30bc4b2410e5caa5cd4675c884e2010eab617f4860bddf0959d62d620d62025f

Analysis

max time kernel
114s
max time network
16s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe
Size

350KB
MD5

2619f1bcec24666f7ba94f5077474d88
SHA1

f1596187510b18584d56c8f9f861cb87f62fe0fe
SHA256

30bc4b2410e5caa5cd4675c884e2010eab617f4860bddf0959d62d620d62025f
SHA512

252e70ae912b61528cd0904d8974e6a33b69de05c423e532d76c5c6679f970c1a2eab8b7978f46b415746ec0fa1306e689c66ce28df77e662f7206960c15c37f
SSDEEP

6144:gDCwfG1bnxLERR9sadDCwfG1bnxLERR9sat:g72bntEL9/d72bntEL9/t

Score

10^/10

defense_evasion evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exeavscan.exehosts.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exeavscan.exehosts.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WScript.exeWScript.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\MVFYZPLM = "W_X_C.bat"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\MVFYZPLM = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\MVFYZPLM = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe

Executes dropped EXE 6 IoCs

Processes:

avscan.exeavscan.exehosts.exehosts.exeavscan.exehosts.exe

pid process

2784 avscan.exe
2760 avscan.exe
2684 hosts.exe
2628 hosts.exe
2704 avscan.exe
2372 hosts.exe

pid	process
2784	avscan.exe
2760	avscan.exe
2684	hosts.exe
2628	hosts.exe
2704	avscan.exe
2372	hosts.exe

Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs

defense_evasion

Safe Mode Boot

T1562.009

Processes:

REG.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	REG.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	REG.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend	REG.exe

Loads dropped DLL 5 IoCs

Processes:

2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exeavscan.exehosts.exe

pid process

2556 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe
2556 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe
2784 avscan.exe
2684 hosts.exe
2684 hosts.exe

pid	process
2556	2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe
2556	2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe
2784	avscan.exe
2684	hosts.exe
2684	hosts.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exeavscan.exehosts.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe

Drops file in Windows directory 5 IoCs

Processes:

2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exeavscan.exehosts.exe

description	ioc	process
File opened for modification	C:\Windows\hosts.exe	2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe
File created	\??\c:\windows\W_X_C.bat	2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

REG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exe

pid process

1692 REG.exe
1472 REG.exe
2284 REG.exe
956 REG.exe
2900 REG.exe
1400 REG.exe
1752 REG.exe
2312 REG.exe
1564 REG.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

avscan.exehosts.exe

pid process

2784 avscan.exe
2684 hosts.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exeavscan.exeavscan.exehosts.exehosts.exeavscan.exehosts.exe

pid process

2556 2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe
2784 avscan.exe
2760 avscan.exe
2684 hosts.exe
2628 hosts.exe
2704 avscan.exe
2372 hosts.exe

pid	process
1692	REG.exe
1472	REG.exe
2284	REG.exe
956	REG.exe
2900	REG.exe
1400	REG.exe
1752	REG.exe
2312	REG.exe
1564	REG.exe

pid	process
2784	avscan.exe
2684	hosts.exe

pid	process
2556	2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe
2784	avscan.exe
2760	avscan.exe
2684	hosts.exe
2628	hosts.exe
2704	avscan.exe
2372	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exeavscan.execmd.execmd.exehosts.execmd.exe

description	pid	process	target process
PID 2556 wrote to memory of 2900	2556	2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe	REG.exe
PID 2556 wrote to memory of 2900	2556	2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe	REG.exe
PID 2556 wrote to memory of 2900	2556	2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe	REG.exe
PID 2556 wrote to memory of 2900	2556	2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe	REG.exe
PID 2556 wrote to memory of 2784	2556	2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe	avscan.exe
PID 2556 wrote to memory of 2784	2556	2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe	avscan.exe
PID 2556 wrote to memory of 2784	2556	2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe	avscan.exe
PID 2556 wrote to memory of 2784	2556	2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe	avscan.exe
PID 2784 wrote to memory of 2760	2784	avscan.exe	avscan.exe
PID 2784 wrote to memory of 2760	2784	avscan.exe	avscan.exe
PID 2784 wrote to memory of 2760	2784	avscan.exe	avscan.exe
PID 2784 wrote to memory of 2760	2784	avscan.exe	avscan.exe
PID 2784 wrote to memory of 2848	2784	avscan.exe	cmd.exe
PID 2784 wrote to memory of 2848	2784	avscan.exe	cmd.exe
PID 2784 wrote to memory of 2848	2784	avscan.exe	cmd.exe
PID 2784 wrote to memory of 2848	2784	avscan.exe	cmd.exe
PID 2556 wrote to memory of 2748	2556	2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe	cmd.exe
PID 2556 wrote to memory of 2748	2556	2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe	cmd.exe
PID 2556 wrote to memory of 2748	2556	2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe	cmd.exe
PID 2556 wrote to memory of 2748	2556	2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe	cmd.exe
PID 2748 wrote to memory of 2684	2748	cmd.exe	hosts.exe
PID 2748 wrote to memory of 2684	2748	cmd.exe	hosts.exe
PID 2748 wrote to memory of 2684	2748	cmd.exe	hosts.exe
PID 2748 wrote to memory of 2684	2748	cmd.exe	hosts.exe
PID 2848 wrote to memory of 2628	2848	cmd.exe	hosts.exe
PID 2848 wrote to memory of 2628	2848	cmd.exe	hosts.exe
PID 2848 wrote to memory of 2628	2848	cmd.exe	hosts.exe
PID 2848 wrote to memory of 2628	2848	cmd.exe	hosts.exe
PID 2684 wrote to memory of 2704	2684	hosts.exe	avscan.exe
PID 2684 wrote to memory of 2704	2684	hosts.exe	avscan.exe
PID 2684 wrote to memory of 2704	2684	hosts.exe	avscan.exe
PID 2684 wrote to memory of 2704	2684	hosts.exe	avscan.exe
PID 2684 wrote to memory of 596	2684	hosts.exe	cmd.exe
PID 2684 wrote to memory of 596	2684	hosts.exe	cmd.exe
PID 2684 wrote to memory of 596	2684	hosts.exe	cmd.exe
PID 2684 wrote to memory of 596	2684	hosts.exe	cmd.exe
PID 2848 wrote to memory of 2052	2848	cmd.exe	WScript.exe
PID 2848 wrote to memory of 2052	2848	cmd.exe	WScript.exe
PID 2848 wrote to memory of 2052	2848	cmd.exe	WScript.exe
PID 2848 wrote to memory of 2052	2848	cmd.exe	WScript.exe
PID 2748 wrote to memory of 2528	2748	cmd.exe	WScript.exe
PID 2748 wrote to memory of 2528	2748	cmd.exe	WScript.exe
PID 2748 wrote to memory of 2528	2748	cmd.exe	WScript.exe
PID 2748 wrote to memory of 2528	2748	cmd.exe	WScript.exe
PID 596 wrote to memory of 2372	596	cmd.exe	hosts.exe
PID 596 wrote to memory of 2372	596	cmd.exe	hosts.exe
PID 596 wrote to memory of 2372	596	cmd.exe	hosts.exe
PID 596 wrote to memory of 2372	596	cmd.exe	hosts.exe
PID 596 wrote to memory of 2700	596	cmd.exe	WScript.exe
PID 596 wrote to memory of 2700	596	cmd.exe	WScript.exe
PID 596 wrote to memory of 2700	596	cmd.exe	WScript.exe
PID 596 wrote to memory of 2700	596	cmd.exe	WScript.exe
PID 2784 wrote to memory of 1400	2784	avscan.exe	REG.exe
PID 2784 wrote to memory of 1400	2784	avscan.exe	REG.exe
PID 2784 wrote to memory of 1400	2784	avscan.exe	REG.exe
PID 2784 wrote to memory of 1400	2784	avscan.exe	REG.exe
PID 2684 wrote to memory of 1752	2684	hosts.exe	REG.exe
PID 2684 wrote to memory of 1752	2684	hosts.exe	REG.exe
PID 2684 wrote to memory of 1752	2684	hosts.exe	REG.exe
PID 2684 wrote to memory of 1752	2684	hosts.exe	REG.exe
PID 2684 wrote to memory of 2312	2684	hosts.exe	REG.exe
PID 2684 wrote to memory of 2312	2684	hosts.exe	REG.exe
PID 2684 wrote to memory of 2312	2684	hosts.exe	REG.exe
PID 2684 wrote to memory of 2312	2684	hosts.exe	REG.exe

C:\Users\Admin\AppData\Local\Temp\2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2619f1bcec24666f7ba94f5077474d88_JaffaCakes118.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
2⤵
- Impair Defenses: Safe Mode Boot
- Modifies registry key
PID:2900

C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2784

C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2760

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:2848

C:\windows\hosts.exe
C:\windows\hosts.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2628

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
4⤵
- Adds policy Run key to start application
PID:2052

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
PID:1400

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
PID:1692

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
PID:1472

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
PID:1564

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2748

C:\windows\hosts.exe
C:\windows\hosts.exe
3⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2684

C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2704

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:596

C:\windows\hosts.exe
C:\windows\hosts.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2372

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
5⤵
- Adds policy Run key to start application
PID:2700

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
4⤵
- Modifies registry key
PID:1752

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
4⤵
- Modifies registry key
PID:2312

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
4⤵
- Modifies registry key
PID:2284

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
4⤵
- Modifies registry key
PID:956

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
3⤵
- Adds policy Run key to start application
PID:2528

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp
Filesize
2.4MB

MD5
46ebaa9a2201cd34ae888953117b1255

SHA1
3fe87a5838f8d090e60cbc59dca7e77b4d8a1cb3

SHA256
eaf949752d2d82348dc830552bc3e4592e28b603a65747219825ecea31a0f840

SHA512
469dbf4191322e96d5b1105eaed3b20a72e9db446567b1a6e38ad3ebd849ae08e0c438d4793cc415440e7146e2f2389211ce7c23d3ede690f0886cdfb66e17a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
Filesize
749KB

MD5
3dd39c319aa0364b25ad3d695a0339b8

SHA1
45753a3acd4610ad422b75ac1b1c2a3a227a8e36

SHA256
37fe299b5f6ef89dcb7557ba30b64c08f09d647594ab95c91b2cc6f87057a26c

SHA512
5119748d96b8af9a0b4107a9091eeca5571f8422a11ecd8ed9cf8f7a0c6eba2f8e6302fcaf5cd6880f0f213538f078b6044c42759c4e68988cc9009365034b00

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
Filesize
1.4MB

MD5
79618f896dd57bc1a06969f52c0dc595

SHA1
c8a666558528c1e6b0a448bb2ae91df42e393118

SHA256
475f8e51d233fc2d0c42b0dd22288c18512141837b035cce6b1926e16778e1be

SHA512
6ce2e9118306ee6bd10803311ab7f976fe3ed064861722ac3adb08864269cea92738994900883b42db8eb22e96d7b054be7cc8ad69a2de28e5e77000b6cc3836

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
Filesize
1.8MB

MD5
4e95a0bcce580d162ff04a48336d81de

SHA1
62f095f1c9198d40f0a6a72956145af48861527f

SHA256
366044039e7fe0c7494472dac8c2bf782cba6a7b7c8ba2e041cb744b3f578f82

SHA512
254d5051087b0f46e4888678dad7e4b892f6899484aca43b265e29191cc75a4090eaf20ab717e3555ca68838667355baa84a80fc9fecc3d6e797eef77ce1939b

Download Submit
C:\Windows\W_X_C.vbs
Filesize
195B

MD5
3866db84dfa462e410c0f1441287ebb4

SHA1
40913aea459b1cbc64340e6c6e6442c769404d98

SHA256
39adfcf7668397709c8fb37051e563530b71166d9c59e7e6957a1a2d46e4a162

SHA512
5ede5b6e876e05c9262ba682937a5ae9a55c4cacd7940b1a5ba7c622d473b19858b8df4f3fb60ca7fb4d8cf1f0cd6f3f1e84aa1c9a2697643276e4fcf4a818ec

Download Submit
C:\Windows\hosts.exe
Filesize
350KB

MD5
9706cddbe3c1c93d290851a1c4af7cb7

SHA1
2e9b2bfb095b5fb0a2a63336951aa6152bbeaa24

SHA256
874b8b7b460fb11f92cba922269036a4302fb6c6f0290bbb496b6aaf9d74f670

SHA512
d13723589492fe050c358bee0eb7f23bc79bf629e76c3a39502e591684fb8cbef07968cd2389a26ad81289cb61e791129da16f44182944be2194f3a5028a90f6

Download Submit
\??\c:\windows\W_X_C.bat
Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe
Filesize
350KB

MD5
dc6da22864eaeac09cbb7344a0937fa2

SHA1
54b86fb4c81b4794a1cc9113c31e7fb515ba0e41

SHA256
5af7c082d59a78e593bee9638d030d5e0c83e065527262857785377301d0b0c3

SHA512
44b560f10224c91cdc95bb4034491c503f60166ea7b7f7eccfee31af04a38e399bc144e5ecbd9f2918b896d96dc92d7b9a2856a245cc1bfa30bff7bdf048dec8

Download Submit
memory/2372-68-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/2748-62-0x00000000021E0000-0x00000000022E0000-memory.dmp

Filesize
1024KB

Download
memory/2748-63-0x00000000021E0000-0x00000000022E0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads