91cbcba2e9d24ca3f04610ad76c3b2265c1123d0f39f6a4c247d86df691e4659

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 12:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

226efc6b9339ba736515331f079c7b27_JaffaCakes118.exe
Size

632KB
MD5

226efc6b9339ba736515331f079c7b27
SHA1

b8be27931df25ce2748d83270b8ded2ed6334b9c
SHA256

91cbcba2e9d24ca3f04610ad76c3b2265c1123d0f39f6a4c247d86df691e4659
SHA512

61b8a5d076572649b8882896eb2d609c29114c21a2f0e173cc615515fc21722c43ab65b58dde8e9de832db7cbb001e85c040e83a19e832daf30c21af7a825e8b
SSDEEP

12288:g72bntEL9/bxSFjGMOtsg50nuGb6G3avG/a/erBG0xbdnH2B4bXCBVX9tX1n+poW:g72zus5HXitc

Score

10^/10

defense_evasion evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	226efc6b9339ba736515331f079c7b27_JaffaCakes118.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	226efc6b9339ba736515331f079c7b27_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\UHRQKJCP = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\UHRQKJCP = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\UHRQKJCP = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
1796	avscan.exe
2796	avscan.exe
2568	hosts.exe
2708	hosts.exe
1980	avscan.exe
2884	hosts.exe

Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	REG.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	REG.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend	REG.exe

Loads dropped DLL 5 IoCs

pid	Process
2964	226efc6b9339ba736515331f079c7b27_JaffaCakes118.exe
2964	226efc6b9339ba736515331f079c7b27_JaffaCakes118.exe
1796	avscan.exe
2568	hosts.exe
2568	hosts.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	226efc6b9339ba736515331f079c7b27_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	226efc6b9339ba736515331f079c7b27_JaffaCakes118.exe
File created	\??\c:\windows\W_X_C.bat	226efc6b9339ba736515331f079c7b27_JaffaCakes118.exe
File opened for modification	C:\Windows\hosts.exe	226efc6b9339ba736515331f079c7b27_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
2076	REG.exe
1508	REG.exe
1872	REG.exe
1804	REG.exe
1556	REG.exe
2264	REG.exe
1708	REG.exe
2200	REG.exe
1772	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1796	avscan.exe
2568	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2964	226efc6b9339ba736515331f079c7b27_JaffaCakes118.exe
1796	avscan.exe
2796	avscan.exe
2568	hosts.exe
2708	hosts.exe
1980	avscan.exe
2884	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2200	2964	226efc6b9339ba736515331f079c7b27_JaffaCakes118.exe	28
PID 2964 wrote to memory of 2200	2964	226efc6b9339ba736515331f079c7b27_JaffaCakes118.exe	28
PID 2964 wrote to memory of 2200	2964	226efc6b9339ba736515331f079c7b27_JaffaCakes118.exe	28
PID 2964 wrote to memory of 2200	2964	226efc6b9339ba736515331f079c7b27_JaffaCakes118.exe	28
PID 2964 wrote to memory of 1796	2964	226efc6b9339ba736515331f079c7b27_JaffaCakes118.exe	30
PID 2964 wrote to memory of 1796	2964	226efc6b9339ba736515331f079c7b27_JaffaCakes118.exe	30
PID 2964 wrote to memory of 1796	2964	226efc6b9339ba736515331f079c7b27_JaffaCakes118.exe	30
PID 2964 wrote to memory of 1796	2964	226efc6b9339ba736515331f079c7b27_JaffaCakes118.exe	30
PID 1796 wrote to memory of 2796	1796	avscan.exe	31
PID 1796 wrote to memory of 2796	1796	avscan.exe	31
PID 1796 wrote to memory of 2796	1796	avscan.exe	31
PID 1796 wrote to memory of 2796	1796	avscan.exe	31
PID 1796 wrote to memory of 1540	1796	avscan.exe	32
PID 1796 wrote to memory of 1540	1796	avscan.exe	32
PID 1796 wrote to memory of 1540	1796	avscan.exe	32
PID 1796 wrote to memory of 1540	1796	avscan.exe	32
PID 2964 wrote to memory of 2788	2964	226efc6b9339ba736515331f079c7b27_JaffaCakes118.exe	33
PID 2964 wrote to memory of 2788	2964	226efc6b9339ba736515331f079c7b27_JaffaCakes118.exe	33
PID 2964 wrote to memory of 2788	2964	226efc6b9339ba736515331f079c7b27_JaffaCakes118.exe	33
PID 2964 wrote to memory of 2788	2964	226efc6b9339ba736515331f079c7b27_JaffaCakes118.exe	33
PID 1540 wrote to memory of 2568	1540	cmd.exe	36
PID 1540 wrote to memory of 2568	1540	cmd.exe	36
PID 1540 wrote to memory of 2568	1540	cmd.exe	36
PID 1540 wrote to memory of 2568	1540	cmd.exe	36
PID 2788 wrote to memory of 2708	2788	cmd.exe	37
PID 2788 wrote to memory of 2708	2788	cmd.exe	37
PID 2788 wrote to memory of 2708	2788	cmd.exe	37
PID 2788 wrote to memory of 2708	2788	cmd.exe	37
PID 2568 wrote to memory of 1980	2568	hosts.exe	38
PID 2568 wrote to memory of 1980	2568	hosts.exe	38
PID 2568 wrote to memory of 1980	2568	hosts.exe	38
PID 2568 wrote to memory of 1980	2568	hosts.exe	38
PID 1540 wrote to memory of 2208	1540	cmd.exe	39
PID 1540 wrote to memory of 2208	1540	cmd.exe	39
PID 1540 wrote to memory of 2208	1540	cmd.exe	39
PID 1540 wrote to memory of 2208	1540	cmd.exe	39
PID 2568 wrote to memory of 2824	2568	hosts.exe	40
PID 2568 wrote to memory of 2824	2568	hosts.exe	40
PID 2568 wrote to memory of 2824	2568	hosts.exe	40
PID 2568 wrote to memory of 2824	2568	hosts.exe	40
PID 2824 wrote to memory of 2884	2824	cmd.exe	42
PID 2824 wrote to memory of 2884	2824	cmd.exe	42
PID 2824 wrote to memory of 2884	2824	cmd.exe	42
PID 2824 wrote to memory of 2884	2824	cmd.exe	42
PID 2788 wrote to memory of 2968	2788	cmd.exe	43
PID 2788 wrote to memory of 2968	2788	cmd.exe	43
PID 2788 wrote to memory of 2968	2788	cmd.exe	43
PID 2788 wrote to memory of 2968	2788	cmd.exe	43
PID 2824 wrote to memory of 1828	2824	cmd.exe	44
PID 2824 wrote to memory of 1828	2824	cmd.exe	44
PID 2824 wrote to memory of 1828	2824	cmd.exe	44
PID 2824 wrote to memory of 1828	2824	cmd.exe	44
PID 1796 wrote to memory of 1772	1796	avscan.exe	45
PID 1796 wrote to memory of 1772	1796	avscan.exe	45
PID 1796 wrote to memory of 1772	1796	avscan.exe	45
PID 1796 wrote to memory of 1772	1796	avscan.exe	45
PID 2568 wrote to memory of 2076	2568	hosts.exe	47
PID 2568 wrote to memory of 2076	2568	hosts.exe	47
PID 2568 wrote to memory of 2076	2568	hosts.exe	47
PID 2568 wrote to memory of 2076	2568	hosts.exe	47
PID 1796 wrote to memory of 1508	1796	avscan.exe	51
PID 1796 wrote to memory of 1508	1796	avscan.exe	51
PID 1796 wrote to memory of 1508	1796	avscan.exe	51
PID 1796 wrote to memory of 1508	1796	avscan.exe	51

C:\Users\Admin\AppData\Local\Temp\226efc6b9339ba736515331f079c7b27_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\226efc6b9339ba736515331f079c7b27_JaffaCakes118.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Impair Defenses: Safe Mode Boot
  - Modifies registry key
  PID:2200
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1980
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\W_X_C.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2824
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2884
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:1828
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:2076
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1872
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1556
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1708
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:2208
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1772
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1508
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1804
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:2264
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2708
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.3MB

MD5
fee9bd4b8bf55ce382b5313ac066233e

SHA1
c5e726797e823472be44777d2733d8a98d9ddba3

SHA256
52b059ecfba9d2e703a6324e6cd3b4798e6157572ce656b65357f4d3dd6f2c4b

SHA512
d222a8d60138046b00aef10f771879936d906837d70ef2e1fa28f780980adc558cc7c4fa6560c87034ee17814bf4af5accecad5d5c37f6c78a8c7ebfa224b255

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.9MB

MD5
a57a5e8d591fd0992d0c7f3568d4b46d

SHA1
1d8b90a76e363c755c9431c7649bc5ca0328d864

SHA256
f099b6a66c4292def161d90536c65c9d0b00f89e604dbbb02f551e7719774989

SHA512
2fca628cca3f1ce08629c5b7e37aef7413f7573c833729c1b9337488ce9593ce63253e27093002e8e1434c1d2d4b765a0a3d9ff12aacf46574e84670fecacf72

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.5MB

MD5
59ada6af7bcb5b661f5f48850e76a5e9

SHA1
686156f5ee2f5bc24d382354aea22c2089a6c9b3

SHA256
72590330f4f8d9a0cff0880b8b5692c515303c5c7af485b3b6469b205dd54e3c

SHA512
7a20c8c1c88f8b934428862bf97047c2796150a95f8a058ddaf69e8c3b1810b03d1596ab75f55d418e21f80449b2dd1b14193ad273607e2867421d4f02f0f15e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
3.1MB

MD5
107dfcdae22679e07162bded2a226896

SHA1
65672a71712c58ca2f8a730309bd6ad569ca0611

SHA256
8a741a5a7376188a1d830c8bac1699f5e658f238d9207c2550ded1ffd908903f

SHA512
61fba639417f9b7351e8e3fd8a868856e75ab6a49b105275b8f2c07478d223df36876ef9c55ccbbe0333c7f175684b4801b8bae414ff2025461a3d92d676751e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
3.8MB

MD5
23eb169c13010eb15c64e1ffb8f9bacd

SHA1
44bb0b8b1bdcf2eb23da9d2b281a3cea2f01d1df

SHA256
39389f16c665071edbd9a1b4087f111a5aa43dc3c4d64657a2b69b81cf26da13

SHA512
7793ea4550fea00d0be4947f4f689e91800a38817813ddd1f60b774d620f7facb93f1b0ce7968ff6a930ac553da7b256097c0b391e6a9adcb69bf320acdcd53c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
4.4MB

MD5
7d749e84b02f03c7c418abf35d918172

SHA1
865002a3e069b4a12b2f3f74607748f3d24fa95e

SHA256
53f0efb82129c00608a82ef919a84007e235ddec64fd87b76d629b9334da1e65

SHA512
fbfb3fcf9a38469f375e0d19a3ab026d80e7a21c331a1398cf88c7506e201c86ed7a29a3dcb60833cd3470973a8638eee65786bd257b474bdc17a22a0ac72fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
5.0MB

MD5
c6db82108c3d5f2ecfd3bcae406d8a22

SHA1
f1c7282bad3aa69a053c4306e954d3b4a05e764a

SHA256
cf5f234d10fae480f61906905b5ca505722e2cd86b533d5d801e3b6f4840c156

SHA512
00c323594dc772d8f6be492b437e8e0172dab0359f023054153c8d423d3bc4d4467336910533d9c6fed7b74686ae0db37b0f363300a03c45f77cfcbb70d6bfc6

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
720e658c4a42781ba26f9750387d273c

SHA1
dca608ac66fa745660ab4b74a254daeaaf780991

SHA256
e94e3e860999800c41e4717dc9d506bb1fef39e8e93432693a906738d925a4e1

SHA512
e5cd4c664d739f06a0f1dbc0a5f8704e3b869d0e0904540edd3c0cfdba158df383e08764de7e1a9bf0770bbe57e6fc226ef97e84cb41fafc792ba0e9df4e10ff

Download Submit
C:\Windows\hosts.exe

Filesize
632KB

MD5
85b9607569a40d19d90d0116cbe81140

SHA1
288861db358765c0adb473190daf31079d87ae17

SHA256
c2e621435c3aabf0cf87f8cc8409aa8c5f207270d2befe20e5d0a5e8ea2a719c

SHA512
be0fe221045af87098c4bcf7b049e9f120a64dca7987d58becb2a7c3b7d0ba0eb700f212b44545a4b024e822ff9d8b07b0e2eac62b467d6e04d12e8b2e7cb38f

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
632KB

MD5
def1d586099da4d600083d1cfac9ef4c

SHA1
71fdb5d8911cc9cd73a86e5eea00d192dfb184fb

SHA256
6a157d9f25c5a5429f1bc829532e74e291b234af02b472e9c75f1429756245dd

SHA512
3b68186cfe813edd7f8234c5d11b1fa7f7bda1e758934bcd996d6233009390bc4d3fbdd768ee6675900dc55528fe6409c8a42fa734bc74e3c639c5e34096ea1a

Download Submit
memory/2788-71-0x00000000024F0000-0x00000000025F0000-memory.dmp

Filesize
1024KB

Download
memory/2884-77-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads