b7c18eb1f6597734af890ebb5fa3345bc3c90ba6f60cb934025c3d56343a63da

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 00:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe
Size

354KB
MD5

23f62fe026e1632b60e9bb0dc7857537
SHA1

b790dbc0dd1bf407df7e92a65cc20ae1e76d487d
SHA256

b7c18eb1f6597734af890ebb5fa3345bc3c90ba6f60cb934025c3d56343a63da
SHA512

78e6cc5891d0f2f4e7b0b01a1837f8651157962c6535d6ed68a9d5f96fb4da879fb5058ea4990a021922e02ef1f59bab14c78959dfe89aa0a9634e5d593ba34b
SSDEEP

6144:gDCwfG1bnxLERR9saMDCwfG1bnxLERR9saah:g72bntEL9/M72bntEL9/ah

Score

10^/10

defense_evasion evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\BISMIZHX = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\BISMIZHX = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\BISMIZHX = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
2580	avscan.exe
2508	avscan.exe
2520	hosts.exe
2556	hosts.exe
2792	avscan.exe
764	hosts.exe

Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	REG.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	REG.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend	REG.exe

Loads dropped DLL 5 IoCs

pid	Process
1992	23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe
1992	23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe
2580	avscan.exe
2520	hosts.exe
2520	hosts.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\W_X_C.vbs	23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe
File created	\??\c:\windows\W_X_C.bat	23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe
File opened for modification	C:\Windows\hosts.exe	23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
3028	REG.exe
2728	REG.exe
2452	REG.exe
1480	REG.exe
2940	REG.exe
2948	REG.exe
1484	REG.exe
2988	REG.exe
2032	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2580	avscan.exe
2520	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1992	23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe
2580	avscan.exe
2508	avscan.exe
2520	hosts.exe
2792	avscan.exe
2556	hosts.exe
764	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2032	1992	23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe	28
PID 1992 wrote to memory of 2032	1992	23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe	28
PID 1992 wrote to memory of 2032	1992	23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe	28
PID 1992 wrote to memory of 2032	1992	23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe	28
PID 1992 wrote to memory of 2580	1992	23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe	30
PID 1992 wrote to memory of 2580	1992	23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe	30
PID 1992 wrote to memory of 2580	1992	23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe	30
PID 1992 wrote to memory of 2580	1992	23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe	30
PID 2580 wrote to memory of 2508	2580	avscan.exe	31
PID 2580 wrote to memory of 2508	2580	avscan.exe	31
PID 2580 wrote to memory of 2508	2580	avscan.exe	31
PID 2580 wrote to memory of 2508	2580	avscan.exe	31
PID 2580 wrote to memory of 1352	2580	avscan.exe	32
PID 2580 wrote to memory of 1352	2580	avscan.exe	32
PID 2580 wrote to memory of 1352	2580	avscan.exe	32
PID 2580 wrote to memory of 1352	2580	avscan.exe	32
PID 1992 wrote to memory of 2640	1992	23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe	34
PID 1992 wrote to memory of 2640	1992	23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe	34
PID 1992 wrote to memory of 2640	1992	23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe	34
PID 1992 wrote to memory of 2640	1992	23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe	34
PID 1352 wrote to memory of 2520	1352	cmd.exe	36
PID 1352 wrote to memory of 2520	1352	cmd.exe	36
PID 1352 wrote to memory of 2520	1352	cmd.exe	36
PID 1352 wrote to memory of 2520	1352	cmd.exe	36
PID 2640 wrote to memory of 2556	2640	cmd.exe	37
PID 2640 wrote to memory of 2556	2640	cmd.exe	37
PID 2640 wrote to memory of 2556	2640	cmd.exe	37
PID 2640 wrote to memory of 2556	2640	cmd.exe	37
PID 2520 wrote to memory of 2792	2520	hosts.exe	38
PID 2520 wrote to memory of 2792	2520	hosts.exe	38
PID 2520 wrote to memory of 2792	2520	hosts.exe	38
PID 2520 wrote to memory of 2792	2520	hosts.exe	38
PID 1352 wrote to memory of 1772	1352	cmd.exe	39
PID 1352 wrote to memory of 1772	1352	cmd.exe	39
PID 1352 wrote to memory of 1772	1352	cmd.exe	39
PID 1352 wrote to memory of 1772	1352	cmd.exe	39
PID 2520 wrote to memory of 2140	2520	hosts.exe	40
PID 2520 wrote to memory of 2140	2520	hosts.exe	40
PID 2520 wrote to memory of 2140	2520	hosts.exe	40
PID 2520 wrote to memory of 2140	2520	hosts.exe	40
PID 2640 wrote to memory of 2568	2640	cmd.exe	42
PID 2640 wrote to memory of 2568	2640	cmd.exe	42
PID 2640 wrote to memory of 2568	2640	cmd.exe	42
PID 2640 wrote to memory of 2568	2640	cmd.exe	42
PID 2140 wrote to memory of 764	2140	cmd.exe	43
PID 2140 wrote to memory of 764	2140	cmd.exe	43
PID 2140 wrote to memory of 764	2140	cmd.exe	43
PID 2140 wrote to memory of 764	2140	cmd.exe	43
PID 2140 wrote to memory of 768	2140	cmd.exe	44
PID 2140 wrote to memory of 768	2140	cmd.exe	44
PID 2140 wrote to memory of 768	2140	cmd.exe	44
PID 2140 wrote to memory of 768	2140	cmd.exe	44
PID 2580 wrote to memory of 1484	2580	avscan.exe	45
PID 2580 wrote to memory of 1484	2580	avscan.exe	45
PID 2580 wrote to memory of 1484	2580	avscan.exe	45
PID 2580 wrote to memory of 1484	2580	avscan.exe	45
PID 2520 wrote to memory of 3028	2520	hosts.exe	47
PID 2520 wrote to memory of 3028	2520	hosts.exe	47
PID 2520 wrote to memory of 3028	2520	hosts.exe	47
PID 2520 wrote to memory of 3028	2520	hosts.exe	47
PID 2580 wrote to memory of 2728	2580	avscan.exe	51
PID 2580 wrote to memory of 2728	2580	avscan.exe	51
PID 2580 wrote to memory of 2728	2580	avscan.exe	51
PID 2580 wrote to memory of 2728	2580	avscan.exe	51

C:\Users\Admin\AppData\Local\Temp\23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\23f62fe026e1632b60e9bb0dc7857537_JaffaCakes118.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Impair Defenses: Safe Mode Boot
  - Modifies registry key
  PID:2032
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2508
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1352
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2520
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2792
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\W_X_C.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2140
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:764
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:768
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:3028
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:2452
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1480
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:2948
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:1772
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1484
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:2728
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:2988
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:2940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2556
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
757KB

MD5
a27e5d8c92fa8c13c12020e03a4807d9

SHA1
b8050ea87899a8b955cad2df055d4db7de6e465c

SHA256
a407fa91daba18747be6f348e8d8f1b814551a58d5cc37cffcf6edc9f71647d3

SHA512
5601e4565409423f7ad50d16536533d9e3fd8534d9967219d9ee82a418edf3f8df4a8ba6c8981cbf3040fc6ab8d7642768205e60ee5e8d713065dff56d4a66f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.1MB

MD5
769789adde82e420491147c536bfcecd

SHA1
50c5a415d151260608d15642ea7623c9509710a4

SHA256
8084d0c034dd6105ea7cbdca6988a0c53160529af166e1bc142e1eefdfc380f8

SHA512
a8420a148177625254e2c4c9b402999d904f5637bc62c2efcc9b3a22e8dbba012051bf2eb8e6ecdc126975b1ba233a1cbe05d4a83c8e7978c221486a1e528a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.4MB

MD5
7756c8ce2beee23c10e930f157f523e1

SHA1
9d5572499f6ff398ca12dfd87306e1f7fff7aeff

SHA256
3be6a514a99514d6d86a2a2bd3de2534fef4ba1e92b771fb98e7d193a8f5d291

SHA512
cbc55d468845bdcafb47d78789427173651fac96fbc932194be2ab3ca3b0907b0e80cfb100fbde09fff575c038a5c03fc3741cc809ea665957cae0a67cf941d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.8MB

MD5
5fe949d7cc5931c3059290b744b51e48

SHA1
a9774d33e655ccbd606fccb2ed1bd5e4c0b0dc83

SHA256
619790eb663bdb615ffbbe857d3726cbfa6e89172d705b74f3a53375d11e2c9b

SHA512
96b88823f69caabb274f4e8165f58a92aea3494d431e35cf6891682044b6ddf219b74c490d4987a0cbb66719b38c2bef59608d2fccaf5b5c5d9bbb5255efcca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.1MB

MD5
57f4aeea61c498b9757a2ac34c037360

SHA1
d30b76abd617a91419cb50d7a8e1af7a3bcdb71d

SHA256
46a51664ce36506a6b701ad6a04729d5a41c82086009e309cae1908b98ccb1fd

SHA512
e9d62d39bbc22a22ad00cf1969f19fb702b08dcd076d8e99704ee72330412e04dac370ef1c3534f64b2cf75d929c72533b25dc8f18adc23b08ea074644ea36f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.5MB

MD5
72f9e2b4ca024d473143ecbb869f9be8

SHA1
47b7528b2cae0096a29feca66588e3b203f897a8

SHA256
94679529d5bd732f5d9376e5bc560306b788871ac3e4d5d6607115ce4f74d2b3

SHA512
4264d0fbc35ea61e8ea50a8e58fa084a3a5c8a89b14b5e059e0e434d53fcf2292d9a6ea1629146cad4a5acafc996fefddf1a85458c6f6415200d85f657311eee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.8MB

MD5
f08927f29cb4d42f88e46e5e12e06ecf

SHA1
fba217b258fe31f3bfec70630f598e5c003a7b95

SHA256
8a9de13041e61fdec28bd94a7d50cee665726d4174923311d8af5d5b8821887b

SHA512
1b7ca4ccbee3ce5ca18bad68fd45f6290f8d2b57e852091e87c1380237a6c0ee22b9140cc1adc0bf01d30c30730b802e568472fc2362e4d95a6f0c7ba99d3b96

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
7fd017e8c0f6e808ab92dd24fc015f50

SHA1
917f0c6f8588a70a1044dfd2b0dd94d2738ac705

SHA256
009ab8b53bde4a5b671cddc837eeab5e1023557db347ed33f355d75d230d0ae1

SHA512
91f7dc20c39ddb47221416ec3ffd8b91e1ccdfe2cb8b60294380df08c6e4edef19387da198107eedb47a75e7ad311cc5933095eeddfcb47d7d45d5a8b0a40ae3

Download Submit
C:\Windows\hosts.exe

Filesize
354KB

MD5
cced3a528d346f900f9aeb4d105e4a12

SHA1
f023300b62263c9c5adeb6d07d2d9409d26d889e

SHA256
3c025eb20b17c0cf80636674c30048e849ecec0d0d21fd7b5f761c426548abd2

SHA512
bbc6905d42382937b749bbc55b3fa7356f8dda997bfd634801499ba1619809c351fc2f1ffe0dd0e498b1cd6ab73396d06a5efa2b46886e33772dc7e39d2dc8ee

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
354KB

MD5
62ed18b2a3d928025cc85b04d1a8d199

SHA1
6416828bc3fef7da3629d8a94d81ec31a44e5dfb

SHA256
938f4c4b7aedd3f41f20b8440cce9eb050527d02539cdb63473ea32dc5202771

SHA512
96a82b1f7bd1f00c0d7d26a47d0d60e63ba4148ee3f11915da3e1af41130ab41d4a3c630c3b3d9f24e4ba00370532246be3da96077655a44225d53071f8d9d85

Download Submit
memory/1352-47-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/2792-49-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/2792-46-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads