3081f9e3911dabb12f84383505bea1357f83d88bc7f43cd02290dd20517e4ea7

Analysis

max time kernel
125s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
04/10/2022, 06:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3081f9e3911dabb12f84383505bea1357f83d88bc7f43cd02290dd20517e4ea7.exe
Size

351KB
MD5

107faaa6586fb452db43fe8876a95da2
SHA1

829113fe332ca607f165c4e9b5fd92645e54b625
SHA256

3081f9e3911dabb12f84383505bea1357f83d88bc7f43cd02290dd20517e4ea7
SHA512

40d387e6da5565a063415d17c0b34441504e4a610c5d461bd1a26ca128a859a8e96477ba88544d022b6c59d8bd59b385398cd851fbbf4939b8772342785ed162
SSDEEP

3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCm/DEtJoObpDCw1p3vmLvsZIaVwiwDcIbDHd:gDCwfG1bnxLEfvDCwfG1bnxLEfwXz

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	3081f9e3911dabb12f84383505bea1357f83d88bc7f43cd02290dd20517e4ea7.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	3081f9e3911dabb12f84383505bea1357f83d88bc7f43cd02290dd20517e4ea7.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RYNKSFQE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RYNKSFQE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RYNKSFQE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
472	avscan.exe
1708	avscan.exe
1324	hosts.exe
904	hosts.exe
596	avscan.exe
1888	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
1376	3081f9e3911dabb12f84383505bea1357f83d88bc7f43cd02290dd20517e4ea7.exe
1376	3081f9e3911dabb12f84383505bea1357f83d88bc7f43cd02290dd20517e4ea7.exe
472	avscan.exe
904	hosts.exe
904	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	3081f9e3911dabb12f84383505bea1357f83d88bc7f43cd02290dd20517e4ea7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	3081f9e3911dabb12f84383505bea1357f83d88bc7f43cd02290dd20517e4ea7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\W_X_C.vbs	3081f9e3911dabb12f84383505bea1357f83d88bc7f43cd02290dd20517e4ea7.exe
File created	\??\c:\windows\W_X_C.bat	3081f9e3911dabb12f84383505bea1357f83d88bc7f43cd02290dd20517e4ea7.exe
File opened for modification	C:\Windows\hosts.exe	3081f9e3911dabb12f84383505bea1357f83d88bc7f43cd02290dd20517e4ea7.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
1620	REG.exe
1376	REG.exe
584	REG.exe
1952	REG.exe
1880	REG.exe
1972	REG.exe
996	REG.exe
1232	REG.exe
1704	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
472	avscan.exe
904	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1376	3081f9e3911dabb12f84383505bea1357f83d88bc7f43cd02290dd20517e4ea7.exe
472	avscan.exe
1708	avscan.exe
1324	hosts.exe
904	hosts.exe
596	avscan.exe
1888	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 1952	1376	3081f9e3911dabb12f84383505bea1357f83d88bc7f43cd02290dd20517e4ea7.exe	26
PID 1376 wrote to memory of 1952	1376	3081f9e3911dabb12f84383505bea1357f83d88bc7f43cd02290dd20517e4ea7.exe	26
PID 1376 wrote to memory of 1952	1376	3081f9e3911dabb12f84383505bea1357f83d88bc7f43cd02290dd20517e4ea7.exe	26
PID 1376 wrote to memory of 1952	1376	3081f9e3911dabb12f84383505bea1357f83d88bc7f43cd02290dd20517e4ea7.exe	26
PID 1376 wrote to memory of 472	1376	3081f9e3911dabb12f84383505bea1357f83d88bc7f43cd02290dd20517e4ea7.exe	28
PID 1376 wrote to memory of 472	1376	3081f9e3911dabb12f84383505bea1357f83d88bc7f43cd02290dd20517e4ea7.exe	28
PID 1376 wrote to memory of 472	1376	3081f9e3911dabb12f84383505bea1357f83d88bc7f43cd02290dd20517e4ea7.exe	28
PID 1376 wrote to memory of 472	1376	3081f9e3911dabb12f84383505bea1357f83d88bc7f43cd02290dd20517e4ea7.exe	28
PID 472 wrote to memory of 1708	472	avscan.exe	29
PID 472 wrote to memory of 1708	472	avscan.exe	29
PID 472 wrote to memory of 1708	472	avscan.exe	29
PID 472 wrote to memory of 1708	472	avscan.exe	29
PID 472 wrote to memory of 1744	472	avscan.exe	32
PID 472 wrote to memory of 1744	472	avscan.exe	32
PID 472 wrote to memory of 1744	472	avscan.exe	32
PID 472 wrote to memory of 1744	472	avscan.exe	32
PID 1376 wrote to memory of 1064	1376	3081f9e3911dabb12f84383505bea1357f83d88bc7f43cd02290dd20517e4ea7.exe	31
PID 1376 wrote to memory of 1064	1376	3081f9e3911dabb12f84383505bea1357f83d88bc7f43cd02290dd20517e4ea7.exe	31
PID 1376 wrote to memory of 1064	1376	3081f9e3911dabb12f84383505bea1357f83d88bc7f43cd02290dd20517e4ea7.exe	31
PID 1376 wrote to memory of 1064	1376	3081f9e3911dabb12f84383505bea1357f83d88bc7f43cd02290dd20517e4ea7.exe	31
PID 1744 wrote to memory of 904	1744	cmd.exe	34
PID 1744 wrote to memory of 904	1744	cmd.exe	34
PID 1744 wrote to memory of 904	1744	cmd.exe	34
PID 1744 wrote to memory of 904	1744	cmd.exe	34
PID 1064 wrote to memory of 1324	1064	cmd.exe	35
PID 1064 wrote to memory of 1324	1064	cmd.exe	35
PID 1064 wrote to memory of 1324	1064	cmd.exe	35
PID 1064 wrote to memory of 1324	1064	cmd.exe	35
PID 904 wrote to memory of 596	904	hosts.exe	36
PID 904 wrote to memory of 596	904	hosts.exe	36
PID 904 wrote to memory of 596	904	hosts.exe	36
PID 904 wrote to memory of 596	904	hosts.exe	36
PID 1744 wrote to memory of 2028	1744	cmd.exe	37
PID 1744 wrote to memory of 2028	1744	cmd.exe	37
PID 1744 wrote to memory of 2028	1744	cmd.exe	37
PID 1744 wrote to memory of 2028	1744	cmd.exe	37
PID 1064 wrote to memory of 1876	1064	cmd.exe	38
PID 1064 wrote to memory of 1876	1064	cmd.exe	38
PID 1064 wrote to memory of 1876	1064	cmd.exe	38
PID 1064 wrote to memory of 1876	1064	cmd.exe	38
PID 904 wrote to memory of 1936	904	hosts.exe	39
PID 904 wrote to memory of 1936	904	hosts.exe	39
PID 904 wrote to memory of 1936	904	hosts.exe	39
PID 904 wrote to memory of 1936	904	hosts.exe	39
PID 1936 wrote to memory of 1888	1936	cmd.exe	41
PID 1936 wrote to memory of 1888	1936	cmd.exe	41
PID 1936 wrote to memory of 1888	1936	cmd.exe	41
PID 1936 wrote to memory of 1888	1936	cmd.exe	41
PID 1936 wrote to memory of 1812	1936	cmd.exe	42
PID 1936 wrote to memory of 1812	1936	cmd.exe	42
PID 1936 wrote to memory of 1812	1936	cmd.exe	42
PID 1936 wrote to memory of 1812	1936	cmd.exe	42
PID 472 wrote to memory of 1880	472	avscan.exe	43
PID 472 wrote to memory of 1880	472	avscan.exe	43
PID 472 wrote to memory of 1880	472	avscan.exe	43
PID 472 wrote to memory of 1880	472	avscan.exe	43
PID 904 wrote to memory of 1972	904	hosts.exe	45
PID 904 wrote to memory of 1972	904	hosts.exe	45
PID 904 wrote to memory of 1972	904	hosts.exe	45
PID 904 wrote to memory of 1972	904	hosts.exe	45
PID 472 wrote to memory of 996	472	avscan.exe	47
PID 472 wrote to memory of 996	472	avscan.exe	47
PID 472 wrote to memory of 996	472	avscan.exe	47
PID 472 wrote to memory of 996	472	avscan.exe	47

C:\Users\Admin\AppData\Local\Temp\3081f9e3911dabb12f84383505bea1357f83d88bc7f43cd02290dd20517e4ea7.exe
"C:\Users\Admin\AppData\Local\Temp\3081f9e3911dabb12f84383505bea1357f83d88bc7f43cd02290dd20517e4ea7.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:1952
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:472
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:904
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:596
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\W_X_C.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1936
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1888
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:1812
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1972
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1232
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1620
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:584
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:2028
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1880
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:996
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1704
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1376
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1324
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:1876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
751KB

MD5
dcd87b4f40226b21f5370856ac18f33e

SHA1
9670005cc21ad6213ebe692934f74bca1cedfbc1

SHA256
ee423540a614e40c60a8497cf0047a08367ada6ab32e7dd933d73ffeb1ec100c

SHA512
963254b3996fd7274fa7319a3db3d5db4da2c5c54d626fbabbdf946beca075fd0c32bd8951e03c5c5e4cfc8173c670326427dbf297172de722792cc5d9609fc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.4MB

MD5
bbeb641b595c14540b0519c910312752

SHA1
b8a75b2b3a43e23fd156262e18616a2fe04cbac0

SHA256
2be3aae8f54152096cd7fd1d2da64ff3ebff3e403be67a0c64e19fc509552802

SHA512
37b785e02ec01c2d2fae1076f74ad6f52b7ccfc146d050e746c73054422b6149c709108d9d6ef70a1eba57f373a2506c93210d5953e4b6cf33d7956f2b190928

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.1MB

MD5
0a2def08533508d4d4e7e5f1f1912718

SHA1
6ce560707ab0fbd0deaec5eba78b6b22ef7d3985

SHA256
40eeed92ad13feead725deccca9e010d12c6cc5f2bc3550079de90a52b3cb18b

SHA512
00a5063cd628f890694b7df541cadec3299df5827f4bf6d8fb1296f0e3c09173dcc83da08f96881e1231065f7144c6c2b01cc6060332a2f00438b66ddcc42d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.5MB

MD5
6e620b9aa5b2972c11ffb242049570d4

SHA1
e39735fe9bd8f7a33ccffecab4f9677c60f7b5ef

SHA256
4af7eda4b765bd215663f4b4306ff218c9c2dabe2c4badadde91fe458c808515

SHA512
21fa1c64cd9e261f36a63c8eed496ffbab7d198303b7934e48342ba859f9b791e15cd844af2b6fc022e923acd6976087ec94f4473f4e151dcd9428bf692123e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.5MB

MD5
6e620b9aa5b2972c11ffb242049570d4

SHA1
e39735fe9bd8f7a33ccffecab4f9677c60f7b5ef

SHA256
4af7eda4b765bd215663f4b4306ff218c9c2dabe2c4badadde91fe458c808515

SHA512
21fa1c64cd9e261f36a63c8eed496ffbab7d198303b7934e48342ba859f9b791e15cd844af2b6fc022e923acd6976087ec94f4473f4e151dcd9428bf692123e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
351KB

MD5
18c6553052b36d809a6cff5a476b05b8

SHA1
264534d49d7116ef3cdff5254e5c3a7d6b7a5a9d

SHA256
82ea4c0f9eb20535ec9a25d3f6ed8b281f6e4b0a22a7157e2a9c38456a44ddde

SHA512
538e72604f645197f55c568a9e02d02261be22f79981c27f7606c1b5e462fdf04b115e4f359a30b6c1a9faf451ac6f5ff20f34194d8e2cf84cf82beaa6ee4442

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
351KB

MD5
18c6553052b36d809a6cff5a476b05b8

SHA1
264534d49d7116ef3cdff5254e5c3a7d6b7a5a9d

SHA256
82ea4c0f9eb20535ec9a25d3f6ed8b281f6e4b0a22a7157e2a9c38456a44ddde

SHA512
538e72604f645197f55c568a9e02d02261be22f79981c27f7606c1b5e462fdf04b115e4f359a30b6c1a9faf451ac6f5ff20f34194d8e2cf84cf82beaa6ee4442

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
351KB

MD5
18c6553052b36d809a6cff5a476b05b8

SHA1
264534d49d7116ef3cdff5254e5c3a7d6b7a5a9d

SHA256
82ea4c0f9eb20535ec9a25d3f6ed8b281f6e4b0a22a7157e2a9c38456a44ddde

SHA512
538e72604f645197f55c568a9e02d02261be22f79981c27f7606c1b5e462fdf04b115e4f359a30b6c1a9faf451ac6f5ff20f34194d8e2cf84cf82beaa6ee4442

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
351KB

MD5
18c6553052b36d809a6cff5a476b05b8

SHA1
264534d49d7116ef3cdff5254e5c3a7d6b7a5a9d

SHA256
82ea4c0f9eb20535ec9a25d3f6ed8b281f6e4b0a22a7157e2a9c38456a44ddde

SHA512
538e72604f645197f55c568a9e02d02261be22f79981c27f7606c1b5e462fdf04b115e4f359a30b6c1a9faf451ac6f5ff20f34194d8e2cf84cf82beaa6ee4442

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
8efab902a61f6cddc318bb5818c2f2e0

SHA1
9608751279ae04ba710d84c61e3937c12950b393

SHA256
a81d0e86c651ead3e4d9c7f64e637006e787c81c8ba3e784648c2786306bfb87

SHA512
aabd0e45609a39584c68c35e16124b399e9a4932bf6c98c22aa8c6ff71b2fbfc80333102960fcfca1abb38b344245f9cdf4cdc0c827c48235f618011a5fbfe18

Download Submit
C:\Windows\hosts.exe

Filesize
351KB

MD5
237ce1403c73be991c8b1176b4c261c1

SHA1
04ebc8b586b23a58fc1149658a69b3f95495869f

SHA256
689ca241c1d2833516882b0fe596cd7afdecaf307dd233733ce32d1634e0d7e8

SHA512
847fdeb439ba4a032be551a2be8f20d3e759a4fb738282b716fb807b1d34f153ff6c50f46ec09e91f541bbf9c6ac4df2fc3c8cd4a9404a8664f521b4b9d785aa

Download Submit
C:\Windows\hosts.exe

Filesize
351KB

MD5
237ce1403c73be991c8b1176b4c261c1

SHA1
04ebc8b586b23a58fc1149658a69b3f95495869f

SHA256
689ca241c1d2833516882b0fe596cd7afdecaf307dd233733ce32d1634e0d7e8

SHA512
847fdeb439ba4a032be551a2be8f20d3e759a4fb738282b716fb807b1d34f153ff6c50f46ec09e91f541bbf9c6ac4df2fc3c8cd4a9404a8664f521b4b9d785aa

Download Submit
C:\Windows\hosts.exe

Filesize
351KB

MD5
237ce1403c73be991c8b1176b4c261c1

SHA1
04ebc8b586b23a58fc1149658a69b3f95495869f

SHA256
689ca241c1d2833516882b0fe596cd7afdecaf307dd233733ce32d1634e0d7e8

SHA512
847fdeb439ba4a032be551a2be8f20d3e759a4fb738282b716fb807b1d34f153ff6c50f46ec09e91f541bbf9c6ac4df2fc3c8cd4a9404a8664f521b4b9d785aa

Download Submit
C:\Windows\hosts.exe

Filesize
351KB

MD5
237ce1403c73be991c8b1176b4c261c1

SHA1
04ebc8b586b23a58fc1149658a69b3f95495869f

SHA256
689ca241c1d2833516882b0fe596cd7afdecaf307dd233733ce32d1634e0d7e8

SHA512
847fdeb439ba4a032be551a2be8f20d3e759a4fb738282b716fb807b1d34f153ff6c50f46ec09e91f541bbf9c6ac4df2fc3c8cd4a9404a8664f521b4b9d785aa

Download Submit
C:\windows\hosts.exe

Filesize
351KB

MD5
237ce1403c73be991c8b1176b4c261c1

SHA1
04ebc8b586b23a58fc1149658a69b3f95495869f

SHA256
689ca241c1d2833516882b0fe596cd7afdecaf307dd233733ce32d1634e0d7e8

SHA512
847fdeb439ba4a032be551a2be8f20d3e759a4fb738282b716fb807b1d34f153ff6c50f46ec09e91f541bbf9c6ac4df2fc3c8cd4a9404a8664f521b4b9d785aa

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
351KB

MD5
18c6553052b36d809a6cff5a476b05b8

SHA1
264534d49d7116ef3cdff5254e5c3a7d6b7a5a9d

SHA256
82ea4c0f9eb20535ec9a25d3f6ed8b281f6e4b0a22a7157e2a9c38456a44ddde

SHA512
538e72604f645197f55c568a9e02d02261be22f79981c27f7606c1b5e462fdf04b115e4f359a30b6c1a9faf451ac6f5ff20f34194d8e2cf84cf82beaa6ee4442

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
351KB

MD5
18c6553052b36d809a6cff5a476b05b8

SHA1
264534d49d7116ef3cdff5254e5c3a7d6b7a5a9d

SHA256
82ea4c0f9eb20535ec9a25d3f6ed8b281f6e4b0a22a7157e2a9c38456a44ddde

SHA512
538e72604f645197f55c568a9e02d02261be22f79981c27f7606c1b5e462fdf04b115e4f359a30b6c1a9faf451ac6f5ff20f34194d8e2cf84cf82beaa6ee4442

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
351KB

MD5
18c6553052b36d809a6cff5a476b05b8

SHA1
264534d49d7116ef3cdff5254e5c3a7d6b7a5a9d

SHA256
82ea4c0f9eb20535ec9a25d3f6ed8b281f6e4b0a22a7157e2a9c38456a44ddde

SHA512
538e72604f645197f55c568a9e02d02261be22f79981c27f7606c1b5e462fdf04b115e4f359a30b6c1a9faf451ac6f5ff20f34194d8e2cf84cf82beaa6ee4442

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
351KB

MD5
18c6553052b36d809a6cff5a476b05b8

SHA1
264534d49d7116ef3cdff5254e5c3a7d6b7a5a9d

SHA256
82ea4c0f9eb20535ec9a25d3f6ed8b281f6e4b0a22a7157e2a9c38456a44ddde

SHA512
538e72604f645197f55c568a9e02d02261be22f79981c27f7606c1b5e462fdf04b115e4f359a30b6c1a9faf451ac6f5ff20f34194d8e2cf84cf82beaa6ee4442

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
351KB

MD5
18c6553052b36d809a6cff5a476b05b8

SHA1
264534d49d7116ef3cdff5254e5c3a7d6b7a5a9d

SHA256
82ea4c0f9eb20535ec9a25d3f6ed8b281f6e4b0a22a7157e2a9c38456a44ddde

SHA512
538e72604f645197f55c568a9e02d02261be22f79981c27f7606c1b5e462fdf04b115e4f359a30b6c1a9faf451ac6f5ff20f34194d8e2cf84cf82beaa6ee4442

Download Submit
memory/1376-58-0x00000000745E1000-0x00000000745E3000-memory.dmp

Filesize
8KB

Download
memory/1376-56-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads