ca394b6c6ccc2cc51985bafd4649ec6447aa75b2a842ed71a8b9917d5cc943f5

Analysis

max time kernel
126s
max time network
124s
platform
windows7_x64
resource
win7v20210410
submitted
13-05-2021 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca394b6c6ccc2cc51985bafd4649ec6447aa75b2a842ed71a8b9917d5cc943f5.exe
Size

4.6MB
MD5

bc35686e5a3fa023fce77235322f5959
SHA1

31601fd24ddc04f04c0a6715863f3142b53cffe8
SHA256

ca394b6c6ccc2cc51985bafd4649ec6447aa75b2a842ed71a8b9917d5cc943f5
SHA512

47bafb1f89e3401c42d5d670059e66ef46e6805bd32162edf335299f1741b8caa165bd2dba6a777c9b4d26d0560c71a1cab47031b482e2cd7c8e2ce2e197e2b3

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exeWScript.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\MRBKYMNO = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\MRBKYMNO = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\MRBKYMNO = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

Processes:

avscan.exeavscan.exehosts.exehosts.exeavscan.exehosts.exe

pid process

1212 avscan.exe
1888 avscan.exe
1204 hosts.exe
1536 hosts.exe
292 avscan.exe
1396 hosts.exe

pid	process
1212	avscan.exe
1888	avscan.exe
1204	hosts.exe
1536	hosts.exe
292	avscan.exe
1396	hosts.exe

Loads dropped DLL 5 IoCs

Processes:

ca394b6c6ccc2cc51985bafd4649ec6447aa75b2a842ed71a8b9917d5cc943f5.exeavscan.exehosts.exe

pid	process
1088	ca394b6c6ccc2cc51985bafd4649ec6447aa75b2a842ed71a8b9917d5cc943f5.exe
1088	ca394b6c6ccc2cc51985bafd4649ec6447aa75b2a842ed71a8b9917d5cc943f5.exe
1212	avscan.exe
1204	hosts.exe
1204	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

avscan.exehosts.execa394b6c6ccc2cc51985bafd4649ec6447aa75b2a842ed71a8b9917d5cc943f5.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	ca394b6c6ccc2cc51985bafd4649ec6447aa75b2a842ed71a8b9917d5cc943f5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	ca394b6c6ccc2cc51985bafd4649ec6447aa75b2a842ed71a8b9917d5cc943f5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe

Drops file in Windows directory 5 IoCs

Processes:

ca394b6c6ccc2cc51985bafd4649ec6447aa75b2a842ed71a8b9917d5cc943f5.exeavscan.exehosts.exe

description	ioc	process
File created	C:\windows\W_X_C.vbs	ca394b6c6ccc2cc51985bafd4649ec6447aa75b2a842ed71a8b9917d5cc943f5.exe
File created	\??\c:\windows\W_X_C.bat	ca394b6c6ccc2cc51985bafd4649ec6447aa75b2a842ed71a8b9917d5cc943f5.exe
File opened for modification	C:\Windows\hosts.exe	ca394b6c6ccc2cc51985bafd4649ec6447aa75b2a842ed71a8b9917d5cc943f5.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

REG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exe

pid process

1996 REG.exe
1540 REG.exe
1448 REG.exe
536 REG.exe
1888 REG.exe
1384 REG.exe
1300 REG.exe
472 REG.exe
2032 REG.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

avscan.exehosts.exe

pid process

1212 avscan.exe
1204 hosts.exe

pid	process
1996	REG.exe
1540	REG.exe
1448	REG.exe
536	REG.exe
1888	REG.exe
1384	REG.exe
1300	REG.exe
472	REG.exe
2032	REG.exe

pid	process
1212	avscan.exe
1204	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

ca394b6c6ccc2cc51985bafd4649ec6447aa75b2a842ed71a8b9917d5cc943f5.exeavscan.exeavscan.exehosts.exehosts.exeavscan.exehosts.exe

pid	process
1088	ca394b6c6ccc2cc51985bafd4649ec6447aa75b2a842ed71a8b9917d5cc943f5.exe
1212	avscan.exe
1888	avscan.exe
1536	hosts.exe
1204	hosts.exe
292	avscan.exe
1396	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ca394b6c6ccc2cc51985bafd4649ec6447aa75b2a842ed71a8b9917d5cc943f5.exeavscan.execmd.execmd.exehosts.execmd.exe

description	pid	process	target process
PID 1088 wrote to memory of 1996	1088	ca394b6c6ccc2cc51985bafd4649ec6447aa75b2a842ed71a8b9917d5cc943f5.exe	REG.exe
PID 1088 wrote to memory of 1996	1088	ca394b6c6ccc2cc51985bafd4649ec6447aa75b2a842ed71a8b9917d5cc943f5.exe	REG.exe
PID 1088 wrote to memory of 1996	1088	ca394b6c6ccc2cc51985bafd4649ec6447aa75b2a842ed71a8b9917d5cc943f5.exe	REG.exe
PID 1088 wrote to memory of 1996	1088	ca394b6c6ccc2cc51985bafd4649ec6447aa75b2a842ed71a8b9917d5cc943f5.exe	REG.exe
PID 1088 wrote to memory of 1212	1088	ca394b6c6ccc2cc51985bafd4649ec6447aa75b2a842ed71a8b9917d5cc943f5.exe	avscan.exe
PID 1088 wrote to memory of 1212	1088	ca394b6c6ccc2cc51985bafd4649ec6447aa75b2a842ed71a8b9917d5cc943f5.exe	avscan.exe
PID 1088 wrote to memory of 1212	1088	ca394b6c6ccc2cc51985bafd4649ec6447aa75b2a842ed71a8b9917d5cc943f5.exe	avscan.exe
PID 1088 wrote to memory of 1212	1088	ca394b6c6ccc2cc51985bafd4649ec6447aa75b2a842ed71a8b9917d5cc943f5.exe	avscan.exe
PID 1212 wrote to memory of 1888	1212	avscan.exe	avscan.exe
PID 1212 wrote to memory of 1888	1212	avscan.exe	avscan.exe
PID 1212 wrote to memory of 1888	1212	avscan.exe	avscan.exe
PID 1212 wrote to memory of 1888	1212	avscan.exe	avscan.exe
PID 1212 wrote to memory of 1704	1212	avscan.exe	cmd.exe
PID 1212 wrote to memory of 1704	1212	avscan.exe	cmd.exe
PID 1212 wrote to memory of 1704	1212	avscan.exe	cmd.exe
PID 1212 wrote to memory of 1704	1212	avscan.exe	cmd.exe
PID 1088 wrote to memory of 1384	1088	ca394b6c6ccc2cc51985bafd4649ec6447aa75b2a842ed71a8b9917d5cc943f5.exe	cmd.exe
PID 1088 wrote to memory of 1384	1088	ca394b6c6ccc2cc51985bafd4649ec6447aa75b2a842ed71a8b9917d5cc943f5.exe	cmd.exe
PID 1088 wrote to memory of 1384	1088	ca394b6c6ccc2cc51985bafd4649ec6447aa75b2a842ed71a8b9917d5cc943f5.exe	cmd.exe
PID 1088 wrote to memory of 1384	1088	ca394b6c6ccc2cc51985bafd4649ec6447aa75b2a842ed71a8b9917d5cc943f5.exe	cmd.exe
PID 1704 wrote to memory of 1204	1704	cmd.exe	hosts.exe
PID 1704 wrote to memory of 1204	1704	cmd.exe	hosts.exe
PID 1704 wrote to memory of 1204	1704	cmd.exe	hosts.exe
PID 1704 wrote to memory of 1204	1704	cmd.exe	hosts.exe
PID 1384 wrote to memory of 1536	1384	cmd.exe	hosts.exe
PID 1384 wrote to memory of 1536	1384	cmd.exe	hosts.exe
PID 1384 wrote to memory of 1536	1384	cmd.exe	hosts.exe
PID 1384 wrote to memory of 1536	1384	cmd.exe	hosts.exe
PID 1384 wrote to memory of 524	1384	cmd.exe	WScript.exe
PID 1384 wrote to memory of 524	1384	cmd.exe	WScript.exe
PID 1384 wrote to memory of 524	1384	cmd.exe	WScript.exe
PID 1384 wrote to memory of 524	1384	cmd.exe	WScript.exe
PID 1704 wrote to memory of 332	1704	cmd.exe	WScript.exe
PID 1704 wrote to memory of 332	1704	cmd.exe	WScript.exe
PID 1704 wrote to memory of 332	1704	cmd.exe	WScript.exe
PID 1704 wrote to memory of 332	1704	cmd.exe	WScript.exe
PID 1204 wrote to memory of 292	1204	hosts.exe	avscan.exe
PID 1204 wrote to memory of 292	1204	hosts.exe	avscan.exe
PID 1204 wrote to memory of 292	1204	hosts.exe	avscan.exe
PID 1204 wrote to memory of 292	1204	hosts.exe	avscan.exe
PID 1204 wrote to memory of 1836	1204	hosts.exe	cmd.exe
PID 1204 wrote to memory of 1836	1204	hosts.exe	cmd.exe
PID 1204 wrote to memory of 1836	1204	hosts.exe	cmd.exe
PID 1204 wrote to memory of 1836	1204	hosts.exe	cmd.exe
PID 1836 wrote to memory of 1396	1836	cmd.exe	hosts.exe
PID 1836 wrote to memory of 1396	1836	cmd.exe	hosts.exe
PID 1836 wrote to memory of 1396	1836	cmd.exe	hosts.exe
PID 1836 wrote to memory of 1396	1836	cmd.exe	hosts.exe
PID 1836 wrote to memory of 1584	1836	cmd.exe	WScript.exe
PID 1836 wrote to memory of 1584	1836	cmd.exe	WScript.exe
PID 1836 wrote to memory of 1584	1836	cmd.exe	WScript.exe
PID 1836 wrote to memory of 1584	1836	cmd.exe	WScript.exe
PID 1212 wrote to memory of 1540	1212	avscan.exe	REG.exe
PID 1212 wrote to memory of 1540	1212	avscan.exe	REG.exe
PID 1212 wrote to memory of 1540	1212	avscan.exe	REG.exe
PID 1212 wrote to memory of 1540	1212	avscan.exe	REG.exe
PID 1204 wrote to memory of 1384	1204	hosts.exe	REG.exe
PID 1204 wrote to memory of 1384	1204	hosts.exe	REG.exe
PID 1204 wrote to memory of 1384	1204	hosts.exe	REG.exe
PID 1204 wrote to memory of 1384	1204	hosts.exe	REG.exe
PID 1212 wrote to memory of 1300	1212	avscan.exe	REG.exe
PID 1212 wrote to memory of 1300	1212	avscan.exe	REG.exe
PID 1212 wrote to memory of 1300	1212	avscan.exe	REG.exe
PID 1212 wrote to memory of 1300	1212	avscan.exe	REG.exe

C:\Users\Admin\AppData\Local\Temp\ca394b6c6ccc2cc51985bafd4649ec6447aa75b2a842ed71a8b9917d5cc943f5.exe
"C:\Users\Admin\AppData\Local\Temp\ca394b6c6ccc2cc51985bafd4649ec6447aa75b2a842ed71a8b9917d5cc943f5.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
2⤵
- Modifies registry key
PID:1996

C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1888

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1704

C:\windows\hosts.exe
C:\windows\hosts.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1204

C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:292

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
5⤵
- Suspicious use of WriteProcessMemory
PID:1836

C:\windows\hosts.exe
C:\windows\hosts.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1396

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
6⤵
- Adds policy Run key to start application
PID:1584

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
5⤵
- Modifies registry key
PID:1384

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
5⤵
- Modifies registry key
PID:1448

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
5⤵
- Modifies registry key
PID:2032

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
5⤵
- Modifies registry key
PID:1888

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
4⤵
- Adds policy Run key to start application
PID:332

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
PID:1540

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
PID:1300

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
PID:472

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
PID:536

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1384

C:\windows\hosts.exe
C:\windows\hosts.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1536

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
3⤵
- Adds policy Run key to start application
PID:524

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp
MD5
2465362b1a4e993a16ff98d1e0057595

SHA1
278d766440bceb935577c2324a1c6984913ac3f0

SHA256
c0fde65617e2ddd454b513a49b36deb6bef878af94c1ffac924178883d7b356b

SHA512
662a2803a8c29a44af398f111d32fe6f1c512fc6235ac268380841d8f4cc7e643d3e8be73055be9910f91954d0c2ddbf52ec24e9d9765de646f61ab070031aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
MD5
fe77d5359368a0b3fc55845a4a4b4435

SHA1
078931c886f1fef60a231af1f4bae38591fc6c73

SHA256
6d33564baad0b71f9bfce1437637427adb024afd83b35ae2a6878f5d5d5355cf

SHA512
1cbbddd7a6cf33cdaa107ad52c9aded6580b01de273963d4f3dbbc074973be50de5eac52aa8534b20f4aecdfdc30e7ce978e5608ee4ca2c8a8dda6d1fef49173

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
MD5
aab063f1b4c5923897076807d30e5548

SHA1
4e89fc06b78c0af02a3e70fe800121649bfa8b3a

SHA256
50fef07bf5b33fe8003ac804fba7e57207efb6d6688a785707cda8c99afd0c71

SHA512
a54fdbeee685d6070bafed1b58686056ff10e295f661ae5d0292d308b2a7509c75b1a4c7b841600ef8f20adf07f6690fbf641848c3cc39fd7e19e2568eebaf33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
MD5
24b58e7a85967120a1c2185c20262b88

SHA1
4a98a3e93a7976400a6b641e268f28170f9f68db

SHA256
7edad2ccdcf56830a4652f3a07ceefb55db66169a605063f3280ae2e44f7588f

SHA512
5dd644154763c803a7efd5bfc305cdee1ea398245c92bc365176dd79743f5001ebc285c6c9735c46e50ab4a8318b2abe7aea5862ec5933df77b2bae0d88e3176

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
MD5
fc16559ded8559f1218ad1a4de2e3f2e

SHA1
2c3ceedf3296fb1531b77860a87d7f09678b7ed4

SHA256
5c39847876391def2c6a6c68eb61924f49a3dc2ba83a0d7a9b17e3ca4bdae14c

SHA512
67ba046dc748cf3bb1d4401876a19bb60c36a93368f74d3924297f696b977428f64be97aed1d1459fa04ece42ccdfdb8b5d6f8141cc27fc08049753503198244

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
MD5
db124fbbdd001a9a321d2f51e5fa827f

SHA1
7ca018ecf29a254033b7415b6e8749b819d99048

SHA256
cfc5a2e61f9f9c24d1ad18cf07600ca73c47c3b583d632eb30108edecd2cd99d

SHA512
86575df731cd447fb60d189800dc0e4703079cbd88dd2994854ac1722df8938c73cfb034fbea10ad6f09927f2d9761ecb94b8bccb22be7c376b7be381320db96

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
MD5
def8dc9dc43d8a16a070a37b3b17bd66

SHA1
98599bdd3fe20c41ef786aad2cc200962c2adb58

SHA256
a4e7c09e781454a9ee613238c22fdd82c83f347872e59dcf551f21dfda91d4e1

SHA512
6c1c3882aae748f4d0f74e699261c5c7cd9b03e158d61566c7b47353bdfe2c37a77040e75ffe6bfa35395b47a70582d3bf1ea17aa69c70f282a0c2b2c8ab40fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe
MD5
23b329843857a13e795a0cb1ad5870e6

SHA1
8a7a558d90425f17432c039b3ae5c532d5ae6120

SHA256
8ded11ae9f7b5e2d698defd224c1abe7b3ec88d01a0fe875207300b58f386847

SHA512
a6a16434fa5ed5985ca975ac0c1618318e083f490844454049ddf1bcd2067917e0e2f25339251f0eb396bc1999c0a18eac8e8604e48616b2fbff4f34e5e5a5da

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe
MD5
23b329843857a13e795a0cb1ad5870e6

SHA1
8a7a558d90425f17432c039b3ae5c532d5ae6120

SHA256
8ded11ae9f7b5e2d698defd224c1abe7b3ec88d01a0fe875207300b58f386847

SHA512
a6a16434fa5ed5985ca975ac0c1618318e083f490844454049ddf1bcd2067917e0e2f25339251f0eb396bc1999c0a18eac8e8604e48616b2fbff4f34e5e5a5da

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe
MD5
23b329843857a13e795a0cb1ad5870e6

SHA1
8a7a558d90425f17432c039b3ae5c532d5ae6120

SHA256
8ded11ae9f7b5e2d698defd224c1abe7b3ec88d01a0fe875207300b58f386847

SHA512
a6a16434fa5ed5985ca975ac0c1618318e083f490844454049ddf1bcd2067917e0e2f25339251f0eb396bc1999c0a18eac8e8604e48616b2fbff4f34e5e5a5da

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe
MD5
23b329843857a13e795a0cb1ad5870e6

SHA1
8a7a558d90425f17432c039b3ae5c532d5ae6120

SHA256
8ded11ae9f7b5e2d698defd224c1abe7b3ec88d01a0fe875207300b58f386847

SHA512
a6a16434fa5ed5985ca975ac0c1618318e083f490844454049ddf1bcd2067917e0e2f25339251f0eb396bc1999c0a18eac8e8604e48616b2fbff4f34e5e5a5da

Download Submit
C:\Windows\W_X_C.vbs
MD5
9108c0449fe9e3514bbf43f1e50b5e3c

SHA1
1adc087f611d8972c59fa6ca0ec1096987211364

SHA256
a6e47d6fda384011688df584287255a418518bc3794b329abc78b783601806a0

SHA512
8cf7daf91ebb644210ffc80d6cf9dad9a8228db2ed1c6ad2ec925ce1af89bb88222537c64b22855c071cb936a6af2c1ee1c73a75a16a7a75ab9fadeb7842b8a7

Download Submit
C:\Windows\hosts.exe
MD5
85f621cb86e6c1f80ead1eb1145df4f6

SHA1
383d3b53028be4ff295a5499da1e55292935bc4e

SHA256
0b3032b049190610e8b288a54dc9d923ec4dae353b4e6c32a6fe693fe52a80c1

SHA512
d56043f1a1d6c870a7892f1f2e2aa23cdf23a3fe439ef2cac73ab461117cb58bf0d8cb8f71758e19509222bb15610b4937ca5fe13d3e056d8667d8145b34f909

Download Submit
C:\Windows\hosts.exe
MD5
85f621cb86e6c1f80ead1eb1145df4f6

SHA1
383d3b53028be4ff295a5499da1e55292935bc4e

SHA256
0b3032b049190610e8b288a54dc9d923ec4dae353b4e6c32a6fe693fe52a80c1

SHA512
d56043f1a1d6c870a7892f1f2e2aa23cdf23a3fe439ef2cac73ab461117cb58bf0d8cb8f71758e19509222bb15610b4937ca5fe13d3e056d8667d8145b34f909

Download Submit
C:\Windows\hosts.exe
MD5
85f621cb86e6c1f80ead1eb1145df4f6

SHA1
383d3b53028be4ff295a5499da1e55292935bc4e

SHA256
0b3032b049190610e8b288a54dc9d923ec4dae353b4e6c32a6fe693fe52a80c1

SHA512
d56043f1a1d6c870a7892f1f2e2aa23cdf23a3fe439ef2cac73ab461117cb58bf0d8cb8f71758e19509222bb15610b4937ca5fe13d3e056d8667d8145b34f909

Download Submit
C:\Windows\hosts.exe
MD5
85f621cb86e6c1f80ead1eb1145df4f6

SHA1
383d3b53028be4ff295a5499da1e55292935bc4e

SHA256
0b3032b049190610e8b288a54dc9d923ec4dae353b4e6c32a6fe693fe52a80c1

SHA512
d56043f1a1d6c870a7892f1f2e2aa23cdf23a3fe439ef2cac73ab461117cb58bf0d8cb8f71758e19509222bb15610b4937ca5fe13d3e056d8667d8145b34f909

Download Submit
C:\windows\hosts.exe
MD5
85f621cb86e6c1f80ead1eb1145df4f6

SHA1
383d3b53028be4ff295a5499da1e55292935bc4e

SHA256
0b3032b049190610e8b288a54dc9d923ec4dae353b4e6c32a6fe693fe52a80c1

SHA512
d56043f1a1d6c870a7892f1f2e2aa23cdf23a3fe439ef2cac73ab461117cb58bf0d8cb8f71758e19509222bb15610b4937ca5fe13d3e056d8667d8145b34f909

Download Submit
\??\c:\windows\W_X_C.bat
MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe
MD5
23b329843857a13e795a0cb1ad5870e6

SHA1
8a7a558d90425f17432c039b3ae5c532d5ae6120

SHA256
8ded11ae9f7b5e2d698defd224c1abe7b3ec88d01a0fe875207300b58f386847

SHA512
a6a16434fa5ed5985ca975ac0c1618318e083f490844454049ddf1bcd2067917e0e2f25339251f0eb396bc1999c0a18eac8e8604e48616b2fbff4f34e5e5a5da

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe
MD5
23b329843857a13e795a0cb1ad5870e6

SHA1
8a7a558d90425f17432c039b3ae5c532d5ae6120

SHA256
8ded11ae9f7b5e2d698defd224c1abe7b3ec88d01a0fe875207300b58f386847

SHA512
a6a16434fa5ed5985ca975ac0c1618318e083f490844454049ddf1bcd2067917e0e2f25339251f0eb396bc1999c0a18eac8e8604e48616b2fbff4f34e5e5a5da

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe
MD5
23b329843857a13e795a0cb1ad5870e6

SHA1
8a7a558d90425f17432c039b3ae5c532d5ae6120

SHA256
8ded11ae9f7b5e2d698defd224c1abe7b3ec88d01a0fe875207300b58f386847

SHA512
a6a16434fa5ed5985ca975ac0c1618318e083f490844454049ddf1bcd2067917e0e2f25339251f0eb396bc1999c0a18eac8e8604e48616b2fbff4f34e5e5a5da

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe
MD5
23b329843857a13e795a0cb1ad5870e6

SHA1
8a7a558d90425f17432c039b3ae5c532d5ae6120

SHA256
8ded11ae9f7b5e2d698defd224c1abe7b3ec88d01a0fe875207300b58f386847

SHA512
a6a16434fa5ed5985ca975ac0c1618318e083f490844454049ddf1bcd2067917e0e2f25339251f0eb396bc1999c0a18eac8e8604e48616b2fbff4f34e5e5a5da

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe
MD5
23b329843857a13e795a0cb1ad5870e6

SHA1
8a7a558d90425f17432c039b3ae5c532d5ae6120

SHA256
8ded11ae9f7b5e2d698defd224c1abe7b3ec88d01a0fe875207300b58f386847

SHA512
a6a16434fa5ed5985ca975ac0c1618318e083f490844454049ddf1bcd2067917e0e2f25339251f0eb396bc1999c0a18eac8e8604e48616b2fbff4f34e5e5a5da

Download Submit
memory/292-119-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/292-115-0x0000000000000000-mapping.dmp

Download
memory/332-108-0x0000000000000000-mapping.dmp

Download
memory/472-147-0x0000000000000000-mapping.dmp

Download
memory/524-107-0x0000000000000000-mapping.dmp

Download
memory/536-151-0x0000000000000000-mapping.dmp

Download
memory/1088-61-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1088-65-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download
memory/1088-71-0x0000000000401000-0x000000000041D000-memory.dmp

Filesize
112KB

Download
memory/1088-60-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/1088-62-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1204-96-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1204-93-0x0000000000000000-mapping.dmp

Download
memory/1212-69-0x0000000000000000-mapping.dmp

Download
memory/1212-72-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1300-143-0x0000000000000000-mapping.dmp

Download
memory/1384-91-0x0000000000000000-mapping.dmp

Download
memory/1384-141-0x0000000000000000-mapping.dmp

Download
memory/1396-130-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1396-127-0x0000000000000000-mapping.dmp

Download
memory/1448-145-0x0000000000000000-mapping.dmp

Download
memory/1536-101-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1536-97-0x0000000000000000-mapping.dmp

Download
memory/1540-139-0x0000000000000000-mapping.dmp

Download
memory/1584-136-0x0000000000000000-mapping.dmp

Download
memory/1704-89-0x0000000000000000-mapping.dmp

Download
memory/1836-126-0x0000000000000000-mapping.dmp

Download
memory/1888-82-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1888-153-0x0000000000000000-mapping.dmp

Download
memory/1888-80-0x0000000000000000-mapping.dmp

Download
memory/1996-66-0x0000000000000000-mapping.dmp

Download
memory/2032-149-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads