f48a7dd16b186a612101118825d9149e5bdbdd73686c30a8fc05352a3e20bcb3

Analysis

max time kernel
128s
max time network
25s
platform
windows7_x64
resource
win7v20210408
submitted
13-05-2021 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f48a7dd16b186a612101118825d9149e5bdbdd73686c30a8fc05352a3e20bcb3.exe
Size

414KB
MD5

bf1583e63f772d707c116cc80c76e3d7
SHA1

7442f1317aeb7fdd6da7274e8abe115f20a5958b
SHA256

f48a7dd16b186a612101118825d9149e5bdbdd73686c30a8fc05352a3e20bcb3
SHA512

b0770e6edeebd12e19a6facb14b7537a88ecfbd5f670cf80a6c4a55ff5bb3f9268e9c7f786b2c6aaffecec663a3b457e8aefbfcc24d05fbec0d542e17d4e04e7

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exeWScript.exeWScript.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\QWOCTUPM = "W_X_C.bat"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\QWOCTUPM = "W_X_C.bat"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\QWOCTUPM = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe

Executes dropped EXE 6 IoCs

Processes:

avscan.exeavscan.exehosts.exehosts.exeavscan.exehosts.exe

pid process

780 avscan.exe
1656 avscan.exe
1104 hosts.exe
848 hosts.exe
1336 avscan.exe
2004 hosts.exe

pid	process
780	avscan.exe
1656	avscan.exe
1104	hosts.exe
848	hosts.exe
1336	avscan.exe
2004	hosts.exe

Loads dropped DLL 5 IoCs

Processes:

f48a7dd16b186a612101118825d9149e5bdbdd73686c30a8fc05352a3e20bcb3.exeavscan.exehosts.exe

pid	process
756	f48a7dd16b186a612101118825d9149e5bdbdd73686c30a8fc05352a3e20bcb3.exe
756	f48a7dd16b186a612101118825d9149e5bdbdd73686c30a8fc05352a3e20bcb3.exe
780	avscan.exe
1104	hosts.exe
1104	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

hosts.exef48a7dd16b186a612101118825d9149e5bdbdd73686c30a8fc05352a3e20bcb3.exeavscan.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	f48a7dd16b186a612101118825d9149e5bdbdd73686c30a8fc05352a3e20bcb3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	f48a7dd16b186a612101118825d9149e5bdbdd73686c30a8fc05352a3e20bcb3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe

Drops file in Windows directory 5 IoCs

Processes:

f48a7dd16b186a612101118825d9149e5bdbdd73686c30a8fc05352a3e20bcb3.exeavscan.exehosts.exe

description	ioc	process
File opened for modification	C:\Windows\hosts.exe	f48a7dd16b186a612101118825d9149e5bdbdd73686c30a8fc05352a3e20bcb3.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	f48a7dd16b186a612101118825d9149e5bdbdd73686c30a8fc05352a3e20bcb3.exe
File created	\??\c:\windows\W_X_C.bat	f48a7dd16b186a612101118825d9149e5bdbdd73686c30a8fc05352a3e20bcb3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

REG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exe

pid process

1168 REG.exe
1432 REG.exe
1720 REG.exe
1524 REG.exe
1884 REG.exe
1340 REG.exe
1336 REG.exe
768 REG.exe
1708 REG.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

avscan.exehosts.exe

pid process

780 avscan.exe
1104 hosts.exe

pid	process
1168	REG.exe
1432	REG.exe
1720	REG.exe
1524	REG.exe
1884	REG.exe
1340	REG.exe
1336	REG.exe
768	REG.exe
1708	REG.exe

pid	process
780	avscan.exe
1104	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

f48a7dd16b186a612101118825d9149e5bdbdd73686c30a8fc05352a3e20bcb3.exeavscan.exeavscan.exehosts.exehosts.exeavscan.exehosts.exe

pid	process
756	f48a7dd16b186a612101118825d9149e5bdbdd73686c30a8fc05352a3e20bcb3.exe
780	avscan.exe
1656	avscan.exe
1104	hosts.exe
848	hosts.exe
1336	avscan.exe
2004	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f48a7dd16b186a612101118825d9149e5bdbdd73686c30a8fc05352a3e20bcb3.exeavscan.execmd.execmd.exehosts.execmd.exe

description	pid	process	target process
PID 756 wrote to memory of 1168	756	f48a7dd16b186a612101118825d9149e5bdbdd73686c30a8fc05352a3e20bcb3.exe	REG.exe
PID 756 wrote to memory of 1168	756	f48a7dd16b186a612101118825d9149e5bdbdd73686c30a8fc05352a3e20bcb3.exe	REG.exe
PID 756 wrote to memory of 1168	756	f48a7dd16b186a612101118825d9149e5bdbdd73686c30a8fc05352a3e20bcb3.exe	REG.exe
PID 756 wrote to memory of 1168	756	f48a7dd16b186a612101118825d9149e5bdbdd73686c30a8fc05352a3e20bcb3.exe	REG.exe
PID 756 wrote to memory of 780	756	f48a7dd16b186a612101118825d9149e5bdbdd73686c30a8fc05352a3e20bcb3.exe	avscan.exe
PID 756 wrote to memory of 780	756	f48a7dd16b186a612101118825d9149e5bdbdd73686c30a8fc05352a3e20bcb3.exe	avscan.exe
PID 756 wrote to memory of 780	756	f48a7dd16b186a612101118825d9149e5bdbdd73686c30a8fc05352a3e20bcb3.exe	avscan.exe
PID 756 wrote to memory of 780	756	f48a7dd16b186a612101118825d9149e5bdbdd73686c30a8fc05352a3e20bcb3.exe	avscan.exe
PID 780 wrote to memory of 1656	780	avscan.exe	avscan.exe
PID 780 wrote to memory of 1656	780	avscan.exe	avscan.exe
PID 780 wrote to memory of 1656	780	avscan.exe	avscan.exe
PID 780 wrote to memory of 1656	780	avscan.exe	avscan.exe
PID 780 wrote to memory of 1740	780	avscan.exe	cmd.exe
PID 780 wrote to memory of 1740	780	avscan.exe	cmd.exe
PID 780 wrote to memory of 1740	780	avscan.exe	cmd.exe
PID 780 wrote to memory of 1740	780	avscan.exe	cmd.exe
PID 756 wrote to memory of 1780	756	f48a7dd16b186a612101118825d9149e5bdbdd73686c30a8fc05352a3e20bcb3.exe	cmd.exe
PID 756 wrote to memory of 1780	756	f48a7dd16b186a612101118825d9149e5bdbdd73686c30a8fc05352a3e20bcb3.exe	cmd.exe
PID 756 wrote to memory of 1780	756	f48a7dd16b186a612101118825d9149e5bdbdd73686c30a8fc05352a3e20bcb3.exe	cmd.exe
PID 756 wrote to memory of 1780	756	f48a7dd16b186a612101118825d9149e5bdbdd73686c30a8fc05352a3e20bcb3.exe	cmd.exe
PID 1740 wrote to memory of 848	1740	cmd.exe	hosts.exe
PID 1780 wrote to memory of 1104	1780	cmd.exe	hosts.exe
PID 1780 wrote to memory of 1104	1780	cmd.exe	hosts.exe
PID 1780 wrote to memory of 1104	1780	cmd.exe	hosts.exe
PID 1780 wrote to memory of 1104	1780	cmd.exe	hosts.exe
PID 1740 wrote to memory of 848	1740	cmd.exe	hosts.exe
PID 1740 wrote to memory of 848	1740	cmd.exe	hosts.exe
PID 1740 wrote to memory of 848	1740	cmd.exe	hosts.exe
PID 1104 wrote to memory of 1336	1104	hosts.exe	avscan.exe
PID 1104 wrote to memory of 1336	1104	hosts.exe	avscan.exe
PID 1104 wrote to memory of 1336	1104	hosts.exe	avscan.exe
PID 1104 wrote to memory of 1336	1104	hosts.exe	avscan.exe
PID 1780 wrote to memory of 1844	1780	cmd.exe	WScript.exe
PID 1780 wrote to memory of 1844	1780	cmd.exe	WScript.exe
PID 1780 wrote to memory of 1844	1780	cmd.exe	WScript.exe
PID 1780 wrote to memory of 1844	1780	cmd.exe	WScript.exe
PID 1740 wrote to memory of 1548	1740	cmd.exe	WScript.exe
PID 1740 wrote to memory of 1548	1740	cmd.exe	WScript.exe
PID 1740 wrote to memory of 1548	1740	cmd.exe	WScript.exe
PID 1740 wrote to memory of 1548	1740	cmd.exe	WScript.exe
PID 1104 wrote to memory of 1020	1104	hosts.exe	cmd.exe
PID 1104 wrote to memory of 1020	1104	hosts.exe	cmd.exe
PID 1104 wrote to memory of 1020	1104	hosts.exe	cmd.exe
PID 1104 wrote to memory of 1020	1104	hosts.exe	cmd.exe
PID 1020 wrote to memory of 2004	1020	cmd.exe	hosts.exe
PID 1020 wrote to memory of 2004	1020	cmd.exe	hosts.exe
PID 1020 wrote to memory of 2004	1020	cmd.exe	hosts.exe
PID 1020 wrote to memory of 2004	1020	cmd.exe	hosts.exe
PID 1020 wrote to memory of 2028	1020	cmd.exe	WScript.exe
PID 1020 wrote to memory of 2028	1020	cmd.exe	WScript.exe
PID 1020 wrote to memory of 2028	1020	cmd.exe	WScript.exe
PID 1020 wrote to memory of 2028	1020	cmd.exe	WScript.exe
PID 780 wrote to memory of 1884	780	avscan.exe	REG.exe
PID 780 wrote to memory of 1884	780	avscan.exe	REG.exe
PID 780 wrote to memory of 1884	780	avscan.exe	REG.exe
PID 780 wrote to memory of 1884	780	avscan.exe	REG.exe
PID 1104 wrote to memory of 1340	1104	hosts.exe	REG.exe
PID 1104 wrote to memory of 1340	1104	hosts.exe	REG.exe
PID 1104 wrote to memory of 1340	1104	hosts.exe	REG.exe
PID 1104 wrote to memory of 1340	1104	hosts.exe	REG.exe
PID 780 wrote to memory of 1336	780	avscan.exe	REG.exe
PID 780 wrote to memory of 1336	780	avscan.exe	REG.exe
PID 780 wrote to memory of 1336	780	avscan.exe	REG.exe
PID 780 wrote to memory of 1336	780	avscan.exe	REG.exe

C:\Users\Admin\AppData\Local\Temp\f48a7dd16b186a612101118825d9149e5bdbdd73686c30a8fc05352a3e20bcb3.exe
"C:\Users\Admin\AppData\Local\Temp\f48a7dd16b186a612101118825d9149e5bdbdd73686c30a8fc05352a3e20bcb3.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
2⤵
- Modifies registry key
PID:1168

C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:780

C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1656

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1740

C:\windows\hosts.exe
C:\windows\hosts.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:848

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
4⤵
- Adds policy Run key to start application
PID:1548

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
PID:1884

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
PID:1336

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
PID:1720

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
PID:768

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1780

C:\windows\hosts.exe
C:\windows\hosts.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1104

C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1336

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:1020

C:\windows\hosts.exe
C:\windows\hosts.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2004

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
5⤵
- Adds policy Run key to start application
PID:2028

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
4⤵
- Modifies registry key
PID:1340

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
4⤵
- Modifies registry key
PID:1432

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
4⤵
- Modifies registry key
PID:1524

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
4⤵
- Modifies registry key
PID:1708

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
3⤵
- Adds policy Run key to start application
PID:1844

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp
MD5
3a31a03b0fe2814063c5a846dfe4cd42

SHA1
4940a6f95955716072452ec9d688c1fd46c64aaa

SHA256
71778cdb17ad6a0588d2f0eaf376b80c3cd8eeff2e3eba308327306cde1a320c

SHA512
1ef5dd08203b13bd84ad3dd38fa2ed16e947ade68b34d7de9ea19ef6a30cabb55807f6fc1ffb364a5394003cec656819fb6040fb7c24807571e11b2d77baa542

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
MD5
8383e2e67e4bbcddb432011702496516

SHA1
f998b5344f0a04ac084d2844e9fa0e784e00815b

SHA256
4cdd3f62bad89532f440822a81c960e5db8d3bdab2ac1f6e1c29a45654f6a93a

SHA512
df3c0db5398b19e5cb06983cd46068acbea774c3942fa59f8aabaafce14fdd1208add4e157a9d664688bf52674fb5c4265345c519702a100bfe92cbc88f205d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
MD5
e1afdce322b68dd362267cd95e0a7c62

SHA1
fd1a085a9ca7b0a2ada92d4911305a811b16152d

SHA256
65908d6c1328f422f49dacd30868685c9e0cedce3e9ccff800559fa5128e1bb0

SHA512
1b191bd281cca34d2471fa7c48f23f8ca9a7b02d97546cd0e822d491319a5082059485154d887c261cb6c13f5ec6a4263361282f89e939218dbcf93ee9ee3a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
MD5
13ef1d35fee628fc0f9a27c101007992

SHA1
375e88b809c4fe81548278f293e26ad4019c3fbd

SHA256
d362ec8e11a2ecc482e514a7a2bc23ed86bb4ea193ff6eb1ea850c4402530af5

SHA512
748db8ff3dbb7039df1c76e85141e58b73c6f8c3b86b16e1cff4e48a79be7dbd448bb7fe297c3e63b264ea59587a67dcbbcf9f3629b1909afcb39f2995213c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
MD5
1132e361bf16351512c5a5284ec36948

SHA1
f61956e243a73f1748ced2acf9cfa93132232a3b

SHA256
196825a18612c395a9f930a31aeed98355f921f3e6b6b54b53456fa8e75bea6b

SHA512
7de1f8b1fd6f40faa269c2ff4697b51f33356fbf055ef5109111419f71082f1067ca173a33ec4526e9123ac8ab5467e364047298e96c0c1493e38dfb515650bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
MD5
8ddaabe3f19d736cd56e3f0dfad84a56

SHA1
7dd1268e0508c57d8cb9c2da13457d1dc9cffa2b

SHA256
207d7f6dc2575bd38b216e76d884b8d38d7bd7655603adda5ad9aecdd6148b31

SHA512
4770c6688312b8fb3224ff9394ea60944bc1a353669bc8d6d064be63c36933078bff4ae786ee8b8004414fbd520bbdb1ffe674725f523ad2c18ece0aecd141b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
MD5
d0441194abf18fea3a1918079daa6800

SHA1
cd1d2eade1f1d2bad4d54e4c3c093f1f9fd38521

SHA256
33a99dad92073bf8d5b02eb8ff28eaf758cd10df71295594f5908df695edf654

SHA512
a22377d7d6b06d58ffdf37581ef88f4043125cc10c151848465db0a55824fa4f2eb2cf63f1bc7faa93b96712054ec0a97ae15f584c18805054c66aa5ae60377c

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe
MD5
ca0a82a7661e3eccbfe0d904aef2e514

SHA1
77e39cc6ad3a33efe75092d53bbf5ccc18ad21fa

SHA256
b55cef85d28e92e9b46ce3b8e9d3a20e6c8e63365223a48be198bcb174af9dce

SHA512
6a4239796592b9616b6146426e6561b41f4967f306a071e622cdcb83e1801a0871591fced35660a66a27c45ed837bbb7fe731991ac2c25e0538d4bccca6406f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe
MD5
ca0a82a7661e3eccbfe0d904aef2e514

SHA1
77e39cc6ad3a33efe75092d53bbf5ccc18ad21fa

SHA256
b55cef85d28e92e9b46ce3b8e9d3a20e6c8e63365223a48be198bcb174af9dce

SHA512
6a4239796592b9616b6146426e6561b41f4967f306a071e622cdcb83e1801a0871591fced35660a66a27c45ed837bbb7fe731991ac2c25e0538d4bccca6406f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe
MD5
ca0a82a7661e3eccbfe0d904aef2e514

SHA1
77e39cc6ad3a33efe75092d53bbf5ccc18ad21fa

SHA256
b55cef85d28e92e9b46ce3b8e9d3a20e6c8e63365223a48be198bcb174af9dce

SHA512
6a4239796592b9616b6146426e6561b41f4967f306a071e622cdcb83e1801a0871591fced35660a66a27c45ed837bbb7fe731991ac2c25e0538d4bccca6406f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe
MD5
ca0a82a7661e3eccbfe0d904aef2e514

SHA1
77e39cc6ad3a33efe75092d53bbf5ccc18ad21fa

SHA256
b55cef85d28e92e9b46ce3b8e9d3a20e6c8e63365223a48be198bcb174af9dce

SHA512
6a4239796592b9616b6146426e6561b41f4967f306a071e622cdcb83e1801a0871591fced35660a66a27c45ed837bbb7fe731991ac2c25e0538d4bccca6406f6

Download Submit
C:\Windows\W_X_C.vbs
MD5
c07e50e3569474ee860ffae64b53eb63

SHA1
9e01a9296097458ce32dbbe440e26f6050f1c807

SHA256
aada8080235b5cce6e29aee4c46056ca82494483751a4126d8beddc476bcfb89

SHA512
19b8a39bd143ef58f12263a811ea2fb016596898deb7a63cd7a38373f1d111474a6d7666e4d7e3921f11ea012b9f96501631ada353e065d3d1313ef4ebdb1888

Download Submit
C:\Windows\hosts.exe
MD5
29d244d586512316755eb86aed61380f

SHA1
4a65dc9d609dbfd0c67e66d481dbc2dc34c13216

SHA256
f4f04390e31eb25ec99f26d2199ca12e766e1f8c50f47ec7c4152c64d61e16cb

SHA512
ddb932244301ae821db23c4ba7179d6277bb9732983bc2890bb0be87e7da64a6c7d1df7ccb43de9881bf1c8deaea9d7de2f140f5085775a27cc92837467744ae

Download Submit
C:\Windows\hosts.exe
MD5
29d244d586512316755eb86aed61380f

SHA1
4a65dc9d609dbfd0c67e66d481dbc2dc34c13216

SHA256
f4f04390e31eb25ec99f26d2199ca12e766e1f8c50f47ec7c4152c64d61e16cb

SHA512
ddb932244301ae821db23c4ba7179d6277bb9732983bc2890bb0be87e7da64a6c7d1df7ccb43de9881bf1c8deaea9d7de2f140f5085775a27cc92837467744ae

Download Submit
C:\Windows\hosts.exe
MD5
29d244d586512316755eb86aed61380f

SHA1
4a65dc9d609dbfd0c67e66d481dbc2dc34c13216

SHA256
f4f04390e31eb25ec99f26d2199ca12e766e1f8c50f47ec7c4152c64d61e16cb

SHA512
ddb932244301ae821db23c4ba7179d6277bb9732983bc2890bb0be87e7da64a6c7d1df7ccb43de9881bf1c8deaea9d7de2f140f5085775a27cc92837467744ae

Download Submit
C:\Windows\hosts.exe
MD5
29d244d586512316755eb86aed61380f

SHA1
4a65dc9d609dbfd0c67e66d481dbc2dc34c13216

SHA256
f4f04390e31eb25ec99f26d2199ca12e766e1f8c50f47ec7c4152c64d61e16cb

SHA512
ddb932244301ae821db23c4ba7179d6277bb9732983bc2890bb0be87e7da64a6c7d1df7ccb43de9881bf1c8deaea9d7de2f140f5085775a27cc92837467744ae

Download Submit
C:\windows\hosts.exe
MD5
29d244d586512316755eb86aed61380f

SHA1
4a65dc9d609dbfd0c67e66d481dbc2dc34c13216

SHA256
f4f04390e31eb25ec99f26d2199ca12e766e1f8c50f47ec7c4152c64d61e16cb

SHA512
ddb932244301ae821db23c4ba7179d6277bb9732983bc2890bb0be87e7da64a6c7d1df7ccb43de9881bf1c8deaea9d7de2f140f5085775a27cc92837467744ae

Download Submit
\??\c:\windows\W_X_C.bat
MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe
MD5
ca0a82a7661e3eccbfe0d904aef2e514

SHA1
77e39cc6ad3a33efe75092d53bbf5ccc18ad21fa

SHA256
b55cef85d28e92e9b46ce3b8e9d3a20e6c8e63365223a48be198bcb174af9dce

SHA512
6a4239796592b9616b6146426e6561b41f4967f306a071e622cdcb83e1801a0871591fced35660a66a27c45ed837bbb7fe731991ac2c25e0538d4bccca6406f6

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe
MD5
ca0a82a7661e3eccbfe0d904aef2e514

SHA1
77e39cc6ad3a33efe75092d53bbf5ccc18ad21fa

SHA256
b55cef85d28e92e9b46ce3b8e9d3a20e6c8e63365223a48be198bcb174af9dce

SHA512
6a4239796592b9616b6146426e6561b41f4967f306a071e622cdcb83e1801a0871591fced35660a66a27c45ed837bbb7fe731991ac2c25e0538d4bccca6406f6

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe
MD5
ca0a82a7661e3eccbfe0d904aef2e514

SHA1
77e39cc6ad3a33efe75092d53bbf5ccc18ad21fa

SHA256
b55cef85d28e92e9b46ce3b8e9d3a20e6c8e63365223a48be198bcb174af9dce

SHA512
6a4239796592b9616b6146426e6561b41f4967f306a071e622cdcb83e1801a0871591fced35660a66a27c45ed837bbb7fe731991ac2c25e0538d4bccca6406f6

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe
MD5
ca0a82a7661e3eccbfe0d904aef2e514

SHA1
77e39cc6ad3a33efe75092d53bbf5ccc18ad21fa

SHA256
b55cef85d28e92e9b46ce3b8e9d3a20e6c8e63365223a48be198bcb174af9dce

SHA512
6a4239796592b9616b6146426e6561b41f4967f306a071e622cdcb83e1801a0871591fced35660a66a27c45ed837bbb7fe731991ac2c25e0538d4bccca6406f6

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe
MD5
ca0a82a7661e3eccbfe0d904aef2e514

SHA1
77e39cc6ad3a33efe75092d53bbf5ccc18ad21fa

SHA256
b55cef85d28e92e9b46ce3b8e9d3a20e6c8e63365223a48be198bcb174af9dce

SHA512
6a4239796592b9616b6146426e6561b41f4967f306a071e622cdcb83e1801a0871591fced35660a66a27c45ed837bbb7fe731991ac2c25e0538d4bccca6406f6

Download Submit
memory/756-66-0x00000000750C1000-0x00000000750C3000-memory.dmp

Filesize
8KB

Download
memory/756-65-0x0000000000401000-0x000000000041D000-memory.dmp

Filesize
112KB

Download
memory/756-61-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/756-64-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/756-60-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/768-151-0x0000000000000000-mapping.dmp

Download
memory/780-70-0x0000000000000000-mapping.dmp

Download
memory/780-72-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/848-103-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/848-94-0x0000000000000000-mapping.dmp

Download
memory/1020-122-0x0000000000000000-mapping.dmp

Download
memory/1104-93-0x0000000000000000-mapping.dmp

Download
memory/1104-97-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1168-67-0x0000000000000000-mapping.dmp

Download
memory/1336-107-0x0000000000000000-mapping.dmp

Download
memory/1336-143-0x0000000000000000-mapping.dmp

Download
memory/1336-110-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1340-141-0x0000000000000000-mapping.dmp

Download
memory/1432-145-0x0000000000000000-mapping.dmp

Download
memory/1524-149-0x0000000000000000-mapping.dmp

Download
memory/1548-128-0x0000000000000000-mapping.dmp

Download
memory/1656-79-0x0000000000000000-mapping.dmp

Download
memory/1656-81-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1708-153-0x0000000000000000-mapping.dmp

Download
memory/1720-147-0x0000000000000000-mapping.dmp

Download
memory/1740-86-0x0000000000000000-mapping.dmp

Download
memory/1780-87-0x0000000000000000-mapping.dmp

Download
memory/1844-127-0x0000000000000000-mapping.dmp

Download
memory/1884-139-0x0000000000000000-mapping.dmp

Download
memory/2004-126-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2004-123-0x0000000000000000-mapping.dmp

Download
memory/2028-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads