837bad4ed8cef3d6dbc091cf652010d8b3241e5899ca82e98f0e4e58210ca6ea

Analysis

max time kernel
133s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11-10-2022 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

837bad4ed8cef3d6dbc091cf652010d8b3241e5899ca82e98f0e4e58210ca6ea.exe
Size

348KB
MD5

29961eb08597ce7123e548d2bf38ff52
SHA1

03761d37bd79ff775eaf4790dc07992f485c5909
SHA256

837bad4ed8cef3d6dbc091cf652010d8b3241e5899ca82e98f0e4e58210ca6ea
SHA512

d287eeb2cefa4dd4401193b1db1c06996080bfb384002bac3267b3289594dadfa9f15eaaacd026ed6f770bcf4082c492aca2a570d86f7094b80655825984f69b
SSDEEP

6144:gDCwfG1bnxG848KJ+oDCwfG1bnxG848KJ+X:g72bnIh8KJ+o72bnIh8KJ+X

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	837bad4ed8cef3d6dbc091cf652010d8b3241e5899ca82e98f0e4e58210ca6ea.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	837bad4ed8cef3d6dbc091cf652010d8b3241e5899ca82e98f0e4e58210ca6ea.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ORXGKKZC = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ORXGKKZC = "W_X_C.bat"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ORXGKKZC = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
1596	avscan.exe
1408	avscan.exe
1144	hosts.exe
1396	hosts.exe
1724	avscan.exe
980	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
1488	837bad4ed8cef3d6dbc091cf652010d8b3241e5899ca82e98f0e4e58210ca6ea.exe
1488	837bad4ed8cef3d6dbc091cf652010d8b3241e5899ca82e98f0e4e58210ca6ea.exe
1596	avscan.exe
1144	hosts.exe
1144	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	837bad4ed8cef3d6dbc091cf652010d8b3241e5899ca82e98f0e4e58210ca6ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	837bad4ed8cef3d6dbc091cf652010d8b3241e5899ca82e98f0e4e58210ca6ea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\W_X_C.vbs	837bad4ed8cef3d6dbc091cf652010d8b3241e5899ca82e98f0e4e58210ca6ea.exe
File created	\??\c:\windows\W_X_C.bat	837bad4ed8cef3d6dbc091cf652010d8b3241e5899ca82e98f0e4e58210ca6ea.exe
File opened for modification	C:\Windows\hosts.exe	837bad4ed8cef3d6dbc091cf652010d8b3241e5899ca82e98f0e4e58210ca6ea.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
676	REG.exe
1612	REG.exe
2000	REG.exe
2044	REG.exe
1792	REG.exe
336	REG.exe
1800	REG.exe
516	REG.exe
112	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1596	avscan.exe
1144	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1488	837bad4ed8cef3d6dbc091cf652010d8b3241e5899ca82e98f0e4e58210ca6ea.exe
1596	avscan.exe
1408	avscan.exe
1396	hosts.exe
1144	hosts.exe
1724	avscan.exe
980	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 112	1488	837bad4ed8cef3d6dbc091cf652010d8b3241e5899ca82e98f0e4e58210ca6ea.exe	26
PID 1488 wrote to memory of 112	1488	837bad4ed8cef3d6dbc091cf652010d8b3241e5899ca82e98f0e4e58210ca6ea.exe	26
PID 1488 wrote to memory of 112	1488	837bad4ed8cef3d6dbc091cf652010d8b3241e5899ca82e98f0e4e58210ca6ea.exe	26
PID 1488 wrote to memory of 112	1488	837bad4ed8cef3d6dbc091cf652010d8b3241e5899ca82e98f0e4e58210ca6ea.exe	26
PID 1488 wrote to memory of 1596	1488	837bad4ed8cef3d6dbc091cf652010d8b3241e5899ca82e98f0e4e58210ca6ea.exe	28
PID 1488 wrote to memory of 1596	1488	837bad4ed8cef3d6dbc091cf652010d8b3241e5899ca82e98f0e4e58210ca6ea.exe	28
PID 1488 wrote to memory of 1596	1488	837bad4ed8cef3d6dbc091cf652010d8b3241e5899ca82e98f0e4e58210ca6ea.exe	28
PID 1488 wrote to memory of 1596	1488	837bad4ed8cef3d6dbc091cf652010d8b3241e5899ca82e98f0e4e58210ca6ea.exe	28
PID 1596 wrote to memory of 1408	1596	avscan.exe	29
PID 1596 wrote to memory of 1408	1596	avscan.exe	29
PID 1596 wrote to memory of 1408	1596	avscan.exe	29
PID 1596 wrote to memory of 1408	1596	avscan.exe	29
PID 1596 wrote to memory of 908	1596	avscan.exe	30
PID 1596 wrote to memory of 908	1596	avscan.exe	30
PID 1596 wrote to memory of 908	1596	avscan.exe	30
PID 1596 wrote to memory of 908	1596	avscan.exe	30
PID 1488 wrote to memory of 1796	1488	837bad4ed8cef3d6dbc091cf652010d8b3241e5899ca82e98f0e4e58210ca6ea.exe	31
PID 1488 wrote to memory of 1796	1488	837bad4ed8cef3d6dbc091cf652010d8b3241e5899ca82e98f0e4e58210ca6ea.exe	31
PID 1488 wrote to memory of 1796	1488	837bad4ed8cef3d6dbc091cf652010d8b3241e5899ca82e98f0e4e58210ca6ea.exe	31
PID 1488 wrote to memory of 1796	1488	837bad4ed8cef3d6dbc091cf652010d8b3241e5899ca82e98f0e4e58210ca6ea.exe	31
PID 908 wrote to memory of 1396	908	cmd.exe	35
PID 908 wrote to memory of 1396	908	cmd.exe	35
PID 908 wrote to memory of 1396	908	cmd.exe	35
PID 908 wrote to memory of 1396	908	cmd.exe	35
PID 1796 wrote to memory of 1144	1796	cmd.exe	34
PID 1796 wrote to memory of 1144	1796	cmd.exe	34
PID 1796 wrote to memory of 1144	1796	cmd.exe	34
PID 1796 wrote to memory of 1144	1796	cmd.exe	34
PID 1144 wrote to memory of 1724	1144	hosts.exe	36
PID 1144 wrote to memory of 1724	1144	hosts.exe	36
PID 1144 wrote to memory of 1724	1144	hosts.exe	36
PID 1144 wrote to memory of 1724	1144	hosts.exe	36
PID 1144 wrote to memory of 1220	1144	hosts.exe	37
PID 1144 wrote to memory of 1220	1144	hosts.exe	37
PID 1144 wrote to memory of 1220	1144	hosts.exe	37
PID 1144 wrote to memory of 1220	1144	hosts.exe	37
PID 1220 wrote to memory of 980	1220	cmd.exe	39
PID 1220 wrote to memory of 980	1220	cmd.exe	39
PID 1220 wrote to memory of 980	1220	cmd.exe	39
PID 1220 wrote to memory of 980	1220	cmd.exe	39
PID 908 wrote to memory of 1368	908	cmd.exe	41
PID 908 wrote to memory of 1368	908	cmd.exe	41
PID 908 wrote to memory of 1368	908	cmd.exe	41
PID 908 wrote to memory of 1368	908	cmd.exe	41
PID 1220 wrote to memory of 1752	1220	cmd.exe	42
PID 1220 wrote to memory of 1752	1220	cmd.exe	42
PID 1220 wrote to memory of 1752	1220	cmd.exe	42
PID 1220 wrote to memory of 1752	1220	cmd.exe	42
PID 1796 wrote to memory of 1572	1796	cmd.exe	40
PID 1796 wrote to memory of 1572	1796	cmd.exe	40
PID 1796 wrote to memory of 1572	1796	cmd.exe	40
PID 1796 wrote to memory of 1572	1796	cmd.exe	40
PID 1596 wrote to memory of 2000	1596	avscan.exe	43
PID 1596 wrote to memory of 2000	1596	avscan.exe	43
PID 1596 wrote to memory of 2000	1596	avscan.exe	43
PID 1596 wrote to memory of 2000	1596	avscan.exe	43
PID 1144 wrote to memory of 676	1144	hosts.exe	45
PID 1144 wrote to memory of 676	1144	hosts.exe	45
PID 1144 wrote to memory of 676	1144	hosts.exe	45
PID 1144 wrote to memory of 676	1144	hosts.exe	45
PID 1596 wrote to memory of 1612	1596	avscan.exe	47
PID 1596 wrote to memory of 1612	1596	avscan.exe	47
PID 1596 wrote to memory of 1612	1596	avscan.exe	47
PID 1596 wrote to memory of 1612	1596	avscan.exe	47

C:\Users\Admin\AppData\Local\Temp\837bad4ed8cef3d6dbc091cf652010d8b3241e5899ca82e98f0e4e58210ca6ea.exe
"C:\Users\Admin\AppData\Local\Temp\837bad4ed8cef3d6dbc091cf652010d8b3241e5899ca82e98f0e4e58210ca6ea.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:112
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1408
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:908
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1396
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:1368
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:2000
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1612
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1792
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1144
  - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1724
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\W_X_C.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1220
    - - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:980
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        5⤵
        Adds policy Run key to start application
        
        PID:1752
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:676
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:2044
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:336
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:516
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:1572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
745KB

MD5
ab68b07da1b6c8452074bab905b5ce7b

SHA1
7eaf0516c415a8361136738845ed73ede60dedb0

SHA256
9b9177c96f60afdbac52c78a15135b8d02ef06d87d364d42222f278de78cca84

SHA512
3f99c925d563c23cf6d3ba9ff5f3199ea079f5abc7a740aa69d397307ea53fe53a5bb706667e89c53568617b33b6b7f9870eadcc0388f9b4f15775e035b00b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.1MB

MD5
735770c0600cd30d9d926886017d8706

SHA1
45411ac8b6789ca3bb21b6ebe5e2c231929964dd

SHA256
82ea7825fe6bbed0ef4f1a7e4dd7aaf5c151e479c4ac37e244fd0799cef0c2c9

SHA512
9191eee30a966b18e3255eab751a2076d20a43e81af6f07d09bc37c53c559507c8159c4e51485e5035f9bdc3c748b217833882d9b42bd718394598a8beaef615

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.4MB

MD5
03829dbcf061c6d8a04d1fcfb63a1e2d

SHA1
f81272548026de0e5cf58e13b2f14f91487ecb08

SHA256
943e334620c6a4de07557c09310fce4b91f87672d90d8b8742d06e833740d3f7

SHA512
5bca2b342803527f16097eb227b342aec83c88c5d33da221f853ebea02001e538a3926977748029f75d0ab1bbfa896697d0cddea8d43ddb7fd9e8b05f1890aec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.7MB

MD5
2619d417e9af865ab59acdf81d92b565

SHA1
adeec16f3a16a93d1b382709e6dacbd8a34891ab

SHA256
e95523308ce852890192e6752b444521cafda21062e0db7bcff140286c7ecc44

SHA512
a6658faf9bcbba2c31c425b365b0f09392748458701fdf7fa3624b8ab01d7e658632cbcad7ea5c2ac6d193bc83dbc4283bfb774c9b7ceacc8dca5cbbea37cef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.1MB

MD5
c0d2c3d30e5d14be7e84d773161fd3e9

SHA1
56e685b07ce7c9d5e9ff577a1d104284b6683786

SHA256
ace3528d081bc1f5174dc78d2cba86a87928d52e4cf793a0fbde001160d746c9

SHA512
ab1f78537cec3edfbd02e1761f12b4600d769aac48ff9c0e7c3e5abab64957a232b35406d4477da7541fd58c5085039dae9380929639f7d18cb8f35ac115eba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.4MB

MD5
44ff757fd0821cdf3ae805b8ccb4ffff

SHA1
fb02ae5b926610ecfbdd12b1bcbf7cbe2e0daed6

SHA256
0ba835fd34610ecb9e58ed3c53c02f2ad27700b5dd0a8a60b4efe5fa5d5d7f91

SHA512
ad4cd768e6ef7fae32349455381b8e69e01f7a4ecadfa058a12a98d09ca8eb92d867544d9b7243899e44e122d5486cf993d10d990746947ec2fdbca2399a26a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.8MB

MD5
99b59790849e15a9cf5aa5859a4879c5

SHA1
1966c4640f8c3d707f98918a057a4f19f1ef410c

SHA256
76ea89b6dba703627b093bbf8dd8a5a0a9ba116089c713a1f8dd7bffb3c91952

SHA512
27c4d311d5ea722e81b166c6810a09d9c43f067eb22c9a86f002c91ced47d97ff06d53e3ba9081dfdbf61b5433df723bf5a2bc4f54769cd503c5c7e5f3f15754

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
348KB

MD5
6cd1bc729d17c4bf3fc08778cb43c230

SHA1
a12888051b56b17a3f2680a6b488ea105277c2e1

SHA256
c9df1d95a96a73de5119699c69c0d1393eb59db38d4351cd6b8a9f49e4ca7e21

SHA512
17075cdb10cd673a715a888eb063c8992796b22373a764f170bd9566628cd4abe68a3b026306da81d721ec10bfa393dcf10450f34a9691846d98535e4f297191

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
348KB

MD5
6cd1bc729d17c4bf3fc08778cb43c230

SHA1
a12888051b56b17a3f2680a6b488ea105277c2e1

SHA256
c9df1d95a96a73de5119699c69c0d1393eb59db38d4351cd6b8a9f49e4ca7e21

SHA512
17075cdb10cd673a715a888eb063c8992796b22373a764f170bd9566628cd4abe68a3b026306da81d721ec10bfa393dcf10450f34a9691846d98535e4f297191

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
348KB

MD5
6cd1bc729d17c4bf3fc08778cb43c230

SHA1
a12888051b56b17a3f2680a6b488ea105277c2e1

SHA256
c9df1d95a96a73de5119699c69c0d1393eb59db38d4351cd6b8a9f49e4ca7e21

SHA512
17075cdb10cd673a715a888eb063c8992796b22373a764f170bd9566628cd4abe68a3b026306da81d721ec10bfa393dcf10450f34a9691846d98535e4f297191

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
348KB

MD5
6cd1bc729d17c4bf3fc08778cb43c230

SHA1
a12888051b56b17a3f2680a6b488ea105277c2e1

SHA256
c9df1d95a96a73de5119699c69c0d1393eb59db38d4351cd6b8a9f49e4ca7e21

SHA512
17075cdb10cd673a715a888eb063c8992796b22373a764f170bd9566628cd4abe68a3b026306da81d721ec10bfa393dcf10450f34a9691846d98535e4f297191

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
6cb1a862c5d3015502be64b07c6b5ec7

SHA1
055b4b97bd55f4f0f47fd8c981fc216709e91936

SHA256
6ae3ae6c1d057e9376efd0711d9912dfddebd9f8a8b257cee104cba98195c48e

SHA512
5f8f0cdbbd70f06bc8783c0e762208a3c54daf0f2b064abd450116cb31963d0802bc59648e868d647031e0e321d151a20f1b71ccba613f6e1c0c7fbb7ee974ab

Download Submit
C:\Windows\hosts.exe

Filesize
348KB

MD5
2c369f76a4df4e705bcb39cc72efbfc2

SHA1
f437b757c2ddff5a171157969f548c4266a22370

SHA256
5fdfc6e3a42e46cafb418a53b4c74934ca1e24a4f5581b1b1ebd66cb712ac530

SHA512
c27daef077ba1687c4e9deb14d58685cbfbeeccf540386e8cf8cc649d0d59f81f255d9cc31e34bb83e2ed927241f11c1ffcb8d761b0c31c438ba137618bc6203

Download Submit
C:\Windows\hosts.exe

Filesize
348KB

MD5
2c369f76a4df4e705bcb39cc72efbfc2

SHA1
f437b757c2ddff5a171157969f548c4266a22370

SHA256
5fdfc6e3a42e46cafb418a53b4c74934ca1e24a4f5581b1b1ebd66cb712ac530

SHA512
c27daef077ba1687c4e9deb14d58685cbfbeeccf540386e8cf8cc649d0d59f81f255d9cc31e34bb83e2ed927241f11c1ffcb8d761b0c31c438ba137618bc6203

Download Submit
C:\Windows\hosts.exe

Filesize
348KB

MD5
2c369f76a4df4e705bcb39cc72efbfc2

SHA1
f437b757c2ddff5a171157969f548c4266a22370

SHA256
5fdfc6e3a42e46cafb418a53b4c74934ca1e24a4f5581b1b1ebd66cb712ac530

SHA512
c27daef077ba1687c4e9deb14d58685cbfbeeccf540386e8cf8cc649d0d59f81f255d9cc31e34bb83e2ed927241f11c1ffcb8d761b0c31c438ba137618bc6203

Download Submit
C:\Windows\hosts.exe

Filesize
348KB

MD5
2c369f76a4df4e705bcb39cc72efbfc2

SHA1
f437b757c2ddff5a171157969f548c4266a22370

SHA256
5fdfc6e3a42e46cafb418a53b4c74934ca1e24a4f5581b1b1ebd66cb712ac530

SHA512
c27daef077ba1687c4e9deb14d58685cbfbeeccf540386e8cf8cc649d0d59f81f255d9cc31e34bb83e2ed927241f11c1ffcb8d761b0c31c438ba137618bc6203

Download Submit
C:\windows\hosts.exe

Filesize
348KB

MD5
2c369f76a4df4e705bcb39cc72efbfc2

SHA1
f437b757c2ddff5a171157969f548c4266a22370

SHA256
5fdfc6e3a42e46cafb418a53b4c74934ca1e24a4f5581b1b1ebd66cb712ac530

SHA512
c27daef077ba1687c4e9deb14d58685cbfbeeccf540386e8cf8cc649d0d59f81f255d9cc31e34bb83e2ed927241f11c1ffcb8d761b0c31c438ba137618bc6203

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
348KB

MD5
6cd1bc729d17c4bf3fc08778cb43c230

SHA1
a12888051b56b17a3f2680a6b488ea105277c2e1

SHA256
c9df1d95a96a73de5119699c69c0d1393eb59db38d4351cd6b8a9f49e4ca7e21

SHA512
17075cdb10cd673a715a888eb063c8992796b22373a764f170bd9566628cd4abe68a3b026306da81d721ec10bfa393dcf10450f34a9691846d98535e4f297191

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
348KB

MD5
6cd1bc729d17c4bf3fc08778cb43c230

SHA1
a12888051b56b17a3f2680a6b488ea105277c2e1

SHA256
c9df1d95a96a73de5119699c69c0d1393eb59db38d4351cd6b8a9f49e4ca7e21

SHA512
17075cdb10cd673a715a888eb063c8992796b22373a764f170bd9566628cd4abe68a3b026306da81d721ec10bfa393dcf10450f34a9691846d98535e4f297191

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
348KB

MD5
6cd1bc729d17c4bf3fc08778cb43c230

SHA1
a12888051b56b17a3f2680a6b488ea105277c2e1

SHA256
c9df1d95a96a73de5119699c69c0d1393eb59db38d4351cd6b8a9f49e4ca7e21

SHA512
17075cdb10cd673a715a888eb063c8992796b22373a764f170bd9566628cd4abe68a3b026306da81d721ec10bfa393dcf10450f34a9691846d98535e4f297191

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
348KB

MD5
6cd1bc729d17c4bf3fc08778cb43c230

SHA1
a12888051b56b17a3f2680a6b488ea105277c2e1

SHA256
c9df1d95a96a73de5119699c69c0d1393eb59db38d4351cd6b8a9f49e4ca7e21

SHA512
17075cdb10cd673a715a888eb063c8992796b22373a764f170bd9566628cd4abe68a3b026306da81d721ec10bfa393dcf10450f34a9691846d98535e4f297191

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
348KB

MD5
6cd1bc729d17c4bf3fc08778cb43c230

SHA1
a12888051b56b17a3f2680a6b488ea105277c2e1

SHA256
c9df1d95a96a73de5119699c69c0d1393eb59db38d4351cd6b8a9f49e4ca7e21

SHA512
17075cdb10cd673a715a888eb063c8992796b22373a764f170bd9566628cd4abe68a3b026306da81d721ec10bfa393dcf10450f34a9691846d98535e4f297191

Download Submit
memory/112-57-0x0000000000000000-mapping.dmp

Download
memory/336-116-0x0000000000000000-mapping.dmp

Download
memory/516-122-0x0000000000000000-mapping.dmp

Download
memory/676-108-0x0000000000000000-mapping.dmp

Download
memory/908-73-0x0000000000000000-mapping.dmp

Download
memory/980-94-0x0000000000000000-mapping.dmp

Download
memory/1144-77-0x0000000000000000-mapping.dmp

Download
memory/1220-93-0x0000000000000000-mapping.dmp

Download
memory/1368-99-0x0000000000000000-mapping.dmp

Download
memory/1396-76-0x0000000000000000-mapping.dmp

Download
memory/1408-68-0x0000000000000000-mapping.dmp

Download
memory/1488-58-0x0000000074DF1000-0x0000000074DF3000-memory.dmp

Filesize
8KB

Download
memory/1488-56-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1572-100-0x0000000000000000-mapping.dmp

Download
memory/1596-61-0x0000000000000000-mapping.dmp

Download
memory/1612-110-0x0000000000000000-mapping.dmp

Download
memory/1724-88-0x0000000000000000-mapping.dmp

Download
memory/1752-101-0x0000000000000000-mapping.dmp

Download
memory/1792-114-0x0000000000000000-mapping.dmp

Download
memory/1796-74-0x0000000000000000-mapping.dmp

Download
memory/1800-119-0x0000000000000000-mapping.dmp

Download
memory/2000-106-0x0000000000000000-mapping.dmp

Download
memory/2044-112-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads