876b8c0116eb2288cd9a767b74f308b996342f38c67804018b846aee5ba9c3af

Analysis

max time kernel
35s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 07:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

876b8c0116eb2288cd9a767b74f308b996342f38c67804018b846aee5ba9c3af.exe
Size

219KB
MD5

065f616d1e008b2b88fb08a035888823
SHA1

25b509758e5208f47df989c09ad47fdd380df162
SHA256

876b8c0116eb2288cd9a767b74f308b996342f38c67804018b846aee5ba9c3af
SHA512

ad8d2adad2eacdff4550c7903eb30d8e50686bda12dea4b1b77b3a96784210a22f5e55225f52bd6d717ae9bd2e763a254e9078a9b581848ee52e435bee9118e0
SSDEEP

3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCm/DER4eQKhsa7GlWTUSsDgjiH4EbkC:gDCwfG1bnxLERR9sa7sSs8j/EbkC

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	876b8c0116eb2288cd9a767b74f308b996342f38c67804018b846aee5ba9c3af.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	876b8c0116eb2288cd9a767b74f308b996342f38c67804018b846aee5ba9c3af.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZERMMMDR = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZERMMMDR = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
848	avscan.exe
1676	avscan.exe
1660	hosts.exe
592	hosts.exe
1252	avscan.exe
1064	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
1860	876b8c0116eb2288cd9a767b74f308b996342f38c67804018b846aee5ba9c3af.exe
1860	876b8c0116eb2288cd9a767b74f308b996342f38c67804018b846aee5ba9c3af.exe
848	avscan.exe
1660	hosts.exe
1660	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	876b8c0116eb2288cd9a767b74f308b996342f38c67804018b846aee5ba9c3af.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	876b8c0116eb2288cd9a767b74f308b996342f38c67804018b846aee5ba9c3af.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	876b8c0116eb2288cd9a767b74f308b996342f38c67804018b846aee5ba9c3af.exe
File created	\??\c:\windows\W_X_C.bat	876b8c0116eb2288cd9a767b74f308b996342f38c67804018b846aee5ba9c3af.exe
File opened for modification	C:\Windows\hosts.exe	876b8c0116eb2288cd9a767b74f308b996342f38c67804018b846aee5ba9c3af.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 5 IoCs

Modify Registry

T1112

pid	Process
988	REG.exe
968	REG.exe
108	REG.exe
1724	REG.exe
1360	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
848	avscan.exe
1660	hosts.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1860	876b8c0116eb2288cd9a767b74f308b996342f38c67804018b846aee5ba9c3af.exe
848	avscan.exe
1676	avscan.exe
1660	hosts.exe
1252	avscan.exe
1064	hosts.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 1360	1860	876b8c0116eb2288cd9a767b74f308b996342f38c67804018b846aee5ba9c3af.exe	28
PID 1860 wrote to memory of 1360	1860	876b8c0116eb2288cd9a767b74f308b996342f38c67804018b846aee5ba9c3af.exe	28
PID 1860 wrote to memory of 1360	1860	876b8c0116eb2288cd9a767b74f308b996342f38c67804018b846aee5ba9c3af.exe	28
PID 1860 wrote to memory of 1360	1860	876b8c0116eb2288cd9a767b74f308b996342f38c67804018b846aee5ba9c3af.exe	28
PID 1860 wrote to memory of 848	1860	876b8c0116eb2288cd9a767b74f308b996342f38c67804018b846aee5ba9c3af.exe	30
PID 1860 wrote to memory of 848	1860	876b8c0116eb2288cd9a767b74f308b996342f38c67804018b846aee5ba9c3af.exe	30
PID 1860 wrote to memory of 848	1860	876b8c0116eb2288cd9a767b74f308b996342f38c67804018b846aee5ba9c3af.exe	30
PID 1860 wrote to memory of 848	1860	876b8c0116eb2288cd9a767b74f308b996342f38c67804018b846aee5ba9c3af.exe	30
PID 848 wrote to memory of 1676	848	avscan.exe	31
PID 848 wrote to memory of 1676	848	avscan.exe	31
PID 848 wrote to memory of 1676	848	avscan.exe	31
PID 848 wrote to memory of 1676	848	avscan.exe	31
PID 848 wrote to memory of 904	848	avscan.exe	32
PID 848 wrote to memory of 904	848	avscan.exe	32
PID 848 wrote to memory of 904	848	avscan.exe	32
PID 848 wrote to memory of 904	848	avscan.exe	32
PID 1860 wrote to memory of 1340	1860	876b8c0116eb2288cd9a767b74f308b996342f38c67804018b846aee5ba9c3af.exe	35
PID 1860 wrote to memory of 1340	1860	876b8c0116eb2288cd9a767b74f308b996342f38c67804018b846aee5ba9c3af.exe	35
PID 1860 wrote to memory of 1340	1860	876b8c0116eb2288cd9a767b74f308b996342f38c67804018b846aee5ba9c3af.exe	35
PID 1860 wrote to memory of 1340	1860	876b8c0116eb2288cd9a767b74f308b996342f38c67804018b846aee5ba9c3af.exe	35
PID 1340 wrote to memory of 1660	1340	cmd.exe	36
PID 1340 wrote to memory of 1660	1340	cmd.exe	36
PID 1340 wrote to memory of 1660	1340	cmd.exe	36
PID 1340 wrote to memory of 1660	1340	cmd.exe	36
PID 904 wrote to memory of 592	904	cmd.exe	38
PID 904 wrote to memory of 592	904	cmd.exe	38
PID 904 wrote to memory of 592	904	cmd.exe	38
PID 904 wrote to memory of 592	904	cmd.exe	38
PID 1660 wrote to memory of 1252	1660	hosts.exe	37
PID 1660 wrote to memory of 1252	1660	hosts.exe	37
PID 1660 wrote to memory of 1252	1660	hosts.exe	37
PID 1660 wrote to memory of 1252	1660	hosts.exe	37
PID 1340 wrote to memory of 1540	1340	cmd.exe	39
PID 1340 wrote to memory of 1540	1340	cmd.exe	39
PID 1340 wrote to memory of 1540	1340	cmd.exe	39
PID 1340 wrote to memory of 1540	1340	cmd.exe	39
PID 1660 wrote to memory of 1800	1660	hosts.exe	40
PID 1660 wrote to memory of 1800	1660	hosts.exe	40
PID 1660 wrote to memory of 1800	1660	hosts.exe	40
PID 1660 wrote to memory of 1800	1660	hosts.exe	40
PID 1800 wrote to memory of 1064	1800	cmd.exe	42
PID 1800 wrote to memory of 1064	1800	cmd.exe	42
PID 1800 wrote to memory of 1064	1800	cmd.exe	42
PID 1800 wrote to memory of 1064	1800	cmd.exe	42
PID 1800 wrote to memory of 1528	1800	cmd.exe	43
PID 1800 wrote to memory of 1528	1800	cmd.exe	43
PID 1800 wrote to memory of 1528	1800	cmd.exe	43
PID 1800 wrote to memory of 1528	1800	cmd.exe	43
PID 848 wrote to memory of 988	848	avscan.exe	44
PID 848 wrote to memory of 988	848	avscan.exe	44
PID 848 wrote to memory of 988	848	avscan.exe	44
PID 848 wrote to memory of 988	848	avscan.exe	44
PID 1660 wrote to memory of 968	1660	hosts.exe	46
PID 1660 wrote to memory of 968	1660	hosts.exe	46
PID 1660 wrote to memory of 968	1660	hosts.exe	46
PID 1660 wrote to memory of 968	1660	hosts.exe	46

C:\Users\Admin\AppData\Local\Temp\876b8c0116eb2288cd9a767b74f308b996342f38c67804018b846aee5ba9c3af.exe
"C:\Users\Admin\AppData\Local\Temp\876b8c0116eb2288cd9a767b74f308b996342f38c67804018b846aee5ba9c3af.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:1360
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1676
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:904
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Executes dropped EXE
      PID:592
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:988
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1252
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\W_X_C.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1800
    - - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1064
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        5⤵
        Adds policy Run key to start application
        
        PID:1528
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:968
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:108
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:1540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
487KB

MD5
532d97f38d5ba6cc7e80994c68c19a0b

SHA1
95d6f245f96c27909085488c4e1068375e406c1d

SHA256
8d36da520138a8fea54065bfef97fc9ae7635d3e8f46f6d0c5388c5f3fa9ab23

SHA512
70bec366b3ea593100a6888135245f55dc8844134ae41708db0fd43a95ea3cf6a331b2c1d0c00cc8c498de3eaa3b3a42285e1453ac3c1c1fc9dd196cfb778c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
707KB

MD5
1540d30c6639f7820feec291ebe10cd2

SHA1
b779907b3a77bc9f89dbb862afa61f67da53971e

SHA256
29fd52446d3b4ff0548f5e5deb36a99ac29d4e0e450b78e70f54d66d9559de90

SHA512
8eb26d504dade1f3ae7ac9821d832ac4b064893d2f9f61eeb6cc2436041d4fe4b9ae3267dbdd5155db98b7ffed7cf9842dadc177e3bdf6a03ce87375dcd99019

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
927KB

MD5
32432beffe16856ea67b88303c7e34f8

SHA1
5b018fb71fa10be4bebed41341a272f9e4fae4ba

SHA256
21635e498dfa7e41b2395f28d1830a6c5135cc1750bd98fc4546727ba03cb325

SHA512
e4c51768204eef222de667f43379febbc045431c8396ac99b104e85437efb8b8be0ab1246309301432e92dfc36073285775e2ebb9742b9580dc72c8230965001

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
219KB

MD5
756e70e720a9c8926c1f0135a30957ad

SHA1
80077d4942083275e0794e14216a436d61b90044

SHA256
42e5fc4203394889a1f9f156582a2afb1749e2a0a23638ede26a0b7a8eda65b0

SHA512
31d162c4b75a6ab5b09d351f4945cd4c3f7c32ee7f96fd98e05f9f10c19854d13b1a1c8eb615703e36bf3667a5cd7c10b6ddf6d833efdc5988d87ccb69b23550

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
219KB

MD5
756e70e720a9c8926c1f0135a30957ad

SHA1
80077d4942083275e0794e14216a436d61b90044

SHA256
42e5fc4203394889a1f9f156582a2afb1749e2a0a23638ede26a0b7a8eda65b0

SHA512
31d162c4b75a6ab5b09d351f4945cd4c3f7c32ee7f96fd98e05f9f10c19854d13b1a1c8eb615703e36bf3667a5cd7c10b6ddf6d833efdc5988d87ccb69b23550

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
219KB

MD5
756e70e720a9c8926c1f0135a30957ad

SHA1
80077d4942083275e0794e14216a436d61b90044

SHA256
42e5fc4203394889a1f9f156582a2afb1749e2a0a23638ede26a0b7a8eda65b0

SHA512
31d162c4b75a6ab5b09d351f4945cd4c3f7c32ee7f96fd98e05f9f10c19854d13b1a1c8eb615703e36bf3667a5cd7c10b6ddf6d833efdc5988d87ccb69b23550

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
219KB

MD5
756e70e720a9c8926c1f0135a30957ad

SHA1
80077d4942083275e0794e14216a436d61b90044

SHA256
42e5fc4203394889a1f9f156582a2afb1749e2a0a23638ede26a0b7a8eda65b0

SHA512
31d162c4b75a6ab5b09d351f4945cd4c3f7c32ee7f96fd98e05f9f10c19854d13b1a1c8eb615703e36bf3667a5cd7c10b6ddf6d833efdc5988d87ccb69b23550

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
b147c267b47c4a6cfa3a72c41407541b

SHA1
062231bf7639b26f92e6d5ef78d515f8eaa9639d

SHA256
c9b7b5b912ab24c729de962727ac33835dd58f17754f9368ac702b9987f3baf6

SHA512
4f646fee7eaa29f33604b3f349b3d90a65bec39fdbe80bac6dcd2cd67b17475e51f833a66a5207d3008fede867792605bab132d6672e206bfefaa83aa344ac64

Download Submit
C:\Windows\hosts.exe

Filesize
219KB

MD5
9b05052d3b996f9dd934f46578f3c6d9

SHA1
6b1c3eb8a4430acf6418f7278cd792a82faecade

SHA256
c4308ab23e9af4a47dae84eb980287699aaaf5c10e9284c393ce923c7b54be9e

SHA512
a90d19740e1dbdfdcc8ea9d3c144d146d45cab0ae2b4128f35de2d9d97c823092f7a4916f064afd0a84d853a887943655d3f7ddd62ab40b287be8c1d8b8e6c2f

Download Submit
C:\Windows\hosts.exe

Filesize
219KB

MD5
9b05052d3b996f9dd934f46578f3c6d9

SHA1
6b1c3eb8a4430acf6418f7278cd792a82faecade

SHA256
c4308ab23e9af4a47dae84eb980287699aaaf5c10e9284c393ce923c7b54be9e

SHA512
a90d19740e1dbdfdcc8ea9d3c144d146d45cab0ae2b4128f35de2d9d97c823092f7a4916f064afd0a84d853a887943655d3f7ddd62ab40b287be8c1d8b8e6c2f

Download Submit
C:\Windows\hosts.exe

Filesize
219KB

MD5
9b05052d3b996f9dd934f46578f3c6d9

SHA1
6b1c3eb8a4430acf6418f7278cd792a82faecade

SHA256
c4308ab23e9af4a47dae84eb980287699aaaf5c10e9284c393ce923c7b54be9e

SHA512
a90d19740e1dbdfdcc8ea9d3c144d146d45cab0ae2b4128f35de2d9d97c823092f7a4916f064afd0a84d853a887943655d3f7ddd62ab40b287be8c1d8b8e6c2f

Download Submit
C:\Windows\hosts.exe

Filesize
219KB

MD5
9b05052d3b996f9dd934f46578f3c6d9

SHA1
6b1c3eb8a4430acf6418f7278cd792a82faecade

SHA256
c4308ab23e9af4a47dae84eb980287699aaaf5c10e9284c393ce923c7b54be9e

SHA512
a90d19740e1dbdfdcc8ea9d3c144d146d45cab0ae2b4128f35de2d9d97c823092f7a4916f064afd0a84d853a887943655d3f7ddd62ab40b287be8c1d8b8e6c2f

Download Submit
C:\windows\hosts.exe

Filesize
219KB

MD5
9b05052d3b996f9dd934f46578f3c6d9

SHA1
6b1c3eb8a4430acf6418f7278cd792a82faecade

SHA256
c4308ab23e9af4a47dae84eb980287699aaaf5c10e9284c393ce923c7b54be9e

SHA512
a90d19740e1dbdfdcc8ea9d3c144d146d45cab0ae2b4128f35de2d9d97c823092f7a4916f064afd0a84d853a887943655d3f7ddd62ab40b287be8c1d8b8e6c2f

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
219KB

MD5
756e70e720a9c8926c1f0135a30957ad

SHA1
80077d4942083275e0794e14216a436d61b90044

SHA256
42e5fc4203394889a1f9f156582a2afb1749e2a0a23638ede26a0b7a8eda65b0

SHA512
31d162c4b75a6ab5b09d351f4945cd4c3f7c32ee7f96fd98e05f9f10c19854d13b1a1c8eb615703e36bf3667a5cd7c10b6ddf6d833efdc5988d87ccb69b23550

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
219KB

MD5
756e70e720a9c8926c1f0135a30957ad

SHA1
80077d4942083275e0794e14216a436d61b90044

SHA256
42e5fc4203394889a1f9f156582a2afb1749e2a0a23638ede26a0b7a8eda65b0

SHA512
31d162c4b75a6ab5b09d351f4945cd4c3f7c32ee7f96fd98e05f9f10c19854d13b1a1c8eb615703e36bf3667a5cd7c10b6ddf6d833efdc5988d87ccb69b23550

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
219KB

MD5
756e70e720a9c8926c1f0135a30957ad

SHA1
80077d4942083275e0794e14216a436d61b90044

SHA256
42e5fc4203394889a1f9f156582a2afb1749e2a0a23638ede26a0b7a8eda65b0

SHA512
31d162c4b75a6ab5b09d351f4945cd4c3f7c32ee7f96fd98e05f9f10c19854d13b1a1c8eb615703e36bf3667a5cd7c10b6ddf6d833efdc5988d87ccb69b23550

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
219KB

MD5
756e70e720a9c8926c1f0135a30957ad

SHA1
80077d4942083275e0794e14216a436d61b90044

SHA256
42e5fc4203394889a1f9f156582a2afb1749e2a0a23638ede26a0b7a8eda65b0

SHA512
31d162c4b75a6ab5b09d351f4945cd4c3f7c32ee7f96fd98e05f9f10c19854d13b1a1c8eb615703e36bf3667a5cd7c10b6ddf6d833efdc5988d87ccb69b23550

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
219KB

MD5
756e70e720a9c8926c1f0135a30957ad

SHA1
80077d4942083275e0794e14216a436d61b90044

SHA256
42e5fc4203394889a1f9f156582a2afb1749e2a0a23638ede26a0b7a8eda65b0

SHA512
31d162c4b75a6ab5b09d351f4945cd4c3f7c32ee7f96fd98e05f9f10c19854d13b1a1c8eb615703e36bf3667a5cd7c10b6ddf6d833efdc5988d87ccb69b23550

Download Submit
memory/1860-56-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download
memory/1860-58-0x0000000074551000-0x0000000074553000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads