a0a02d9fc849bcff42a69749431aed7d6f6a25df6db3ede7a386e688eaff53f8

Analysis

max time kernel
140s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 07:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0a02d9fc849bcff42a69749431aed7d6f6a25df6db3ede7a386e688eaff53f8.exe
Size

177KB
MD5

088f5610d61bdfd57739dddb607f6bd5
SHA1

052b3854aeacf797529bbea8a5332714a5c5c12b
SHA256

a0a02d9fc849bcff42a69749431aed7d6f6a25df6db3ede7a386e688eaff53f8
SHA512

d6582b6582753243bcd067f6fd8535745a6a6663a5761e5ad3b584bc4e7a0e5d3338c892a0398abcb4e4b9b19e0c8588aa9a9189acb5c407f60ecc1f242ee53f
SSDEEP

3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCm/DER4eQvh3I:gDCwfG1bnxLERRG4

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	a0a02d9fc849bcff42a69749431aed7d6f6a25df6db3ede7a386e688eaff53f8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	a0a02d9fc849bcff42a69749431aed7d6f6a25df6db3ede7a386e688eaff53f8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZERMMMDR = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZERMMMDR = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZERMMMDR = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
2024	avscan.exe
900	avscan.exe
1748	hosts.exe
700	hosts.exe
820	avscan.exe
364	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
864	a0a02d9fc849bcff42a69749431aed7d6f6a25df6db3ede7a386e688eaff53f8.exe
864	a0a02d9fc849bcff42a69749431aed7d6f6a25df6db3ede7a386e688eaff53f8.exe
2024	avscan.exe
1748	hosts.exe
1748	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	a0a02d9fc849bcff42a69749431aed7d6f6a25df6db3ede7a386e688eaff53f8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	a0a02d9fc849bcff42a69749431aed7d6f6a25df6db3ede7a386e688eaff53f8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\hosts.exe	a0a02d9fc849bcff42a69749431aed7d6f6a25df6db3ede7a386e688eaff53f8.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	a0a02d9fc849bcff42a69749431aed7d6f6a25df6db3ede7a386e688eaff53f8.exe
File created	\??\c:\windows\W_X_C.bat	a0a02d9fc849bcff42a69749431aed7d6f6a25df6db3ede7a386e688eaff53f8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
1576	REG.exe
844	REG.exe
540	REG.exe
2032	REG.exe
280	REG.exe
1544	REG.exe
1480	REG.exe
1984	REG.exe
1696	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2024	avscan.exe
1748	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
864	a0a02d9fc849bcff42a69749431aed7d6f6a25df6db3ede7a386e688eaff53f8.exe
2024	avscan.exe
900	avscan.exe
1748	hosts.exe
700	hosts.exe
820	avscan.exe
364	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 1480	864	a0a02d9fc849bcff42a69749431aed7d6f6a25df6db3ede7a386e688eaff53f8.exe	27
PID 864 wrote to memory of 1480	864	a0a02d9fc849bcff42a69749431aed7d6f6a25df6db3ede7a386e688eaff53f8.exe	27
PID 864 wrote to memory of 1480	864	a0a02d9fc849bcff42a69749431aed7d6f6a25df6db3ede7a386e688eaff53f8.exe	27
PID 864 wrote to memory of 1480	864	a0a02d9fc849bcff42a69749431aed7d6f6a25df6db3ede7a386e688eaff53f8.exe	27
PID 864 wrote to memory of 2024	864	a0a02d9fc849bcff42a69749431aed7d6f6a25df6db3ede7a386e688eaff53f8.exe	29
PID 864 wrote to memory of 2024	864	a0a02d9fc849bcff42a69749431aed7d6f6a25df6db3ede7a386e688eaff53f8.exe	29
PID 864 wrote to memory of 2024	864	a0a02d9fc849bcff42a69749431aed7d6f6a25df6db3ede7a386e688eaff53f8.exe	29
PID 864 wrote to memory of 2024	864	a0a02d9fc849bcff42a69749431aed7d6f6a25df6db3ede7a386e688eaff53f8.exe	29
PID 2024 wrote to memory of 900	2024	avscan.exe	30
PID 2024 wrote to memory of 900	2024	avscan.exe	30
PID 2024 wrote to memory of 900	2024	avscan.exe	30
PID 2024 wrote to memory of 900	2024	avscan.exe	30
PID 2024 wrote to memory of 1776	2024	avscan.exe	31
PID 2024 wrote to memory of 1776	2024	avscan.exe	31
PID 2024 wrote to memory of 1776	2024	avscan.exe	31
PID 2024 wrote to memory of 1776	2024	avscan.exe	31
PID 864 wrote to memory of 552	864	a0a02d9fc849bcff42a69749431aed7d6f6a25df6db3ede7a386e688eaff53f8.exe	33
PID 864 wrote to memory of 552	864	a0a02d9fc849bcff42a69749431aed7d6f6a25df6db3ede7a386e688eaff53f8.exe	33
PID 864 wrote to memory of 552	864	a0a02d9fc849bcff42a69749431aed7d6f6a25df6db3ede7a386e688eaff53f8.exe	33
PID 864 wrote to memory of 552	864	a0a02d9fc849bcff42a69749431aed7d6f6a25df6db3ede7a386e688eaff53f8.exe	33
PID 552 wrote to memory of 700	552	cmd.exe	35
PID 552 wrote to memory of 700	552	cmd.exe	35
PID 552 wrote to memory of 700	552	cmd.exe	35
PID 552 wrote to memory of 700	552	cmd.exe	35
PID 1776 wrote to memory of 1748	1776	cmd.exe	36
PID 1776 wrote to memory of 1748	1776	cmd.exe	36
PID 1776 wrote to memory of 1748	1776	cmd.exe	36
PID 1776 wrote to memory of 1748	1776	cmd.exe	36
PID 1748 wrote to memory of 820	1748	hosts.exe	37
PID 1748 wrote to memory of 820	1748	hosts.exe	37
PID 1748 wrote to memory of 820	1748	hosts.exe	37
PID 1748 wrote to memory of 820	1748	hosts.exe	37
PID 1748 wrote to memory of 320	1748	hosts.exe	39
PID 1748 wrote to memory of 320	1748	hosts.exe	39
PID 1748 wrote to memory of 320	1748	hosts.exe	39
PID 1748 wrote to memory of 320	1748	hosts.exe	39
PID 552 wrote to memory of 608	552	cmd.exe	38
PID 552 wrote to memory of 608	552	cmd.exe	38
PID 552 wrote to memory of 608	552	cmd.exe	38
PID 552 wrote to memory of 608	552	cmd.exe	38
PID 320 wrote to memory of 364	320	cmd.exe	41
PID 320 wrote to memory of 364	320	cmd.exe	41
PID 320 wrote to memory of 364	320	cmd.exe	41
PID 320 wrote to memory of 364	320	cmd.exe	41
PID 1776 wrote to memory of 1180	1776	cmd.exe	42
PID 1776 wrote to memory of 1180	1776	cmd.exe	42
PID 1776 wrote to memory of 1180	1776	cmd.exe	42
PID 1776 wrote to memory of 1180	1776	cmd.exe	42
PID 320 wrote to memory of 1628	320	cmd.exe	43
PID 320 wrote to memory of 1628	320	cmd.exe	43
PID 320 wrote to memory of 1628	320	cmd.exe	43
PID 320 wrote to memory of 1628	320	cmd.exe	43
PID 1748 wrote to memory of 844	1748	hosts.exe	44
PID 1748 wrote to memory of 844	1748	hosts.exe	44
PID 1748 wrote to memory of 844	1748	hosts.exe	44
PID 1748 wrote to memory of 844	1748	hosts.exe	44
PID 2024 wrote to memory of 540	2024	avscan.exe	45
PID 2024 wrote to memory of 540	2024	avscan.exe	45
PID 2024 wrote to memory of 540	2024	avscan.exe	45
PID 2024 wrote to memory of 540	2024	avscan.exe	45
PID 1748 wrote to memory of 1984	1748	hosts.exe	48
PID 1748 wrote to memory of 1984	1748	hosts.exe	48
PID 1748 wrote to memory of 1984	1748	hosts.exe	48
PID 1748 wrote to memory of 1984	1748	hosts.exe	48

C:\Users\Admin\AppData\Local\Temp\a0a02d9fc849bcff42a69749431aed7d6f6a25df6db3ede7a386e688eaff53f8.exe
"C:\Users\Admin\AppData\Local\Temp\a0a02d9fc849bcff42a69749431aed7d6f6a25df6db3ede7a386e688eaff53f8.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:864
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:1480
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:900
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1776
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1748
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:820
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\W_X_C.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:320
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:364
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:1628
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:844
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1984
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:280
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1576
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:1180
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:540
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1696
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:2032
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:700
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
403KB

MD5
0df095e028d8d0d0d4ae0a1845619cd4

SHA1
7a3f436095b60f37e4e2194743c4631399c3e988

SHA256
b5a13771001673af8e45f6ff85eda959c07685d4870e18210067a41c58d465b1

SHA512
336d5289ede50230e443e2217204606c1edb45892adbb3bd1e59131e14537b3539b676a8416e59623774b4fffb66ea0473c5a99352915f5a08279bf5eb4a4022

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
580KB

MD5
28d3714aa098f9775eca23c6cc793661

SHA1
52d31b5de0894e97f587ba6ffce4f1b993cf0e76

SHA256
f65f679a94081e7fd5ebe1c33183706f98a6ac4822c4e44a8b36457ec7ab53f0

SHA512
74d58278cfebcf5039f9ccf8f272f9d5d0fd43f3ea45160d89b8f89f1f602a172809985df2baf744113644f9091e0d725d8ed3f76c164a8cd09c7f4dcacf4eee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
580KB

MD5
28d3714aa098f9775eca23c6cc793661

SHA1
52d31b5de0894e97f587ba6ffce4f1b993cf0e76

SHA256
f65f679a94081e7fd5ebe1c33183706f98a6ac4822c4e44a8b36457ec7ab53f0

SHA512
74d58278cfebcf5039f9ccf8f272f9d5d0fd43f3ea45160d89b8f89f1f602a172809985df2baf744113644f9091e0d725d8ed3f76c164a8cd09c7f4dcacf4eee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
580KB

MD5
7ebeab8b7aa7f4e1113eaf3598ba584c

SHA1
4e7149a7554940b36e7c210310f87b47e6171f5c

SHA256
73926991c69129ae4b18a21e6a1ab661c1fe146e737fbd3acecaed3e94c32b8f

SHA512
33fd7f4ae12035c487348bb1246b3ba5bfda69bad5a35aff6ed701319c266bda8e597e3d8b368fe64297a64530985f98750f4985c4a215e2088347e3ee862930

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
758KB

MD5
1d6a1c75bee3effde9d5b2388219bb0e

SHA1
040e9bf09cb69f1404365c03c506cd851bc62b51

SHA256
46c67d6b637edfd11d0269066513e48ae3560c48e4d9f786ee084bbea3e809f0

SHA512
463a20806478ac985be06c4cef4e0f04fbf6c26d55ffde5bb943aa1061fda4d58b4214b4b48345bd2c36878930e8ed4b737e635bc4da596eb5688cfc50634fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.3MB

MD5
921ef1b8962fa1d752646003503cbd36

SHA1
5a6b74d3ca9741cc0050bbef979ff2c8900ca904

SHA256
ed49d15279a62780f406e1a715977615f0055c6ccde7f6b10b592a5071b36660

SHA512
06562131a6b15e7f2ddf79da6070d358c7fb41e178c0dcf2a986feefc0cd7baae398df3257ce0a26c090bb60350cef366b17a1f42f9c5cf63f6d263cb5e712cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.3MB

MD5
921ef1b8962fa1d752646003503cbd36

SHA1
5a6b74d3ca9741cc0050bbef979ff2c8900ca904

SHA256
ed49d15279a62780f406e1a715977615f0055c6ccde7f6b10b592a5071b36660

SHA512
06562131a6b15e7f2ddf79da6070d358c7fb41e178c0dcf2a986feefc0cd7baae398df3257ce0a26c090bb60350cef366b17a1f42f9c5cf63f6d263cb5e712cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
177KB

MD5
a391a88bd51ea457b3f1eee3d1a20199

SHA1
f1603f0c3aa0a5622e16279c6b9351493ebfb9fc

SHA256
8ec766ced7416ced623edaaffb0e14fc355eecacadfcebdaf30aa8301cc55148

SHA512
597a3dc5efdc8309eda0b696153b359594172c8cd1644e6e4e255bf5a18be623aa360e2e36e51efd368191cdb6cb814365bdfe282391aad0cc0a0a665e7e3f5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
177KB

MD5
a391a88bd51ea457b3f1eee3d1a20199

SHA1
f1603f0c3aa0a5622e16279c6b9351493ebfb9fc

SHA256
8ec766ced7416ced623edaaffb0e14fc355eecacadfcebdaf30aa8301cc55148

SHA512
597a3dc5efdc8309eda0b696153b359594172c8cd1644e6e4e255bf5a18be623aa360e2e36e51efd368191cdb6cb814365bdfe282391aad0cc0a0a665e7e3f5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
177KB

MD5
a391a88bd51ea457b3f1eee3d1a20199

SHA1
f1603f0c3aa0a5622e16279c6b9351493ebfb9fc

SHA256
8ec766ced7416ced623edaaffb0e14fc355eecacadfcebdaf30aa8301cc55148

SHA512
597a3dc5efdc8309eda0b696153b359594172c8cd1644e6e4e255bf5a18be623aa360e2e36e51efd368191cdb6cb814365bdfe282391aad0cc0a0a665e7e3f5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
177KB

MD5
a391a88bd51ea457b3f1eee3d1a20199

SHA1
f1603f0c3aa0a5622e16279c6b9351493ebfb9fc

SHA256
8ec766ced7416ced623edaaffb0e14fc355eecacadfcebdaf30aa8301cc55148

SHA512
597a3dc5efdc8309eda0b696153b359594172c8cd1644e6e4e255bf5a18be623aa360e2e36e51efd368191cdb6cb814365bdfe282391aad0cc0a0a665e7e3f5e

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
b147c267b47c4a6cfa3a72c41407541b

SHA1
062231bf7639b26f92e6d5ef78d515f8eaa9639d

SHA256
c9b7b5b912ab24c729de962727ac33835dd58f17754f9368ac702b9987f3baf6

SHA512
4f646fee7eaa29f33604b3f349b3d90a65bec39fdbe80bac6dcd2cd67b17475e51f833a66a5207d3008fede867792605bab132d6672e206bfefaa83aa344ac64

Download Submit
C:\Windows\hosts.exe

Filesize
177KB

MD5
e3f8798597bb7097f2ffdd258a7fb545

SHA1
5c96d1650f58f035e345d2cc56c322b8c194eba3

SHA256
ee6e750c2f6e937980c30d6ff030706fa9bf4476f7e677810a805986119b2bf3

SHA512
8a902406d53f5c65e8777fb44428702d8f18f283682da6e68bf89c05bc8c1855a3ae8365a83f009f3d52fe59dba4f6b4c6ff6d6642fe8dd7d09681534e668645

Download Submit
C:\Windows\hosts.exe

Filesize
177KB

MD5
e3f8798597bb7097f2ffdd258a7fb545

SHA1
5c96d1650f58f035e345d2cc56c322b8c194eba3

SHA256
ee6e750c2f6e937980c30d6ff030706fa9bf4476f7e677810a805986119b2bf3

SHA512
8a902406d53f5c65e8777fb44428702d8f18f283682da6e68bf89c05bc8c1855a3ae8365a83f009f3d52fe59dba4f6b4c6ff6d6642fe8dd7d09681534e668645

Download Submit
C:\Windows\hosts.exe

Filesize
177KB

MD5
e3f8798597bb7097f2ffdd258a7fb545

SHA1
5c96d1650f58f035e345d2cc56c322b8c194eba3

SHA256
ee6e750c2f6e937980c30d6ff030706fa9bf4476f7e677810a805986119b2bf3

SHA512
8a902406d53f5c65e8777fb44428702d8f18f283682da6e68bf89c05bc8c1855a3ae8365a83f009f3d52fe59dba4f6b4c6ff6d6642fe8dd7d09681534e668645

Download Submit
C:\Windows\hosts.exe

Filesize
177KB

MD5
e3f8798597bb7097f2ffdd258a7fb545

SHA1
5c96d1650f58f035e345d2cc56c322b8c194eba3

SHA256
ee6e750c2f6e937980c30d6ff030706fa9bf4476f7e677810a805986119b2bf3

SHA512
8a902406d53f5c65e8777fb44428702d8f18f283682da6e68bf89c05bc8c1855a3ae8365a83f009f3d52fe59dba4f6b4c6ff6d6642fe8dd7d09681534e668645

Download Submit
C:\windows\hosts.exe

Filesize
177KB

MD5
e3f8798597bb7097f2ffdd258a7fb545

SHA1
5c96d1650f58f035e345d2cc56c322b8c194eba3

SHA256
ee6e750c2f6e937980c30d6ff030706fa9bf4476f7e677810a805986119b2bf3

SHA512
8a902406d53f5c65e8777fb44428702d8f18f283682da6e68bf89c05bc8c1855a3ae8365a83f009f3d52fe59dba4f6b4c6ff6d6642fe8dd7d09681534e668645

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
177KB

MD5
a391a88bd51ea457b3f1eee3d1a20199

SHA1
f1603f0c3aa0a5622e16279c6b9351493ebfb9fc

SHA256
8ec766ced7416ced623edaaffb0e14fc355eecacadfcebdaf30aa8301cc55148

SHA512
597a3dc5efdc8309eda0b696153b359594172c8cd1644e6e4e255bf5a18be623aa360e2e36e51efd368191cdb6cb814365bdfe282391aad0cc0a0a665e7e3f5e

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
177KB

MD5
a391a88bd51ea457b3f1eee3d1a20199

SHA1
f1603f0c3aa0a5622e16279c6b9351493ebfb9fc

SHA256
8ec766ced7416ced623edaaffb0e14fc355eecacadfcebdaf30aa8301cc55148

SHA512
597a3dc5efdc8309eda0b696153b359594172c8cd1644e6e4e255bf5a18be623aa360e2e36e51efd368191cdb6cb814365bdfe282391aad0cc0a0a665e7e3f5e

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
177KB

MD5
a391a88bd51ea457b3f1eee3d1a20199

SHA1
f1603f0c3aa0a5622e16279c6b9351493ebfb9fc

SHA256
8ec766ced7416ced623edaaffb0e14fc355eecacadfcebdaf30aa8301cc55148

SHA512
597a3dc5efdc8309eda0b696153b359594172c8cd1644e6e4e255bf5a18be623aa360e2e36e51efd368191cdb6cb814365bdfe282391aad0cc0a0a665e7e3f5e

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
177KB

MD5
a391a88bd51ea457b3f1eee3d1a20199

SHA1
f1603f0c3aa0a5622e16279c6b9351493ebfb9fc

SHA256
8ec766ced7416ced623edaaffb0e14fc355eecacadfcebdaf30aa8301cc55148

SHA512
597a3dc5efdc8309eda0b696153b359594172c8cd1644e6e4e255bf5a18be623aa360e2e36e51efd368191cdb6cb814365bdfe282391aad0cc0a0a665e7e3f5e

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
177KB

MD5
a391a88bd51ea457b3f1eee3d1a20199

SHA1
f1603f0c3aa0a5622e16279c6b9351493ebfb9fc

SHA256
8ec766ced7416ced623edaaffb0e14fc355eecacadfcebdaf30aa8301cc55148

SHA512
597a3dc5efdc8309eda0b696153b359594172c8cd1644e6e4e255bf5a18be623aa360e2e36e51efd368191cdb6cb814365bdfe282391aad0cc0a0a665e7e3f5e

Download Submit
memory/864-56-0x0000000076831000-0x0000000076833000-memory.dmp

Filesize
8KB

Download
memory/864-58-0x0000000075061000-0x0000000075063000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads