a0c5e39b6bafe3193e0b3e8787b32b3d5d2de6b5f34e5df7830d1c729d192761

Analysis

max time kernel
131s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0c5e39b6bafe3193e0b3e8787b32b3d5d2de6b5f34e5df7830d1c729d192761.exe
Size

1.0MB
MD5

6dfbfd3efd9eb2a1b9f39b161191c6e0
SHA1

320d332f817b4d770c672021dae574ee82a95c4d
SHA256

a0c5e39b6bafe3193e0b3e8787b32b3d5d2de6b5f34e5df7830d1c729d192761
SHA512

90ef1fb5d192bade98e58aa38294a110cd0561f39ffda222ed23198b68acf310fc3ab62a2d265e2be644e0532ab1dddc5b532da252690b7f1dadefd3e15b5c01
SSDEEP

12288:g72bn2Yp72bn2Yr72bn2Yp72bn2YC72bn2Yp72bn2Yw:g72zF72zf72zF72zm72zF72zs

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	a0c5e39b6bafe3193e0b3e8787b32b3d5d2de6b5f34e5df7830d1c729d192761.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	a0c5e39b6bafe3193e0b3e8787b32b3d5d2de6b5f34e5df7830d1c729d192761.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZERMMMDR = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZERMMMDR = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZERMMMDR = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
2044	avscan.exe
1448	avscan.exe
1044	hosts.exe
1816	hosts.exe
704	avscan.exe
1776	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
1620	a0c5e39b6bafe3193e0b3e8787b32b3d5d2de6b5f34e5df7830d1c729d192761.exe
1620	a0c5e39b6bafe3193e0b3e8787b32b3d5d2de6b5f34e5df7830d1c729d192761.exe
2044	avscan.exe
1044	hosts.exe
1044	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	a0c5e39b6bafe3193e0b3e8787b32b3d5d2de6b5f34e5df7830d1c729d192761.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	a0c5e39b6bafe3193e0b3e8787b32b3d5d2de6b5f34e5df7830d1c729d192761.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\W_X_C.vbs	a0c5e39b6bafe3193e0b3e8787b32b3d5d2de6b5f34e5df7830d1c729d192761.exe
File created	\??\c:\windows\W_X_C.bat	a0c5e39b6bafe3193e0b3e8787b32b3d5d2de6b5f34e5df7830d1c729d192761.exe
File opened for modification	C:\Windows\hosts.exe	a0c5e39b6bafe3193e0b3e8787b32b3d5d2de6b5f34e5df7830d1c729d192761.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
1648	REG.exe
1496	REG.exe
1104	REG.exe
1624	REG.exe
1604	REG.exe
1132	REG.exe
944	REG.exe
940	REG.exe
1488	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2044	avscan.exe
1044	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1620	a0c5e39b6bafe3193e0b3e8787b32b3d5d2de6b5f34e5df7830d1c729d192761.exe
2044	avscan.exe
1448	avscan.exe
1044	hosts.exe
1816	hosts.exe
704	avscan.exe
1776	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 1104	1620	a0c5e39b6bafe3193e0b3e8787b32b3d5d2de6b5f34e5df7830d1c729d192761.exe	27
PID 1620 wrote to memory of 1104	1620	a0c5e39b6bafe3193e0b3e8787b32b3d5d2de6b5f34e5df7830d1c729d192761.exe	27
PID 1620 wrote to memory of 1104	1620	a0c5e39b6bafe3193e0b3e8787b32b3d5d2de6b5f34e5df7830d1c729d192761.exe	27
PID 1620 wrote to memory of 1104	1620	a0c5e39b6bafe3193e0b3e8787b32b3d5d2de6b5f34e5df7830d1c729d192761.exe	27
PID 1620 wrote to memory of 2044	1620	a0c5e39b6bafe3193e0b3e8787b32b3d5d2de6b5f34e5df7830d1c729d192761.exe	29
PID 1620 wrote to memory of 2044	1620	a0c5e39b6bafe3193e0b3e8787b32b3d5d2de6b5f34e5df7830d1c729d192761.exe	29
PID 1620 wrote to memory of 2044	1620	a0c5e39b6bafe3193e0b3e8787b32b3d5d2de6b5f34e5df7830d1c729d192761.exe	29
PID 1620 wrote to memory of 2044	1620	a0c5e39b6bafe3193e0b3e8787b32b3d5d2de6b5f34e5df7830d1c729d192761.exe	29
PID 2044 wrote to memory of 1448	2044	avscan.exe	30
PID 2044 wrote to memory of 1448	2044	avscan.exe	30
PID 2044 wrote to memory of 1448	2044	avscan.exe	30
PID 2044 wrote to memory of 1448	2044	avscan.exe	30
PID 2044 wrote to memory of 472	2044	avscan.exe	31
PID 2044 wrote to memory of 472	2044	avscan.exe	31
PID 2044 wrote to memory of 472	2044	avscan.exe	31
PID 2044 wrote to memory of 472	2044	avscan.exe	31
PID 1620 wrote to memory of 656	1620	a0c5e39b6bafe3193e0b3e8787b32b3d5d2de6b5f34e5df7830d1c729d192761.exe	32
PID 1620 wrote to memory of 656	1620	a0c5e39b6bafe3193e0b3e8787b32b3d5d2de6b5f34e5df7830d1c729d192761.exe	32
PID 1620 wrote to memory of 656	1620	a0c5e39b6bafe3193e0b3e8787b32b3d5d2de6b5f34e5df7830d1c729d192761.exe	32
PID 1620 wrote to memory of 656	1620	a0c5e39b6bafe3193e0b3e8787b32b3d5d2de6b5f34e5df7830d1c729d192761.exe	32
PID 472 wrote to memory of 1816	472	cmd.exe	36
PID 472 wrote to memory of 1816	472	cmd.exe	36
PID 472 wrote to memory of 1816	472	cmd.exe	36
PID 472 wrote to memory of 1816	472	cmd.exe	36
PID 656 wrote to memory of 1044	656	cmd.exe	35
PID 656 wrote to memory of 1044	656	cmd.exe	35
PID 656 wrote to memory of 1044	656	cmd.exe	35
PID 656 wrote to memory of 1044	656	cmd.exe	35
PID 1044 wrote to memory of 704	1044	hosts.exe	37
PID 1044 wrote to memory of 704	1044	hosts.exe	37
PID 1044 wrote to memory of 704	1044	hosts.exe	37
PID 1044 wrote to memory of 704	1044	hosts.exe	37
PID 1044 wrote to memory of 1696	1044	hosts.exe	38
PID 1044 wrote to memory of 1696	1044	hosts.exe	38
PID 1044 wrote to memory of 1696	1044	hosts.exe	38
PID 1044 wrote to memory of 1696	1044	hosts.exe	38
PID 1696 wrote to memory of 1776	1696	cmd.exe	40
PID 1696 wrote to memory of 1776	1696	cmd.exe	40
PID 1696 wrote to memory of 1776	1696	cmd.exe	40
PID 1696 wrote to memory of 1776	1696	cmd.exe	40
PID 1696 wrote to memory of 1308	1696	cmd.exe	41
PID 1696 wrote to memory of 1308	1696	cmd.exe	41
PID 1696 wrote to memory of 1308	1696	cmd.exe	41
PID 1696 wrote to memory of 1308	1696	cmd.exe	41
PID 656 wrote to memory of 1976	656	cmd.exe	42
PID 656 wrote to memory of 1976	656	cmd.exe	42
PID 656 wrote to memory of 1976	656	cmd.exe	42
PID 656 wrote to memory of 1976	656	cmd.exe	42
PID 472 wrote to memory of 1884	472	cmd.exe	43
PID 472 wrote to memory of 1884	472	cmd.exe	43
PID 472 wrote to memory of 1884	472	cmd.exe	43
PID 472 wrote to memory of 1884	472	cmd.exe	43
PID 2044 wrote to memory of 944	2044	avscan.exe	44
PID 2044 wrote to memory of 944	2044	avscan.exe	44
PID 2044 wrote to memory of 944	2044	avscan.exe	44
PID 2044 wrote to memory of 944	2044	avscan.exe	44
PID 1044 wrote to memory of 1624	1044	hosts.exe	45
PID 1044 wrote to memory of 1624	1044	hosts.exe	45
PID 1044 wrote to memory of 1624	1044	hosts.exe	45
PID 1044 wrote to memory of 1624	1044	hosts.exe	45
PID 2044 wrote to memory of 940	2044	avscan.exe	48
PID 2044 wrote to memory of 940	2044	avscan.exe	48
PID 2044 wrote to memory of 940	2044	avscan.exe	48
PID 2044 wrote to memory of 940	2044	avscan.exe	48

C:\Users\Admin\AppData\Local\Temp\a0c5e39b6bafe3193e0b3e8787b32b3d5d2de6b5f34e5df7830d1c729d192761.exe
"C:\Users\Admin\AppData\Local\Temp\a0c5e39b6bafe3193e0b3e8787b32b3d5d2de6b5f34e5df7830d1c729d192761.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:1104
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1448
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:472
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1816
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:1884
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:944
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:940
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1648
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:656
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1044
  - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:704
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\W_X_C.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1696
    - - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1776
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        5⤵
        Adds policy Run key to start application
        
        PID:1308
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1624
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1604
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1496
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1132
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.1MB

MD5
88b316d8ebe69316739b23b12dae9fe0

SHA1
bb14062cb4c0561a6003190cae6acf6b2d9039ec

SHA256
62626f46abb10c783b407e6896189de2c1a1e8b4d786f8b23cb331e400bdcf1d

SHA512
fee76f33a85b7dc05c83779e99cd638abbc0ee2eda7fb72f2832e274cdde394dff36d7bc137fa74f134a19261f429f32db52e83b9bffd79585dffb0b45870810

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.1MB

MD5
148f3e19554f8ebc63d18bb0c84766de

SHA1
c74eccf04326b3367e31f4b5bac74e99cdeae1ef

SHA256
bd2b40723641a66f8e6bd45598cdbf3d4e6fb7dc8d5f4b80341e911a8eb72f9e

SHA512
46c0d4eb74b53a6a346faede99729c402d5731a9db5a1dc33d0f15d3b4bfb82f887254f8f6f66120087205f3e740d90b1063df60877dbd2b28b218dc9717a72e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
3.1MB

MD5
3249210bdd48e3c7a528b186f2ae7e16

SHA1
4b8d821b12274ac94064c3daeea31872b34dbcd6

SHA256
ce297ddf4d01ed99da8d2158c4b14680bb939abdf52a67364ea5ca596a4938a0

SHA512
4641e3cdf3cd2ea1c52bbe2fa89738b1f741bc461f7da3e9a389cba8c0ad3ed08c6ac20adf46c84f0acc940aa8b65f1794268a771d639103c2dd7aa94eafcae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
5.2MB

MD5
23691d0b1f4b38f446bcb784ab2f2b64

SHA1
9a488ac1d0f300c1db48f91c0b81146c383d23cd

SHA256
a7489eaa3d29eb3ee0f2b00ead7a96949666c7e6865400e00b7a6ca550888dba

SHA512
8e157bde3bee4a23411d0dd6f86cc5c01e76f7a0d6fc9091f73c811a542e5786e172f4658085aa42f1e262d28214f863e5b26a79d73464a1138f7031ab6416cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
5.2MB

MD5
311323d54859652c17e8e2937773a2bc

SHA1
b5e0d944d734dd983313a1cb84ac778585057074

SHA256
1e62e61be7798551468c121cd9be3fe1f7ade3718b77249ecf07d53c06dd28f6

SHA512
b53b12cebaf95b6a2e3491c02d47d42c862451eff4207da80f3843f81a24806a65ea99ba9e799e60a85f05cbdd0f9d9a9e4a70e14bcd4145f718b197a29612da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
5.2MB

MD5
311323d54859652c17e8e2937773a2bc

SHA1
b5e0d944d734dd983313a1cb84ac778585057074

SHA256
1e62e61be7798551468c121cd9be3fe1f7ade3718b77249ecf07d53c06dd28f6

SHA512
b53b12cebaf95b6a2e3491c02d47d42c862451eff4207da80f3843f81a24806a65ea99ba9e799e60a85f05cbdd0f9d9a9e4a70e14bcd4145f718b197a29612da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
7.2MB

MD5
8da17b53af57529cb25ce38f4a93346b

SHA1
370d201a88b56c9ca4a8f9c6f0ddd00977e8e3d6

SHA256
4ed2b7d268788d2ab07f209394317c733a1e5096029b26a526f47735b02e15bd

SHA512
c2cfa0feadbea2eb768b158a94e12c595f9c949e56e76945dbc3314388e3a6a008849493393aca1c0b3b85b18c850d4dd132a5a1208731a0b1644b1d19ad1d8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
1.0MB

MD5
dc7bf449eddff10eb5584109851815ce

SHA1
9b53b661914736cb47a2e817c3b04893ae2d4145

SHA256
a37b631705106793cbdf54924581f514111dfcd150cbf25f2546e6ecd2313e04

SHA512
158b92878ed12c5572a4b0dae0641b7621870e04745793d13921d20a63c12b246588f17b819b37741d7ec2ea4464cc7ad650c92589e5285ce639ed2e76dc1a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
1.0MB

MD5
dc7bf449eddff10eb5584109851815ce

SHA1
9b53b661914736cb47a2e817c3b04893ae2d4145

SHA256
a37b631705106793cbdf54924581f514111dfcd150cbf25f2546e6ecd2313e04

SHA512
158b92878ed12c5572a4b0dae0641b7621870e04745793d13921d20a63c12b246588f17b819b37741d7ec2ea4464cc7ad650c92589e5285ce639ed2e76dc1a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
1.0MB

MD5
dc7bf449eddff10eb5584109851815ce

SHA1
9b53b661914736cb47a2e817c3b04893ae2d4145

SHA256
a37b631705106793cbdf54924581f514111dfcd150cbf25f2546e6ecd2313e04

SHA512
158b92878ed12c5572a4b0dae0641b7621870e04745793d13921d20a63c12b246588f17b819b37741d7ec2ea4464cc7ad650c92589e5285ce639ed2e76dc1a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
1.0MB

MD5
dc7bf449eddff10eb5584109851815ce

SHA1
9b53b661914736cb47a2e817c3b04893ae2d4145

SHA256
a37b631705106793cbdf54924581f514111dfcd150cbf25f2546e6ecd2313e04

SHA512
158b92878ed12c5572a4b0dae0641b7621870e04745793d13921d20a63c12b246588f17b819b37741d7ec2ea4464cc7ad650c92589e5285ce639ed2e76dc1a9b

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
b147c267b47c4a6cfa3a72c41407541b

SHA1
062231bf7639b26f92e6d5ef78d515f8eaa9639d

SHA256
c9b7b5b912ab24c729de962727ac33835dd58f17754f9368ac702b9987f3baf6

SHA512
4f646fee7eaa29f33604b3f349b3d90a65bec39fdbe80bac6dcd2cd67b17475e51f833a66a5207d3008fede867792605bab132d6672e206bfefaa83aa344ac64

Download Submit
C:\Windows\hosts.exe

Filesize
1.0MB

MD5
80f267d56e3e1c72e0cac96a80800684

SHA1
1be0de049280fdb42f59e524d0b33feddad98336

SHA256
ef101e4dd4bcb57ddaa03d6c2aa50f4db3ded79df0b8256d8cd92c4b4c457d67

SHA512
585897660e4f55677900ee7057e8234b610b33cf68dffa2e8f0127e6e14fed6f7eefee584ee41d1bf22572ecafaea448018d5be85ac46ac39fee88cb047531f6

Download Submit
C:\Windows\hosts.exe

Filesize
1.0MB

MD5
80f267d56e3e1c72e0cac96a80800684

SHA1
1be0de049280fdb42f59e524d0b33feddad98336

SHA256
ef101e4dd4bcb57ddaa03d6c2aa50f4db3ded79df0b8256d8cd92c4b4c457d67

SHA512
585897660e4f55677900ee7057e8234b610b33cf68dffa2e8f0127e6e14fed6f7eefee584ee41d1bf22572ecafaea448018d5be85ac46ac39fee88cb047531f6

Download Submit
C:\Windows\hosts.exe

Filesize
1.0MB

MD5
80f267d56e3e1c72e0cac96a80800684

SHA1
1be0de049280fdb42f59e524d0b33feddad98336

SHA256
ef101e4dd4bcb57ddaa03d6c2aa50f4db3ded79df0b8256d8cd92c4b4c457d67

SHA512
585897660e4f55677900ee7057e8234b610b33cf68dffa2e8f0127e6e14fed6f7eefee584ee41d1bf22572ecafaea448018d5be85ac46ac39fee88cb047531f6

Download Submit
C:\Windows\hosts.exe

Filesize
1.0MB

MD5
80f267d56e3e1c72e0cac96a80800684

SHA1
1be0de049280fdb42f59e524d0b33feddad98336

SHA256
ef101e4dd4bcb57ddaa03d6c2aa50f4db3ded79df0b8256d8cd92c4b4c457d67

SHA512
585897660e4f55677900ee7057e8234b610b33cf68dffa2e8f0127e6e14fed6f7eefee584ee41d1bf22572ecafaea448018d5be85ac46ac39fee88cb047531f6

Download Submit
C:\windows\hosts.exe

Filesize
1.0MB

MD5
80f267d56e3e1c72e0cac96a80800684

SHA1
1be0de049280fdb42f59e524d0b33feddad98336

SHA256
ef101e4dd4bcb57ddaa03d6c2aa50f4db3ded79df0b8256d8cd92c4b4c457d67

SHA512
585897660e4f55677900ee7057e8234b610b33cf68dffa2e8f0127e6e14fed6f7eefee584ee41d1bf22572ecafaea448018d5be85ac46ac39fee88cb047531f6

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
1.0MB

MD5
dc7bf449eddff10eb5584109851815ce

SHA1
9b53b661914736cb47a2e817c3b04893ae2d4145

SHA256
a37b631705106793cbdf54924581f514111dfcd150cbf25f2546e6ecd2313e04

SHA512
158b92878ed12c5572a4b0dae0641b7621870e04745793d13921d20a63c12b246588f17b819b37741d7ec2ea4464cc7ad650c92589e5285ce639ed2e76dc1a9b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
1.0MB

MD5
dc7bf449eddff10eb5584109851815ce

SHA1
9b53b661914736cb47a2e817c3b04893ae2d4145

SHA256
a37b631705106793cbdf54924581f514111dfcd150cbf25f2546e6ecd2313e04

SHA512
158b92878ed12c5572a4b0dae0641b7621870e04745793d13921d20a63c12b246588f17b819b37741d7ec2ea4464cc7ad650c92589e5285ce639ed2e76dc1a9b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
1.0MB

MD5
dc7bf449eddff10eb5584109851815ce

SHA1
9b53b661914736cb47a2e817c3b04893ae2d4145

SHA256
a37b631705106793cbdf54924581f514111dfcd150cbf25f2546e6ecd2313e04

SHA512
158b92878ed12c5572a4b0dae0641b7621870e04745793d13921d20a63c12b246588f17b819b37741d7ec2ea4464cc7ad650c92589e5285ce639ed2e76dc1a9b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
1.0MB

MD5
dc7bf449eddff10eb5584109851815ce

SHA1
9b53b661914736cb47a2e817c3b04893ae2d4145

SHA256
a37b631705106793cbdf54924581f514111dfcd150cbf25f2546e6ecd2313e04

SHA512
158b92878ed12c5572a4b0dae0641b7621870e04745793d13921d20a63c12b246588f17b819b37741d7ec2ea4464cc7ad650c92589e5285ce639ed2e76dc1a9b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
1.0MB

MD5
dc7bf449eddff10eb5584109851815ce

SHA1
9b53b661914736cb47a2e817c3b04893ae2d4145

SHA256
a37b631705106793cbdf54924581f514111dfcd150cbf25f2546e6ecd2313e04

SHA512
158b92878ed12c5572a4b0dae0641b7621870e04745793d13921d20a63c12b246588f17b819b37741d7ec2ea4464cc7ad650c92589e5285ce639ed2e76dc1a9b

Download Submit
memory/1620-56-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1620-58-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads