccuk.edu.ng/home/&ust=1729769376151000&usg=AOvVaw1rOQXXFFFEiE_w3hFls1yL

Overview

General Information

Sample URL:	https://www.google.com/url?q=https://www.google.la/amp/s/mail.ccuk.edu.ng/home/&ust=1729769376151000&usg=AOvVaw1rOQXXFFFEiE_w3hFls1yL
Analysis ID:	1540444
Infos:

Detection

Ratty

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Sigma detected: Register Jar In Run Key

Suricata IDS alerts for network traffic

Yara detected Ratty

Creates autostart registry keys with suspicious names

Installs a global keyboard hook

Sigma detected: Suspicious Startup Folder Persistence

Uses cmd line tools excessively to alter registry or file data

Creates a process in suspended mode (likely to inject code)

Drops PE files

Found dropped PE file which has not been started or loaded

Installs a global mouse hook

Queries keyboard layouts

Queries the volume information (name, serial number etc) of a device

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Direct Autorun Keys Modification

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses cacls to modify the permissions of files

Uses reg.exe to modify the Windows registry

Yara signature match

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 4308 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6780 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1964,i,9689604194511644785,8244454053316013783,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

javaw.exe (PID: 8124 cmdline: "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\Downloads\CompliantReport-10-23-2024-DocumP-D-F.jar" MD5: 6E0F4F812AE02FBCB744A929E74A04B8)

icacls.exe (PID: 8176 cmdline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M MD5: 2E49585E4E08565F52090B144062F97E)

conhost.exe (PID: 8184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 2840 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "CompliantReport-10-23-2024-DocumP-D-F.jar" /d "C:\Users\user\AppData\Roaming\CompliantReport-10-23-2024-DocumP-D-F.jar" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

conhost.exe (PID: 5996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

attrib.exe (PID: 4896 cmdline: attrib +H C:\Users\user\AppData\Roaming\CompliantReport-10-23-2024-DocumP-D-F.jar MD5: 0E938DD280E83B1596EC6AA48729C2B0)

conhost.exe (PID: 5868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

attrib.exe (PID: 5404 cmdline: attrib +H C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CompliantReport-10-23-2024-DocumP-D-F.jar MD5: 0E938DD280E83B1596EC6AA48729C2B0)

conhost.exe (PID: 2712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chrome.exe (PID: 7004 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.google.com/url?q=https://www.google.la/amp/s/mail.ccuk.edu.ng/home/&ust=1729769376151000&usg=AOvVaw1rOQXXFFFEiE_w3hFls1yL" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\CompliantReport-10-23-2024-DocumP-D-F.jar	JoeSecurity_Ratty	Yara detected Ratty	Joe Security
C:\Users\user\AppData\Roaming\CompliantReport-10-23-2024-DocumP-D-F.jar	MALWARE_Win_Ratty	Detects Ratty Java RAT	ditekshen	0x1d809c:$s1: /rat/RattyClient.class 0x226470:$s1: /rat/RattyClient.class 0x1d9029:$s2: /rat/ActiveConnection.class 0x2264e1:$s2: /rat/ActiveConnection.class 0x1d999b:$s3: /rat/attack/ 0x1d99ce:$s3: /rat/attack/ 0x2265d0:$s3: /rat/attack/ 0x226637:$s3: /rat/attack/ 0x1dd2a9:$s4: /rat/gui/swing/Ratty 0x1dd5d8:$s4: /rat/gui/swing/Ratty 0x226e7d:$s4: /rat/gui/swing/Ratty 0x226efc:$s4: /rat/gui/swing/Ratty 0x1ddd30:$s5: /rat/packet/PasswordPacket 0x1ddf98:$s5: /rat/packet/PasswordPacket 0x22705d:$s5: /rat/packet/PasswordPacket 0x2270e1:$s5: /rat/packet/PasswordPacket 0x1dd8c4:$s6: /rat/packet/ 0x1dd8f7:$s6: /rat/packet/ 0x1ddd30:$s6: /rat/packet/ 0x1ddf98:$s6: /rat/packet/ 0x1de538:$s6: /rat/packet/

Memory Dumps

Source	Rule	Description	Author
0000000B.00000003.1310479031.0000000015F49000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ratty	Yara detected Ratty	Joe Security
0000000B.00000002.2450918680.00000000163BC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ratty	Yara detected Ratty	Joe Security
0000000B.00000002.2441656654.0000000005069000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Ratty	Yara detected Ratty	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Startup Folder Persistence

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe, ProcessId: 8124, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CompliantReport-10-23-2024-DocumP-D-F.jar

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\CompliantReport-10-23-2024-DocumP-D-F.jar, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 2840, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CompliantReport-10-23-2024-DocumP-D-F.jar

Sigma detected: Direct Autorun Keys Modification

Source: Process started

Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "CompliantReport-10-23-2024-DocumP-D-F.jar" /d "C:\Users\user\AppData\Roaming\CompliantReport-10-23-2024-DocumP-D-F.jar" /f, CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "CompliantReport-10-23-2024-DocumP-D-F.jar" /d "C:\Users\user\AppData\Roaming\CompliantReport-10-23-2024-DocumP-D-F.jar" /f, CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\Downloads\CompliantReport-10-23-2024-DocumP-D-F.jar" , ParentImage: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe, ParentProcessId: 8124, ParentProcessName: javaw.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "CompliantReport-10-23-2024-DocumP-D-F.jar" /d "C:\Users\user\AppData\Roaming\CompliantReport-10-23-2024-DocumP-D-F.jar" /f, ProcessId: 2840, ProcessName: reg.exe

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "CompliantReport-10-23-2024-DocumP-D-F.jar" /d "C:\Users\user\AppData\Roaming\CompliantReport-10-23-2024-DocumP-D-F.jar" /f, CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "CompliantReport-10-23-2024-DocumP-D-F.jar" /d "C:\Users\user\AppData\Roaming\CompliantReport-10-23-2024-DocumP-D-F.jar" /f, CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\Downloads\CompliantReport-10-23-2024-DocumP-D-F.jar" , ParentImage: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe, ParentProcessId: 8124, ParentProcessName: javaw.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "CompliantReport-10-23-2024-DocumP-D-F.jar" /d "C:\Users\user\AppData\Roaming\CompliantReport-10-23-2024-DocumP-D-F.jar" /f, ProcessId: 2840, ProcessName: reg.exe

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe, ProcessId: 8124, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CompliantReport-10-23-2024-DocumP-D-F.jar

Persistence and Installation Behavior

Sigma detected: Register Jar In Run Key

Source: Process started

Author: Joe Security: Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "CompliantReport-10-23-2024-DocumP-D-F.jar" /d "C:\Users\user\AppData\Roaming\CompliantReport-10-23-2024-DocumP-D-F.jar" /f, CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "CompliantReport-10-23-2024-DocumP-D-F.jar" /d "C:\Users\user\AppData\Roaming\CompliantReport-10-23-2024-DocumP-D-F.jar" /f, CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\Downloads\CompliantReport-10-23-2024-DocumP-D-F.jar" , ParentImage: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe, ParentProcessId: 8124, ParentProcessName: javaw.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "CompliantReport-10-23-2024-DocumP-D-F.jar" /d "C:\Users\user\AppData\Roaming\CompliantReport-10-23-2024-DocumP-D-F.jar" /f, ProcessId: 2840, ProcessName: reg.exe

Suricata Signatures

ETPRO MALWARE Java/Ratty Windows Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-23T19:19:49.211640+0200	2842821	1	Malware Command and Control Activity Detected	192.168.2.16	49721	191.96.207.80	1030	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.16:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.16:49722 version: TLS 1.2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2842821 - Severity 1 - ETPRO MALWARE Java/Ratty Windows Checkin : 192.168.2.16:49721 -> 191.96.207.80:1030

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: www.google.la
Source: global traffic	DNS traffic detected: DNS query: mail.ccuk.edu.ng
Source: global traffic	DNS traffic detected: DNS query: en.intmissioncenter.org

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.16:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.16:49722 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\JNativeHook-FCBC1DC5993F3B7C153159E29CD4364927BC9517.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Windows user hook set: 0 mouse low level C:\Users\user\AppData\Local\Temp\JNativeHook-FCBC1DC5993F3B7C153159E29CD4364927BC9517.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\JNativeHook-FCBC1DC5993F3B7C153159E29CD4364927BC9517.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Windows user hook set: 0 mouse low level C:\Users\user\AppData\Local\Temp\JNativeHook-FCBC1DC5993F3B7C153159E29CD4364927BC9517.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\JNativeHook-FCBC1DC5993F3B7C153159E29CD4364927BC9517.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Windows user hook set: 0 mouse low level C:\Users\user\AppData\Local\Temp\JNativeHook-FCBC1DC5993F3B7C153159E29CD4364927BC9517.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\JNativeHook-FCBC1DC5993F3B7C153159E29CD4364927BC9517.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Windows user hook set: 0 mouse low level C:\Users\user\AppData\Local\Temp\JNativeHook-FCBC1DC5993F3B7C153159E29CD4364927BC9517.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\JNativeHook-FCBC1DC5993F3B7C153159E29CD4364927BC9517.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Windows user hook set: 0 mouse low level C:\Users\user\AppData\Local\Temp\JNativeHook-FCBC1DC5993F3B7C153159E29CD4364927BC9517.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\JNativeHook-FCBC1DC5993F3B7C153159E29CD4364927BC9517.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Windows user hook set: 0 mouse low level C:\Users\user\AppData\Local\Temp\JNativeHook-FCBC1DC5993F3B7C153159E29CD4364927BC9517.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\JNativeHook-FCBC1DC5993F3B7C153159E29CD4364927BC9517.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Windows user hook set: 0 mouse low level C:\Users\user\AppData\Local\Temp\JNativeHook-FCBC1DC5993F3B7C153159E29CD4364927BC9517.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\JNativeHook-FCBC1DC5993F3B7C153159E29CD4364927BC9517.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Windows user hook set: 0 mouse low level C:\Users\user\AppData\Local\Temp\JNativeHook-FCBC1DC5993F3B7C153159E29CD4364927BC9517.dll

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe

Windows user hook set: 0 mouse low level C:\Users\user\AppData\Local\Temp\JNativeHook-FCBC1DC5993F3B7C153159E29CD4364927BC9517.dll

System Summary

Malicious sample detected (through community Yara rule)

Source: C:\Users\user\AppData\Roaming\CompliantReport-10-23-2024-DocumP-D-F.jar, type: DROPPED

Matched rule: Detects Ratty Java RAT Author: ditekshen

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe

Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "CompliantReport-10-23-2024-DocumP-D-F.jar" /d "C:\Users\user\AppData\Roaming\CompliantReport-10-23-2024-DocumP-D-F.jar" /f

Source: C:\Users\user\AppData\Roaming\CompliantReport-10-23-2024-DocumP-D-F.jar, type: DROPPED

Matched rule: MALWARE_Win_Ratty author = ditekshen, description = Detects Ratty Java RAT

Source: classification engine

Classification label: mal88.troj.spyw.win@33/12@8/133

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8184:120:WilError_03
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5996:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5868:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2712:120:WilError_03

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe

File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe

File read: C:\Users\desktop.ini

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1964,i,9689604194511644785,8244454053316013783,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.google.com/url?q=https://www.google.la/amp/s/mail.ccuk.edu.ng/home/&ust=1729769376151000&usg=AOvVaw1rOQXXFFFEiE_w3hFls1yL"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1964,i,9689604194511644785,8244454053316013783,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\Downloads\CompliantReport-10-23-2024-DocumP-D-F.jar"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "CompliantReport-10-23-2024-DocumP-D-F.jar" /d "C:\Users\user\AppData\Roaming\CompliantReport-10-23-2024-DocumP-D-F.jar" /f
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib +H C:\Users\user\AppData\Roaming\CompliantReport-10-23-2024-DocumP-D-F.jar
Source: C:\Windows\SysWOW64\reg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib +H C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CompliantReport-10-23-2024-DocumP-D-F.jar
Source: C:\Windows\SysWOW64\attrib.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\attrib.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\Downloads\CompliantReport-10-23-2024-DocumP-D-F.jar"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "CompliantReport-10-23-2024-DocumP-D-F.jar" /d "C:\Users\user\AppData\Roaming\CompliantReport-10-23-2024-DocumP-D-F.jar" /f
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib +H C:\Users\user\AppData\Roaming\CompliantReport-10-23-2024-DocumP-D-F.jar
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib +H C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CompliantReport-10-23-2024-DocumP-D-F.jar

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: dpapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: kbdsg.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: kbdgr.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: opengl32.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: glu32.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: networkexplorer.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: thumbcache.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: policymanager.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: msvcp110_win.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: drprov.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: ntlanman.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: davclnt.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: davhlpr.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: wkscli.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: cscapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: dlnashext.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: playtodevice.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: devdispitemprovider.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: mmdevapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: devobj.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: wpdshext.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: portabledeviceapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: audiodev.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: wmvcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: wmasf.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: mfperfhelper.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: linkinfo.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: samcli.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: samlib.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: dataexchange.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: d3d11.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: dcomp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: dxgi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: fsutilext.dll

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe

File opened: C:\Program Files (x86)\Java\jre-1.8\lib\i386\jvm.cfg

Source: Window Recorder

Window detected: More than 3 window changes detected

Persistence and Installation Behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Process created: reg.exe
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Process created: attrib.exe
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Process created: attrib.exe
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Process created: reg.exe
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Process created: attrib.exe
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Process created: attrib.exe

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe

File created: C:\Users\user\AppData\Local\Temp\JNativeHook-5896838096140362776.dll

Jump to dropped file

Boot Survival

Creates autostart registry keys with suspicious names

Source: C:\Windows\SysWOW64\reg.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run CompliantReport-10-23-2024-DocumP-D-F.jar

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CompliantReport-10-23-2024-DocumP-D-F.jar
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CompliantReport-10-23-2024-DocumP-D-F.jar\:Zone.Identifier:$DATA

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run CompliantReport-10-23-2024-DocumP-D-F.jar
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run CompliantReport-10-23-2024-DocumP-D-F.jar

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe

Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\JNativeHook-5896838096140362776.dll

Jump to dropped file

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000807
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000407

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe

Memory protected: page read and write | page guard

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "CompliantReport-10-23-2024-DocumP-D-F.jar" /d "C:\Users\user\AppData\Roaming\CompliantReport-10-23-2024-DocumP-D-F.jar" /f
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib +H C:\Users\user\AppData\Roaming\CompliantReport-10-23-2024-DocumP-D-F.jar
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib +H C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CompliantReport-10-23-2024-DocumP-D-F.jar

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\8124 VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Users\user\Downloads\CompliantReport-10-23-2024-DocumP-D-F.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Users\user\AppData\Roaming\CompliantReport-10-23-2024-DocumP-D-F.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Users\user\Downloads\CompliantReport-10-23-2024-DocumP-D-F.jar VolumeInformation

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected Ratty

Source: Yara match	File source: 0000000B.00000003.1310479031.0000000015F49000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\CompliantReport-10-23-2024-DocumP-D-F.jar, type: DROPPED
Source: Yara match	File source: 0000000B.00000002.2450918680.00000000163BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2441656654.0000000005069000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Ratty

Source: Yara match	File source: 0000000B.00000003.1310479031.0000000015F49000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\CompliantReport-10-23-2024-DocumP-D-F.jar, type: DROPPED
Source: Yara match	File source: 0000000B.00000002.2450918680.00000000163BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2441656654.0000000005069000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Command and Scripting Interpreter	211 Registry Run Keys / Startup Folder	11 Process Injection	1 Masquerading	111 Input Capture	1 File and Directory Discovery	Remote Services	111 Input Capture	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Services File Permissions Weakness	211 Registry Run Keys / Startup Folder	1 Modify Registry	LSASS Memory	22 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Services File Permissions Weakness	1 Disable or Modify Tools	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	11 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Services File Permissions Weakness	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\JNativeHook-5896838096140362776.dll	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
ccuk.edu.ng	31.220.53.231	true	false	unknown
en.intmissioncenter.org	128.65.195.91	true	false	unknown
www.google.com	142.250.186.100	true	false	unknown
www.google.la	142.250.185.131	true	false	unknown
mail.ccuk.edu.ng	unknown	unknown	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.181.227	unknown	United States	15169	GOOGLEUS	false
142.250.185.206	unknown	United States	15169	GOOGLEUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
128.65.195.91	en.intmissioncenter.org	Switzerland	29222	INFOMANIAK-ASCH	false
142.250.185.131	www.google.la	United States	15169	GOOGLEUS	false
142.251.5.84	unknown	United States	15169	GOOGLEUS	false
142.250.186.100	www.google.com	United States	15169	GOOGLEUS	false
31.220.53.231	ccuk.edu.ng	Lithuania	47583	AS-HOSTINGERLT	false
191.96.207.80	unknown	Chile	60458	ASN-XTUDIONETES	true

Private

IP
192.168.2.16

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1540444
Start date and time:	2024-10-23 19:18:59 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	https://www.google.com/url?q=https://www.google.la/amp/s/mail.ccuk.edu.ng/home/&ust=1729769376151000&usg=AOvVaw1rOQXXFFFEiE_w3hFls1yL
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal88.troj.spyw.win@33/12@8/133

Warnings

Exclude process from analysis (whitelisted): svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.181.227, 142.251.5.84, 142.250.185.206, 34.104.35.123
Excluded domains from analysis (whitelisted): clients2.google.com, accounts.google.com, edgedl.me.gvt1.com, clientservices.googleapis.com, clients.l.google.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: https://www.google.com/url?q=https://www.google.la/amp/s/mail.ccuk.edu.ng/home/&ust=1729769376151000&usg=AOvVaw1rOQXXFFFEiE_w3hFls1yL

Created / dropped Files

C:\ProgramData\Oracle\Java\.oracle_jre_usage\b5820291038aa69c.timestamp

Download File

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.842186055004734
Encrypted:	false
SSDEEP:
MD5:	75A945790D44CE6E60EF6E6CBDDE5DF7
SHA1:	D87ECCA8D9AF3561121484089511C3C8D1789E80
SHA-256:	FC8EC394DF90CD30ED93E03AE61A2D4C6E0EC5BAB990D17AE93B36C90A6A55A1
SHA-512:	18692FCF4578E77D6935C62D478638162A28AB4ABD34CFEDBE35497375BE251E6ED0ED1F4E53C402DD0012E43DBD7900F6EB4847E473626538135FBFBCEE5702
Malicious:	false
Reputation:	unknown
Preview:	C:\Program Files (x86)\Java\jre-1.8..1729703986887..

C:\Users\user\AppData\Local\Temp\JNativeHook-5896838096140362776.dll

Download File

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	modified
Size (bytes):	78601
Entropy (8bit):	5.664059269802135
Encrypted:	false
SSDEEP:
MD5:	B4CE035F926531D6B4DFA8477C6477E4
SHA1:	FCBC1DC5993F3B7C153159E29CD4364927BC9517
SHA-256:	F6FFEAD3B5F3DB5A7A00D1FEF874C3D3ED7ECF095DA2D981EBD691FDFA685716
SHA-512:	7AAAE326A307B0E2D636400573D5A383D6F1A361BFB06847EE090813E38FA029A83F1BD0F29C9E2AD325116430CBE2003D228F6FBCF7A9ED5725C1108521642D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....7V...........#.....t..........(..............m.........................0......9z........ .................................$............................ ..P...................................................t................................text...$s.......t..................`.P`.data...0............x..............@.0..rdata.. %.......&...z..............@.p@.bss....,.............................p..edata..............................@.0@.idata..$...........................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..P.... ......................@.0B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\JNativeHook-FCBC1DC5993F3B7C153159E29CD4364927BC9517.dll (copy)

Download File

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	B4CE035F926531D6B4DFA8477C6477E4
SHA1:	FCBC1DC5993F3B7C153159E29CD4364927BC9517
SHA-256:	F6FFEAD3B5F3DB5A7A00D1FEF874C3D3ED7ECF095DA2D981EBD691FDFA685716
SHA-512:	7AAAE326A307B0E2D636400573D5A383D6F1A361BFB06847EE090813E38FA029A83F1BD0F29C9E2AD325116430CBE2003D228F6FBCF7A9ED5725C1108521642D
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....7V...........#.....t..........(..............m.........................0......9z........ .................................$............................ ..P...................................................t................................text...$s.......t..................`.P`.data...0............x..............@.0..rdata.. %.......&...z..............@.p@.bss....,.............................p..edata..............................@.0@.idata..$...........................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..P.... ......................@.0B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CompliantReport-10-23-2024-DocumP-D-F.jar

Download File

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: 7-Zip (x64 edition) Package, Author: Igor Pavlov, Keywords: Installer, Comments: 7-Zip (x64 edition) Package, Template: x64;1033, Revision Number: {23170F69-40C1-2702-2301-000002000000}, Number of Pages: 200, Number of Words: 2, Security: 2, Create Time/Date: Tue Jun 20 14:39:41 2023, Last Saved Time/Date: Tue Jun 20 14:39:41 2023, Name of Creating Application: Windows Installer XML v2.0.3719.0 (candle/light)
Category:	dropped
Size (bytes):	2274039
Entropy (8bit):	7.975391005807958
Encrypted:	false
SSDEEP:
MD5:	7425EDE3792A66C7B9B6919EB677DD28
SHA1:	896A20B5C166F0F970E371801BA1D356FA4D559E
SHA-256:	FB5C1228AC13DE3535E67B57D05171AC7113A6A74F0B6862E0E98317B0DA12BF
SHA-512:	60A7BD57D9B26EA3A19D5054FF83E7CDC5D0B003BB54AB160966FFA8BD7D922FFA06B94B7DAA5EB8A50AEFDA32277BCE0032E25A804B54BB359436BB245F927A
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Ratty, Description: Yara detected Ratty, Source: C:\Users\user\AppData\Roaming\CompliantReport-10-23-2024-DocumP-D-F.jar, Author: Joe Security Rule: MALWARE_Win_Ratty, Description: Detects Ratty Java RAT, Source: C:\Users\user\AppData\Roaming\CompliantReport-10-23-2024-DocumP-D-F.jar, Author: ditekshen
Reputation:	unknown
Preview:	......................>........................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...`.......................................................................................................................................................................................................................................................................................................................................................................................^...]...............................................................................................................................................................8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\83aa4cc77f591dfc2374580bbd95f6ba_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
File Type:	data
Category:	dropped
Size (bytes):	45
Entropy (8bit):	0.9111711733157262
Encrypted:	false
SSDEEP:
MD5:	C8366AE350E7019AEFC9D1E6E6A498C6
SHA1:	5731D8A3E6568A5F2DFBBC87E3DB9637DF280B61
SHA-256:	11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238
SHA-512:	33C980D5A638BFC791DE291EBF4B6D263B384247AB27F261A54025108F2F85374B579A026E545F81395736DD40FA4696F2163CA17640DD47F1C42BC9971B18CD
Malicious:	false
Reputation:	unknown
Preview:	........................................J2SE.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 23 16:19:37 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.9742888571039705
Encrypted:	false
SSDEEP:
MD5:	58165400D396CC8DC20C4A88FCAF12CC
SHA1:	C8296BED40083DFC78EC4ADA1146AF8EDD98E198
SHA-256:	DC0D694786247C2634270047DB5B74B57592CDC21648ED010705D715C5D9C2CA
SHA-512:	62B9967B9B67FF5974ECF79D9E181B68177CC431BB821F40B9368F1B79E80BBCF69C5FE1456CF5BB563E01994E60EC82FDB18295DF985F9A5CFC9AA8177B8C2E
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....V..o%..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IWYg.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VWYr.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VWYr.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VWYr............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VWYs............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........L.A......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 23 16:19:37 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	3.989707530635477
Encrypted:	false
SSDEEP:
MD5:	2F4C42E77E27197719634BB9B6EC5FC8
SHA1:	B91BA2814096E79DC5262F4756FCF4365387FF75
SHA-256:	7D3E0C0640EF992DCD434FB1B15F2E18F5993177BE7C20C9664ABD00781CC0C1
SHA-512:	1E4FCB5D533512ED444177986952CFD5E695A11D422150D4C8AA288B9D5BE3DAEE7FE7FCB217AD03110377D169D3F19D368621C5B3C0179F0D4861BEF49C2340
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....NE.o%..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IWYg.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VWYr.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VWYr.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VWYr............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VWYs............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........L.A......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2689
Entropy (8bit):	4.000955794856097
Encrypted:	false
SSDEEP:
MD5:	C47BE201180DB129C6477778915F57FA
SHA1:	1A544520942D49F36FE0671AB509D21923C561A6
SHA-256:	1D8A3AF9872A683D7D58A85C20AEB0B8BA9972A22DE31B07E070B45BC3A83C41
SHA-512:	EAEC01BF91D5B40C6628AA5F5EE28D71FF10ADDC5E2DA7DF809772E5996B14B9C893851EDC5859198ECBD2471B349F2DE50E42138A23B4A68D30B017AA613D6D
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....Y.04...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IWYg.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VWYr.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VWYr.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VWYr............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VFW.E...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........L.A......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 23 16:19:37 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9900448047126003
Encrypted:	false
SSDEEP:
MD5:	96B26CA78FDC6EC5E661DA722784384C
SHA1:	2D3A1CA77523721F064F6956FAA7B1AEA7439819
SHA-256:	DEF208C18A9F877B15B61A3B515259C1086414642016887E38FDB7248430033E
SHA-512:	4ECA99E9541DEEBDFC38E6F06B7C561A344A3EC4E614BD00A8C39FD77F3988102256077FFE0093059D9743A4D5EDB46AE6F93692AC48D4F01EA88062328A77D1
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....Z..o%..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IWYg.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VWYr.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VWYr.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VWYr............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VWYs............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........L.A......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 23 16:19:37 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9774531665673987
Encrypted:	false
SSDEEP:
MD5:	E8B494AA5B5445D66DAE7B8F88AE393F
SHA1:	5DFE2501E4CE889A1A263D34464F529BB2ECC94C
SHA-256:	76CA2E90D8F7B4DB90CD3C5FF18FA1ABEE4DBD5004A487AB01CFA073B87A8D48
SHA-512:	8BA3A04D075E1BDA5C965BC6CC55E4999C404F7709DC12EC420B29BA6879A1816442D4998CE336B6F5B200D719785BB2FF548933445D80FCB6E651C180A9FB0C
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,......o%..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IWYg.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VWYr.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VWYr.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VWYr............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VWYs............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........L.A......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 23 16:19:37 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.9859587259985454
Encrypted:	false
SSDEEP:
MD5:	4CF8BD3B960042150A528CEC02AA9081
SHA1:	23BC50C0D5281D5C12CE78A7A6988F97BF516F02
SHA-256:	6CCC1ED18F9411CE77D235D3BAE097DDB9EAE5ED62688454BC9466FB89882FC5
SHA-512:	0F5122CF530FD45614086214F2D5E751F15659AD4678C51B5623E14E6AC3A9C3A6DEC4F57B83685EDAB29D4019AF9B39FF0C6CBE9DF9737EC7CD32078225F52A
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.......o%..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IWYg.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VWYr.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VWYr.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VWYr............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VWYs............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........L.A......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CompliantReport-10-23-2024-DocumP-D-F.jar:Zone.Identifier

Download File

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	148
Entropy (8bit):	5.02648344242478
Encrypted:	false
SSDEEP:
MD5:	4495C86FE4F21D678E2FFCB1921C278F
SHA1:	CA152A1BCFEA95BB7F831A8352188F12AFA06768
SHA-256:	D2D1C9032F424615B526A76208F5105F3C57FEC09EE2C8833F8791BF63657ADE
SHA-512:	351CDEF974979B6B96945281D2DF037DFB328FD8C75ECD7148B9EE29C5F2C4465F816E6483C58CF0F1492A7E6251C715BA2ACE28A630546AE112AB9250E0BA12
Malicious:	false
Reputation:	unknown
Preview:	[ZoneTransfer]..ZoneId=3..ReferrerUrl=https://mail.ccuk.edu.ng/..HostUrl=https://en.intmissioncenter.org/CompliantReport-10-23-2024-DocumP-D-F.jar..

C:\Users\user\Downloads\751748de-a796-47bc-8ffc-9cf9ce4700ee.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Composite Document File V2 Document, Can't read SAT
Category:	dropped
Size (bytes):	32319
Entropy (8bit):	4.719768180405431
Encrypted:	false
SSDEEP:
MD5:	9CDC12354BAD07AF8FDD47DA1B4BC679
SHA1:	AEB2C20D5D70C9482C44D7C18F4DF88B66AB6DA4
SHA-256:	C01AA1D307A0C3FB133478C738AD59AC2848E2EB15BED59EC711DCA859A2E901
SHA-512:	D901922A040A8A616858249648F8670F66B14464BE3BD740441642127A34BF49A72E63F18E494569C9E824BE323F878A1F13388B2E5E10A559601FF90FFF66C4
Malicious:	false
Reputation:	unknown
Preview:	......................>........................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...`.......................................................................................................................................................................................................................................................................................................................................................................................^...]...............................................................................................................................................................8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\Downloads\CompliantReport-10-23-2024-DocumP-D-F.jar (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Composite Document File V2 Document, Can't read SAT
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	9CDC12354BAD07AF8FDD47DA1B4BC679
SHA1:	AEB2C20D5D70C9482C44D7C18F4DF88B66AB6DA4
SHA-256:	C01AA1D307A0C3FB133478C738AD59AC2848E2EB15BED59EC711DCA859A2E901
SHA-512:	D901922A040A8A616858249648F8670F66B14464BE3BD740441642127A34BF49A72E63F18E494569C9E824BE323F878A1F13388B2E5E10A559601FF90FFF66C4
Malicious:	false
Reputation:	unknown
Preview:	......................>........................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...`.......................................................................................................................................................................................................................................................................................................................................................................................^...]...............................................................................................................................................................8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\Downloads\Unconfirmed 259067.crdownload (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Composite Document File V2 Document, Can't read SAT
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	9CDC12354BAD07AF8FDD47DA1B4BC679
SHA1:	AEB2C20D5D70C9482C44D7C18F4DF88B66AB6DA4
SHA-256:	C01AA1D307A0C3FB133478C738AD59AC2848E2EB15BED59EC711DCA859A2E901
SHA-512:	D901922A040A8A616858249648F8670F66B14464BE3BD740441642127A34BF49A72E63F18E494569C9E824BE323F878A1F13388B2E5E10A559601FF90FFF66C4
Malicious:	false
Reputation:	unknown
Preview:	......................>........................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...`.......................................................................................................................................................................................................................................................................................................................................................................................^...]...............................................................................................................................................................8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

Static File Info

⊘No static file info

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Process: Process Creation, Service: Service Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://www.google.com/url?q=https://www.google.la/amp/s/mail.ccuk.edu.ng/home/&ust=1729769376151000&usg=AOvVaw1rOQXXFFFEiE_w3hFls1yL

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Created / dropped Files

C:\ProgramData\Oracle\Java\.oracle_jre_usage\b5820291038aa69c.timestamp

C:\Users\user\AppData\Local\Temp\JNativeHook-5896838096140362776.dll

C:\Users\user\AppData\Local\Temp\JNativeHook-FCBC1DC5993F3B7C153159E29CD4364927BC9517.dll (copy)

C:\Users\user\AppData\Roaming\CompliantReport-10-23-2024-DocumP-D-F.jar

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\83aa4cc77f591dfc2374580bbd95f6ba_9e146be9-c76a-4720-bcdb-53011b87bd06

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CompliantReport-10-23-2024-DocumP-D-F.jar:Zone.Identifier

C:\Users\user\Downloads\751748de-a796-47bc-8ffc-9cf9ce4700ee.tmp

C:\Users\user\Downloads\CompliantReport-10-23-2024-DocumP-D-F.jar (copy)

C:\Users\user\Downloads\Unconfirmed 259067.crdownload (copy)

Static File Info

Windows Analysis Report
https://www.google.com/url?q=https://www.google.la/amp/s/mail.ccuk.edu.ng/home/&ust=1729769376151000&usg=AOvVaw1rOQXXFFFEiE_w3hFls1yL