1aef7435075ad557a69ecf5035909f71727d8d041793434ba6f1881eaa1c66ce

Analysis

max time kernel
128s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-10-2022 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1aef7435075ad557a69ecf5035909f71727d8d041793434ba6f1881eaa1c66ce.exe
Size

171KB
MD5

39cef4688d19860be64c672b4f7ca770
SHA1

dd4bd21431386d5f474c460255760ebad566ce20
SHA256

1aef7435075ad557a69ecf5035909f71727d8d041793434ba6f1881eaa1c66ce
SHA512

8a1f038d75122b665034cc54d04d40fe53a7ad3589cd7131446acca93b6ae03abc73b2aee1202df43698ab3f32fddf161bd830a16fd1ff6474dc918ebffd6228
SSDEEP

3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCmzy8J1ywvOs:gDCwfG1bnxG8DBvOs

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	1aef7435075ad557a69ecf5035909f71727d8d041793434ba6f1881eaa1c66ce.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	1aef7435075ad557a69ecf5035909f71727d8d041793434ba6f1881eaa1c66ce.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZERMMMDR = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZERMMMDR = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZERMMMDR = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
1736	avscan.exe
896	avscan.exe
820	hosts.exe
960	hosts.exe
1748	avscan.exe
560	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
1388	1aef7435075ad557a69ecf5035909f71727d8d041793434ba6f1881eaa1c66ce.exe
1388	1aef7435075ad557a69ecf5035909f71727d8d041793434ba6f1881eaa1c66ce.exe
1736	avscan.exe
820	hosts.exe
820	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	1aef7435075ad557a69ecf5035909f71727d8d041793434ba6f1881eaa1c66ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	1aef7435075ad557a69ecf5035909f71727d8d041793434ba6f1881eaa1c66ce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	\??\c:\windows\W_X_C.bat	1aef7435075ad557a69ecf5035909f71727d8d041793434ba6f1881eaa1c66ce.exe
File opened for modification	C:\Windows\hosts.exe	1aef7435075ad557a69ecf5035909f71727d8d041793434ba6f1881eaa1c66ce.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	1aef7435075ad557a69ecf5035909f71727d8d041793434ba6f1881eaa1c66ce.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
1456	REG.exe
1584	REG.exe
628	REG.exe
1112	REG.exe
1416	REG.exe
2028	REG.exe
1960	REG.exe
1332	REG.exe
996	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1736	avscan.exe
820	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1388	1aef7435075ad557a69ecf5035909f71727d8d041793434ba6f1881eaa1c66ce.exe
1736	avscan.exe
896	avscan.exe
960	hosts.exe
820	hosts.exe
1748	avscan.exe
560	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 996	1388	1aef7435075ad557a69ecf5035909f71727d8d041793434ba6f1881eaa1c66ce.exe	27
PID 1388 wrote to memory of 996	1388	1aef7435075ad557a69ecf5035909f71727d8d041793434ba6f1881eaa1c66ce.exe	27
PID 1388 wrote to memory of 996	1388	1aef7435075ad557a69ecf5035909f71727d8d041793434ba6f1881eaa1c66ce.exe	27
PID 1388 wrote to memory of 996	1388	1aef7435075ad557a69ecf5035909f71727d8d041793434ba6f1881eaa1c66ce.exe	27
PID 1388 wrote to memory of 1736	1388	1aef7435075ad557a69ecf5035909f71727d8d041793434ba6f1881eaa1c66ce.exe	29
PID 1388 wrote to memory of 1736	1388	1aef7435075ad557a69ecf5035909f71727d8d041793434ba6f1881eaa1c66ce.exe	29
PID 1388 wrote to memory of 1736	1388	1aef7435075ad557a69ecf5035909f71727d8d041793434ba6f1881eaa1c66ce.exe	29
PID 1388 wrote to memory of 1736	1388	1aef7435075ad557a69ecf5035909f71727d8d041793434ba6f1881eaa1c66ce.exe	29
PID 1736 wrote to memory of 896	1736	avscan.exe	30
PID 1736 wrote to memory of 896	1736	avscan.exe	30
PID 1736 wrote to memory of 896	1736	avscan.exe	30
PID 1736 wrote to memory of 896	1736	avscan.exe	30
PID 1736 wrote to memory of 1712	1736	avscan.exe	31
PID 1736 wrote to memory of 1712	1736	avscan.exe	31
PID 1736 wrote to memory of 1712	1736	avscan.exe	31
PID 1736 wrote to memory of 1712	1736	avscan.exe	31
PID 1388 wrote to memory of 1912	1388	1aef7435075ad557a69ecf5035909f71727d8d041793434ba6f1881eaa1c66ce.exe	32
PID 1388 wrote to memory of 1912	1388	1aef7435075ad557a69ecf5035909f71727d8d041793434ba6f1881eaa1c66ce.exe	32
PID 1388 wrote to memory of 1912	1388	1aef7435075ad557a69ecf5035909f71727d8d041793434ba6f1881eaa1c66ce.exe	32
PID 1388 wrote to memory of 1912	1388	1aef7435075ad557a69ecf5035909f71727d8d041793434ba6f1881eaa1c66ce.exe	32
PID 1712 wrote to memory of 820	1712	cmd.exe	35
PID 1712 wrote to memory of 820	1712	cmd.exe	35
PID 1712 wrote to memory of 820	1712	cmd.exe	35
PID 1712 wrote to memory of 820	1712	cmd.exe	35
PID 1912 wrote to memory of 960	1912	cmd.exe	36
PID 1912 wrote to memory of 960	1912	cmd.exe	36
PID 1912 wrote to memory of 960	1912	cmd.exe	36
PID 1912 wrote to memory of 960	1912	cmd.exe	36
PID 1712 wrote to memory of 516	1712	cmd.exe	37
PID 1712 wrote to memory of 516	1712	cmd.exe	37
PID 1712 wrote to memory of 516	1712	cmd.exe	37
PID 1712 wrote to memory of 516	1712	cmd.exe	37
PID 1912 wrote to memory of 1180	1912	cmd.exe	38
PID 1912 wrote to memory of 1180	1912	cmd.exe	38
PID 1912 wrote to memory of 1180	1912	cmd.exe	38
PID 1912 wrote to memory of 1180	1912	cmd.exe	38
PID 820 wrote to memory of 1748	820	hosts.exe	39
PID 820 wrote to memory of 1748	820	hosts.exe	39
PID 820 wrote to memory of 1748	820	hosts.exe	39
PID 820 wrote to memory of 1748	820	hosts.exe	39
PID 820 wrote to memory of 836	820	hosts.exe	40
PID 820 wrote to memory of 836	820	hosts.exe	40
PID 820 wrote to memory of 836	820	hosts.exe	40
PID 820 wrote to memory of 836	820	hosts.exe	40
PID 836 wrote to memory of 560	836	cmd.exe	42
PID 836 wrote to memory of 560	836	cmd.exe	42
PID 836 wrote to memory of 560	836	cmd.exe	42
PID 836 wrote to memory of 560	836	cmd.exe	42
PID 836 wrote to memory of 1264	836	cmd.exe	43
PID 836 wrote to memory of 1264	836	cmd.exe	43
PID 836 wrote to memory of 1264	836	cmd.exe	43
PID 836 wrote to memory of 1264	836	cmd.exe	43
PID 1736 wrote to memory of 1416	1736	avscan.exe	45
PID 1736 wrote to memory of 1416	1736	avscan.exe	45
PID 1736 wrote to memory of 1416	1736	avscan.exe	45
PID 1736 wrote to memory of 1416	1736	avscan.exe	45
PID 820 wrote to memory of 1456	820	hosts.exe	46
PID 820 wrote to memory of 1456	820	hosts.exe	46
PID 820 wrote to memory of 1456	820	hosts.exe	46
PID 820 wrote to memory of 1456	820	hosts.exe	46
PID 1736 wrote to memory of 1584	1736	avscan.exe	48
PID 1736 wrote to memory of 1584	1736	avscan.exe	48
PID 1736 wrote to memory of 1584	1736	avscan.exe	48
PID 1736 wrote to memory of 1584	1736	avscan.exe	48

C:\Users\Admin\AppData\Local\Temp\1aef7435075ad557a69ecf5035909f71727d8d041793434ba6f1881eaa1c66ce.exe
"C:\Users\Admin\AppData\Local\Temp\1aef7435075ad557a69ecf5035909f71727d8d041793434ba6f1881eaa1c66ce.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:996
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:896
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:820
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1748
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\W_X_C.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:836
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:560
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:1264
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1456
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:2028
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:628
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1112
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:516
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1416
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1584
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1960
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:960
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:1180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
390KB

MD5
32d5c3573cd526028fb7db1e752d4e0a

SHA1
233ea02b4e602024900881b89fc7826316130743

SHA256
a8d72f81da11d3c340b3200b00908fc20c551db1cc80bb634f638c514c728851

SHA512
7308eb6148ea11fb36bd66fc153bf33fc957b0940eb884ec2c4172329484870718226593120dd880b029675be8fb81f05a6b90be439b545da3b7dc0b72319bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
561KB

MD5
5285051242f4872582c4908ac106db1a

SHA1
da307f0a6c9642c400742edd37243a2dcb456b7e

SHA256
6118a6858a20ef37d80fc8f31a07bb825fb79b4efc3d0b56d256545d5051e52d

SHA512
8f75af8ddb56a3b02d2aa720e899d4904bbdcfdb37e1981c3f60f79ebfcecf14197d256ebc0bb6009c5ce5d3862b72206633fdbbb3f1c5654bc692a3c1b46835

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
732KB

MD5
57710b7444fe310564150c298f48e385

SHA1
d0fec4f62894818a89e6a4b35bca8fa76b06110b

SHA256
a909e54be58c63a85e798921d69f60b29ce7b7ff2401640886ec99d6d0b7d545

SHA512
d734d212f3c8e03616acc89805b4b8fa692514456f239bf85986538adc0333d43594d3fd9768cac66477069dff197bf908adfc03a4af9af28fbe7198d228cd8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
903KB

MD5
b8da84132d810ec96fdc2d69ef3cc3a5

SHA1
d133206a2200559c6845e46a1a74a037f271d303

SHA256
14b67d9d04ca6d3f8f25b58312c8511a8239c1b153b5d0e693cd33c516916e1b

SHA512
965051ab4aea2c33885112fcb54f808ff91162c072549f08eddd0c475a908c7bdcf700594d2287b90a475cfaabc7d303afe7014a001e3f90ced7150075a4757b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.0MB

MD5
cbc7b9fd8dd6c6546260bb70cfaec6db

SHA1
d10e59c83fb6e887134addc9da0aa80a297a1a85

SHA256
47dac83dffdeaa63f75e2218b2000df55d2ddb88eaac6f900034cdb2ffde58b9

SHA512
9084566dc8883c46301f4da4d0c3e5a578e342b471c18d170fb4478ef89c92c158748f4388b557454913228ab849d5adeb308a942ed36ee1e0c37c447ca9e204

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.0MB

MD5
cbc7b9fd8dd6c6546260bb70cfaec6db

SHA1
d10e59c83fb6e887134addc9da0aa80a297a1a85

SHA256
47dac83dffdeaa63f75e2218b2000df55d2ddb88eaac6f900034cdb2ffde58b9

SHA512
9084566dc8883c46301f4da4d0c3e5a578e342b471c18d170fb4478ef89c92c158748f4388b557454913228ab849d5adeb308a942ed36ee1e0c37c447ca9e204

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.4MB

MD5
fbe49312509258497589a1e32f1283c4

SHA1
47534b1a8d103532dfc0d91234ae3be006227a04

SHA256
b2bb158212a39232121481d335d9e34a460ff85e86bc72ac9b9a670f2f9c2fa1

SHA512
26cc0d4eaa6d6daf1bb3e9ce2205ee2b1c46e53667a1c67262da7ab4517e88aaed5538976e1dc4cad41ed21fd039e7719abe4315088f2d0e30d69987620115a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
171KB

MD5
4f2518a73c2b7f00cad0be46874f0f56

SHA1
73451b689cf842e9b44513eb42fa02d11d11a659

SHA256
c1dd8f914aad0ea60721101d67b479ee8064a30ac277f02a4edc847bfb4d0118

SHA512
1e9d58cd054ad7aac8ca316e9a7f3c93e55de1f509ce7927876409456c52a1cf91bb076ff2d5cd4e3eeb2b206564d5c412fc420ba354e2217a58fb9ed0d848dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
171KB

MD5
4f2518a73c2b7f00cad0be46874f0f56

SHA1
73451b689cf842e9b44513eb42fa02d11d11a659

SHA256
c1dd8f914aad0ea60721101d67b479ee8064a30ac277f02a4edc847bfb4d0118

SHA512
1e9d58cd054ad7aac8ca316e9a7f3c93e55de1f509ce7927876409456c52a1cf91bb076ff2d5cd4e3eeb2b206564d5c412fc420ba354e2217a58fb9ed0d848dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
171KB

MD5
4f2518a73c2b7f00cad0be46874f0f56

SHA1
73451b689cf842e9b44513eb42fa02d11d11a659

SHA256
c1dd8f914aad0ea60721101d67b479ee8064a30ac277f02a4edc847bfb4d0118

SHA512
1e9d58cd054ad7aac8ca316e9a7f3c93e55de1f509ce7927876409456c52a1cf91bb076ff2d5cd4e3eeb2b206564d5c412fc420ba354e2217a58fb9ed0d848dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
171KB

MD5
4f2518a73c2b7f00cad0be46874f0f56

SHA1
73451b689cf842e9b44513eb42fa02d11d11a659

SHA256
c1dd8f914aad0ea60721101d67b479ee8064a30ac277f02a4edc847bfb4d0118

SHA512
1e9d58cd054ad7aac8ca316e9a7f3c93e55de1f509ce7927876409456c52a1cf91bb076ff2d5cd4e3eeb2b206564d5c412fc420ba354e2217a58fb9ed0d848dd

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
b147c267b47c4a6cfa3a72c41407541b

SHA1
062231bf7639b26f92e6d5ef78d515f8eaa9639d

SHA256
c9b7b5b912ab24c729de962727ac33835dd58f17754f9368ac702b9987f3baf6

SHA512
4f646fee7eaa29f33604b3f349b3d90a65bec39fdbe80bac6dcd2cd67b17475e51f833a66a5207d3008fede867792605bab132d6672e206bfefaa83aa344ac64

Download Submit
C:\Windows\hosts.exe

Filesize
171KB

MD5
8fbc9770ead9d247232c8d79a66f5402

SHA1
b6175c8daf3109cb1a955b11b385b784ecfcf740

SHA256
8b8d8fc524b8df0b67d6e19b2dcba3b2094b79ca84bd53db3f4039f4388a3cf1

SHA512
593a6ef2744e4f51ad4b9ff0c6f7ee1a7c330b1362898141fa40f8c1fe633850209f790d215a99ce7cfa96d5a18be7ddb5d5e8ff016d1ba755b6dfa73d1d22e8

Download Submit
C:\Windows\hosts.exe

Filesize
171KB

MD5
8fbc9770ead9d247232c8d79a66f5402

SHA1
b6175c8daf3109cb1a955b11b385b784ecfcf740

SHA256
8b8d8fc524b8df0b67d6e19b2dcba3b2094b79ca84bd53db3f4039f4388a3cf1

SHA512
593a6ef2744e4f51ad4b9ff0c6f7ee1a7c330b1362898141fa40f8c1fe633850209f790d215a99ce7cfa96d5a18be7ddb5d5e8ff016d1ba755b6dfa73d1d22e8

Download Submit
C:\Windows\hosts.exe

Filesize
171KB

MD5
8fbc9770ead9d247232c8d79a66f5402

SHA1
b6175c8daf3109cb1a955b11b385b784ecfcf740

SHA256
8b8d8fc524b8df0b67d6e19b2dcba3b2094b79ca84bd53db3f4039f4388a3cf1

SHA512
593a6ef2744e4f51ad4b9ff0c6f7ee1a7c330b1362898141fa40f8c1fe633850209f790d215a99ce7cfa96d5a18be7ddb5d5e8ff016d1ba755b6dfa73d1d22e8

Download Submit
C:\Windows\hosts.exe

Filesize
171KB

MD5
8fbc9770ead9d247232c8d79a66f5402

SHA1
b6175c8daf3109cb1a955b11b385b784ecfcf740

SHA256
8b8d8fc524b8df0b67d6e19b2dcba3b2094b79ca84bd53db3f4039f4388a3cf1

SHA512
593a6ef2744e4f51ad4b9ff0c6f7ee1a7c330b1362898141fa40f8c1fe633850209f790d215a99ce7cfa96d5a18be7ddb5d5e8ff016d1ba755b6dfa73d1d22e8

Download Submit
C:\windows\hosts.exe

Filesize
171KB

MD5
8fbc9770ead9d247232c8d79a66f5402

SHA1
b6175c8daf3109cb1a955b11b385b784ecfcf740

SHA256
8b8d8fc524b8df0b67d6e19b2dcba3b2094b79ca84bd53db3f4039f4388a3cf1

SHA512
593a6ef2744e4f51ad4b9ff0c6f7ee1a7c330b1362898141fa40f8c1fe633850209f790d215a99ce7cfa96d5a18be7ddb5d5e8ff016d1ba755b6dfa73d1d22e8

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
171KB

MD5
4f2518a73c2b7f00cad0be46874f0f56

SHA1
73451b689cf842e9b44513eb42fa02d11d11a659

SHA256
c1dd8f914aad0ea60721101d67b479ee8064a30ac277f02a4edc847bfb4d0118

SHA512
1e9d58cd054ad7aac8ca316e9a7f3c93e55de1f509ce7927876409456c52a1cf91bb076ff2d5cd4e3eeb2b206564d5c412fc420ba354e2217a58fb9ed0d848dd

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
171KB

MD5
4f2518a73c2b7f00cad0be46874f0f56

SHA1
73451b689cf842e9b44513eb42fa02d11d11a659

SHA256
c1dd8f914aad0ea60721101d67b479ee8064a30ac277f02a4edc847bfb4d0118

SHA512
1e9d58cd054ad7aac8ca316e9a7f3c93e55de1f509ce7927876409456c52a1cf91bb076ff2d5cd4e3eeb2b206564d5c412fc420ba354e2217a58fb9ed0d848dd

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
171KB

MD5
4f2518a73c2b7f00cad0be46874f0f56

SHA1
73451b689cf842e9b44513eb42fa02d11d11a659

SHA256
c1dd8f914aad0ea60721101d67b479ee8064a30ac277f02a4edc847bfb4d0118

SHA512
1e9d58cd054ad7aac8ca316e9a7f3c93e55de1f509ce7927876409456c52a1cf91bb076ff2d5cd4e3eeb2b206564d5c412fc420ba354e2217a58fb9ed0d848dd

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
171KB

MD5
4f2518a73c2b7f00cad0be46874f0f56

SHA1
73451b689cf842e9b44513eb42fa02d11d11a659

SHA256
c1dd8f914aad0ea60721101d67b479ee8064a30ac277f02a4edc847bfb4d0118

SHA512
1e9d58cd054ad7aac8ca316e9a7f3c93e55de1f509ce7927876409456c52a1cf91bb076ff2d5cd4e3eeb2b206564d5c412fc420ba354e2217a58fb9ed0d848dd

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
171KB

MD5
4f2518a73c2b7f00cad0be46874f0f56

SHA1
73451b689cf842e9b44513eb42fa02d11d11a659

SHA256
c1dd8f914aad0ea60721101d67b479ee8064a30ac277f02a4edc847bfb4d0118

SHA512
1e9d58cd054ad7aac8ca316e9a7f3c93e55de1f509ce7927876409456c52a1cf91bb076ff2d5cd4e3eeb2b206564d5c412fc420ba354e2217a58fb9ed0d848dd

Download Submit
memory/1388-56-0x0000000075E11000-0x0000000075E13000-memory.dmp

Filesize
8KB

Download
memory/1388-58-0x0000000074971000-0x0000000074973000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads