8551076256854d724484fad6fa2156f3529ba5bd6074ede64a8f77c4843643fc

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23fbdff109d7dc6d51b7747f94ab3373_JaffaCakes118.exe
Size

217KB
MD5

23fbdff109d7dc6d51b7747f94ab3373
SHA1

830401e58c42a95c7b823c3bf60760c88fbab5dd
SHA256

8551076256854d724484fad6fa2156f3529ba5bd6074ede64a8f77c4843643fc
SHA512

4c6fa36dc60b496fbd7d2e4e2ebc293311e99e6cc35a79cdfb7bbc1437e5fc365346b6a9ecc0ed5e852c72ee55ce0c635f10f92cd632d8a42549f733dd66ea8b
SSDEEP

3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCm/DER4eQB17lgVUInUpmsPssU9I:gDCwfG1bnxLERRMlmjUosPsdI

Score

10^/10

defense_evasion evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	23fbdff109d7dc6d51b7747f94ab3373_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	23fbdff109d7dc6d51b7747f94ab3373_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\TICCAUTD = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\TICCAUTD = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\TICCAUTD = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
1036	avscan.exe
2848	avscan.exe
2876	hosts.exe
2676	hosts.exe
2472	avscan.exe
1812	hosts.exe

Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	REG.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend	REG.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	REG.exe

Loads dropped DLL 5 IoCs

pid	Process
2264	23fbdff109d7dc6d51b7747f94ab3373_JaffaCakes118.exe
2264	23fbdff109d7dc6d51b7747f94ab3373_JaffaCakes118.exe
1036	avscan.exe
2876	hosts.exe
2876	hosts.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	23fbdff109d7dc6d51b7747f94ab3373_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	23fbdff109d7dc6d51b7747f94ab3373_JaffaCakes118.exe
File created	\??\c:\windows\W_X_C.bat	23fbdff109d7dc6d51b7747f94ab3373_JaffaCakes118.exe
File opened for modification	C:\Windows\hosts.exe	23fbdff109d7dc6d51b7747f94ab3373_JaffaCakes118.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
1484	REG.exe
2424	REG.exe
960	REG.exe
2928	REG.exe
1972	REG.exe
1284	REG.exe
2764	REG.exe
1488	REG.exe
1920	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1036	avscan.exe
2876	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2264	23fbdff109d7dc6d51b7747f94ab3373_JaffaCakes118.exe
1036	avscan.exe
2848	avscan.exe
2876	hosts.exe
2676	hosts.exe
2472	avscan.exe
1812	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 1972	2264	23fbdff109d7dc6d51b7747f94ab3373_JaffaCakes118.exe	28
PID 2264 wrote to memory of 1972	2264	23fbdff109d7dc6d51b7747f94ab3373_JaffaCakes118.exe	28
PID 2264 wrote to memory of 1972	2264	23fbdff109d7dc6d51b7747f94ab3373_JaffaCakes118.exe	28
PID 2264 wrote to memory of 1972	2264	23fbdff109d7dc6d51b7747f94ab3373_JaffaCakes118.exe	28
PID 2264 wrote to memory of 1036	2264	23fbdff109d7dc6d51b7747f94ab3373_JaffaCakes118.exe	30
PID 2264 wrote to memory of 1036	2264	23fbdff109d7dc6d51b7747f94ab3373_JaffaCakes118.exe	30
PID 2264 wrote to memory of 1036	2264	23fbdff109d7dc6d51b7747f94ab3373_JaffaCakes118.exe	30
PID 2264 wrote to memory of 1036	2264	23fbdff109d7dc6d51b7747f94ab3373_JaffaCakes118.exe	30
PID 1036 wrote to memory of 2848	1036	avscan.exe	31
PID 1036 wrote to memory of 2848	1036	avscan.exe	31
PID 1036 wrote to memory of 2848	1036	avscan.exe	31
PID 1036 wrote to memory of 2848	1036	avscan.exe	31
PID 1036 wrote to memory of 2632	1036	avscan.exe	32
PID 1036 wrote to memory of 2632	1036	avscan.exe	32
PID 1036 wrote to memory of 2632	1036	avscan.exe	32
PID 1036 wrote to memory of 2632	1036	avscan.exe	32
PID 2264 wrote to memory of 2664	2264	23fbdff109d7dc6d51b7747f94ab3373_JaffaCakes118.exe	33
PID 2264 wrote to memory of 2664	2264	23fbdff109d7dc6d51b7747f94ab3373_JaffaCakes118.exe	33
PID 2264 wrote to memory of 2664	2264	23fbdff109d7dc6d51b7747f94ab3373_JaffaCakes118.exe	33
PID 2264 wrote to memory of 2664	2264	23fbdff109d7dc6d51b7747f94ab3373_JaffaCakes118.exe	33
PID 2664 wrote to memory of 2876	2664	cmd.exe	37
PID 2664 wrote to memory of 2876	2664	cmd.exe	37
PID 2664 wrote to memory of 2876	2664	cmd.exe	37
PID 2664 wrote to memory of 2876	2664	cmd.exe	37
PID 2632 wrote to memory of 2676	2632	cmd.exe	36
PID 2632 wrote to memory of 2676	2632	cmd.exe	36
PID 2632 wrote to memory of 2676	2632	cmd.exe	36
PID 2632 wrote to memory of 2676	2632	cmd.exe	36
PID 2876 wrote to memory of 2472	2876	hosts.exe	38
PID 2876 wrote to memory of 2472	2876	hosts.exe	38
PID 2876 wrote to memory of 2472	2876	hosts.exe	38
PID 2876 wrote to memory of 2472	2876	hosts.exe	38
PID 2664 wrote to memory of 2572	2664	cmd.exe	39
PID 2664 wrote to memory of 2572	2664	cmd.exe	39
PID 2664 wrote to memory of 2572	2664	cmd.exe	39
PID 2664 wrote to memory of 2572	2664	cmd.exe	39
PID 2632 wrote to memory of 2784	2632	cmd.exe	40
PID 2632 wrote to memory of 2784	2632	cmd.exe	40
PID 2632 wrote to memory of 2784	2632	cmd.exe	40
PID 2632 wrote to memory of 2784	2632	cmd.exe	40
PID 2876 wrote to memory of 2420	2876	hosts.exe	41
PID 2876 wrote to memory of 2420	2876	hosts.exe	41
PID 2876 wrote to memory of 2420	2876	hosts.exe	41
PID 2876 wrote to memory of 2420	2876	hosts.exe	41
PID 2420 wrote to memory of 1812	2420	cmd.exe	43
PID 2420 wrote to memory of 1812	2420	cmd.exe	43
PID 2420 wrote to memory of 1812	2420	cmd.exe	43
PID 2420 wrote to memory of 1812	2420	cmd.exe	43
PID 2420 wrote to memory of 1296	2420	cmd.exe	44
PID 2420 wrote to memory of 1296	2420	cmd.exe	44
PID 2420 wrote to memory of 1296	2420	cmd.exe	44
PID 2420 wrote to memory of 1296	2420	cmd.exe	44
PID 1036 wrote to memory of 1284	1036	avscan.exe	45
PID 1036 wrote to memory of 1284	1036	avscan.exe	45
PID 1036 wrote to memory of 1284	1036	avscan.exe	45
PID 1036 wrote to memory of 1284	1036	avscan.exe	45
PID 2876 wrote to memory of 2764	2876	hosts.exe	47
PID 2876 wrote to memory of 2764	2876	hosts.exe	47
PID 2876 wrote to memory of 2764	2876	hosts.exe	47
PID 2876 wrote to memory of 2764	2876	hosts.exe	47
PID 1036 wrote to memory of 1488	1036	avscan.exe	51
PID 1036 wrote to memory of 1488	1036	avscan.exe	51
PID 1036 wrote to memory of 1488	1036	avscan.exe	51
PID 1036 wrote to memory of 1488	1036	avscan.exe	51

C:\Users\Admin\AppData\Local\Temp\23fbdff109d7dc6d51b7747f94ab3373_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\23fbdff109d7dc6d51b7747f94ab3373_JaffaCakes118.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Impair Defenses: Safe Mode Boot
  - Modifies registry key
  PID:1972
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2676
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:2784
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1284
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1488
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:2424
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2472
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\W_X_C.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2420
    - - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1812
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        5⤵
        Adds policy Run key to start application
        
        PID:1296
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:2764
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1484
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1920
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:2928
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
482KB

MD5
d7866a82ebd62946c0255fed27c0f388

SHA1
0829b60e57cfbd0c6be734f969ce3ff836cc7b5c

SHA256
a80a281b312461471241b293b2188842b505e9631b75a33c908fd8ac4f46121d

SHA512
1a7f79b0c2df95d2b961a42561bb18df74b40e5c9287cd9a48562a827b2c1204b26babecb87479757ef96ffa487b6edfe067dcf898ad94431216379357f881ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
699KB

MD5
0dd667e706d11224de04260b4b93889a

SHA1
bb95c67562e572c0f7f747c873af3634af08d106

SHA256
c68129a0b5b491ac2d98f5c28aa6e6a94d52ba991cee1dca85dc1e10be4260b9

SHA512
6cdadcdb84ba02835929e34c3baa592dc5dbc8e1ee7077c48e4a51c55c7b9c78f9f77fd1673ef4e91c4e43a9ed5b534e58eeacb67f867ee968b2fb787f61f72a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
916KB

MD5
433dbf2f984010bbbd9310e044efccbc

SHA1
892dcc4bd22f8d789909e0c2cf15bb717945ca22

SHA256
04e274ba9239e9af7fc31dcdbbd23ebc387be90996c2d224e9b66a48a1378c76

SHA512
461cd64c58979bfb465a862b025289353c468d0ee85cdd0f14d6d162d0bd337776e8b7dec94e56da793eeed44cd93b95ecbda1130faf2f3f0070a2b173bfca8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.1MB

MD5
5ec2cc84823fddac850ee22b58793d43

SHA1
b7558e96cc495a6dfef4d703f9584b3091c1caf9

SHA256
a74c48c9b492bcc7c6fa4854d814a402127e160e963a8233be1b36d02d6ab877

SHA512
6340ee743e2a8980055bbc7150724345566ec6578ce08fa066b1c65d168281f874e7038e9c62c330c3aa177d8deb0ddd102385d38340c6f307e1040c7b188197

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.3MB

MD5
ba62f311ea20015b4498cf03b431735e

SHA1
509d9cde98339fe421b1ee808d6abc6e581687ce

SHA256
2f2422349fd90aeade91a35df23ab7d1b1622bf93ec23cf17e95693d7e1733a5

SHA512
a659dcc50f4f61610c3f9adb8675d4ab4a9497469e69743033fe37d6b9fc4fd433b0febfd45bac1a0c729b813dc86b524bf8f667c35c123a8b5a616200de8d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.5MB

MD5
fab97ccfc5fd81a84fa786bdeb1b2d8a

SHA1
ef2b3d43a1b321d46f4e0ff4bc2f9abbdd3c41c2

SHA256
c356e8f8fb2e19e3cb9fbf65b2c63801c9c5eb5c1db71fc43a23136f249d398c

SHA512
5fac6c951edbf4205d2e6c46e5b7ba8609d9cb838be3c5f50ce1ba64bcdcb1664501b8a11769db5db022976f7b2d05d091bf600c49d0764b09aa8a860ef05c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.7MB

MD5
a3ac1eda6a16525ce538be5bee451ea4

SHA1
a1d4049445347a0e96daa42ad899cf8f6c5aeaeb

SHA256
7f33caa2b41e3ca710a1e32bb4e6055a8e9614885723778c52f7fde5eb0fc18f

SHA512
31da8b7c66c26b6e28eb9a3c8b381e09675fda384fdeef6e9e993d1e96158330cfbbed2f8e00ed560421198bd99a63874e7b454fec7f91abfbf0ce4dc85dd42e

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
07204ce2e98e2fe32bc7ce8c0537d778

SHA1
f9eec1ca531b47435bc146c4c136e8538d63cde1

SHA256
3f906c02a40064768e49d23db4a4b9d912149f9e32668364e59b0a8d78dd2892

SHA512
3cc00d5c66c9e99eb0b8cc91b0c58e0006ad091114e929accd5e2f0023195a75f1621a849a366b74b20b90b36213429e1629d11da24fa27a82a3b06bafe39746

Download Submit
C:\Windows\hosts.exe

Filesize
217KB

MD5
cc5a28e6ce7238fde7abd1c3231121d9

SHA1
55e74189d65c58d5d54da8d85610b8061e6838a4

SHA256
616589bb956720dd1a09b32f3656cbd5739d2adb995669177420c9d8f7db38f6

SHA512
09e39ea1f9b4421c357e6f2f3c79e3d4fcb313a084e70cee9d609d59af9929fb9821125f5ce8d521c6dbde012036733fdd606af38749e3ba826ea1e1594de1a1

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
217KB

MD5
ccedcfaaa837da7de335ddfa69cc9db7

SHA1
f33fea760cb9ae3f809f766941bc8ee092a48087

SHA256
070f00f687c703994597a906cfd6cd502136b32c1bddf4775c4e8fecef768eb7

SHA512
6031ff16dcf0b3ec57649f0230c33eb724812048e532f256649f113664c9d8d6626c9f693cf013529d0a8ede19e848cd799c09cfd9cb0d40b8fc6c56f7fba9b8

Download Submit
memory/2472-61-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2472-63-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2664-55-0x0000000002430000-0x0000000002530000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads