1dfb3ccadfd1f8a81e8bb66a6fb551b28f0ef527d4a25965d767946cf86cbbfb

Analysis

max time kernel
167s
max time network
83s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 14:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1dfb3ccadfd1f8a81e8bb66a6fb551b28f0ef527d4a25965d767946cf86cbbfb.exe
Size

205KB
MD5

604e512b4d0ef175efe2bf60e7e7593e
SHA1

cab482e44de8d984cbac12d7bfe195fd6a56edf6
SHA256

1dfb3ccadfd1f8a81e8bb66a6fb551b28f0ef527d4a25965d767946cf86cbbfb
SHA512

94b04cb24f0e957c93d6905c42768f4b7d2535bd24e0a3ffbe4657408c2a36afb49da2ca36ca537bacca0fe171cd9e97d6fd166150c934f5a679580376000f42
SSDEEP

3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCm/DER9yk9Oow16T7LjJ:gDCwfG1bnxLEREkg2HJ

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	1dfb3ccadfd1f8a81e8bb66a6fb551b28f0ef527d4a25965d767946cf86cbbfb.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	1dfb3ccadfd1f8a81e8bb66a6fb551b28f0ef527d4a25965d767946cf86cbbfb.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GRXNNIIE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GRXNNIIE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GRXNNIIE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
952	avscan.exe
544	avscan.exe
616	hosts.exe
1500	avscan.exe
752	hosts.exe
1924	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
1636	1dfb3ccadfd1f8a81e8bb66a6fb551b28f0ef527d4a25965d767946cf86cbbfb.exe
1636	1dfb3ccadfd1f8a81e8bb66a6fb551b28f0ef527d4a25965d767946cf86cbbfb.exe
952	avscan.exe
616	hosts.exe
616	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	1dfb3ccadfd1f8a81e8bb66a6fb551b28f0ef527d4a25965d767946cf86cbbfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	1dfb3ccadfd1f8a81e8bb66a6fb551b28f0ef527d4a25965d767946cf86cbbfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	\??\c:\windows\W_X_C.bat	1dfb3ccadfd1f8a81e8bb66a6fb551b28f0ef527d4a25965d767946cf86cbbfb.exe
File opened for modification	C:\Windows\hosts.exe	1dfb3ccadfd1f8a81e8bb66a6fb551b28f0ef527d4a25965d767946cf86cbbfb.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	1dfb3ccadfd1f8a81e8bb66a6fb551b28f0ef527d4a25965d767946cf86cbbfb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
1764	REG.exe
1704	REG.exe
592	REG.exe
884	REG.exe
1400	REG.exe
808	REG.exe
1508	REG.exe
848	REG.exe
1600	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
952	avscan.exe
616	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1636	1dfb3ccadfd1f8a81e8bb66a6fb551b28f0ef527d4a25965d767946cf86cbbfb.exe
952	avscan.exe
544	avscan.exe
616	hosts.exe
1500	avscan.exe
752	hosts.exe
1924	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 848	1636	1dfb3ccadfd1f8a81e8bb66a6fb551b28f0ef527d4a25965d767946cf86cbbfb.exe	28
PID 1636 wrote to memory of 848	1636	1dfb3ccadfd1f8a81e8bb66a6fb551b28f0ef527d4a25965d767946cf86cbbfb.exe	28
PID 1636 wrote to memory of 848	1636	1dfb3ccadfd1f8a81e8bb66a6fb551b28f0ef527d4a25965d767946cf86cbbfb.exe	28
PID 1636 wrote to memory of 848	1636	1dfb3ccadfd1f8a81e8bb66a6fb551b28f0ef527d4a25965d767946cf86cbbfb.exe	28
PID 1636 wrote to memory of 952	1636	1dfb3ccadfd1f8a81e8bb66a6fb551b28f0ef527d4a25965d767946cf86cbbfb.exe	30
PID 1636 wrote to memory of 952	1636	1dfb3ccadfd1f8a81e8bb66a6fb551b28f0ef527d4a25965d767946cf86cbbfb.exe	30
PID 1636 wrote to memory of 952	1636	1dfb3ccadfd1f8a81e8bb66a6fb551b28f0ef527d4a25965d767946cf86cbbfb.exe	30
PID 1636 wrote to memory of 952	1636	1dfb3ccadfd1f8a81e8bb66a6fb551b28f0ef527d4a25965d767946cf86cbbfb.exe	30
PID 952 wrote to memory of 544	952	avscan.exe	31
PID 952 wrote to memory of 544	952	avscan.exe	31
PID 952 wrote to memory of 544	952	avscan.exe	31
PID 952 wrote to memory of 544	952	avscan.exe	31
PID 952 wrote to memory of 520	952	avscan.exe	35
PID 952 wrote to memory of 520	952	avscan.exe	35
PID 952 wrote to memory of 520	952	avscan.exe	35
PID 952 wrote to memory of 520	952	avscan.exe	35
PID 1636 wrote to memory of 1360	1636	1dfb3ccadfd1f8a81e8bb66a6fb551b28f0ef527d4a25965d767946cf86cbbfb.exe	33
PID 1636 wrote to memory of 1360	1636	1dfb3ccadfd1f8a81e8bb66a6fb551b28f0ef527d4a25965d767946cf86cbbfb.exe	33
PID 1636 wrote to memory of 1360	1636	1dfb3ccadfd1f8a81e8bb66a6fb551b28f0ef527d4a25965d767946cf86cbbfb.exe	33
PID 1636 wrote to memory of 1360	1636	1dfb3ccadfd1f8a81e8bb66a6fb551b28f0ef527d4a25965d767946cf86cbbfb.exe	33
PID 520 wrote to memory of 616	520	cmd.exe	37
PID 520 wrote to memory of 616	520	cmd.exe	37
PID 520 wrote to memory of 616	520	cmd.exe	37
PID 520 wrote to memory of 616	520	cmd.exe	37
PID 616 wrote to memory of 1500	616	hosts.exe	38
PID 616 wrote to memory of 1500	616	hosts.exe	38
PID 616 wrote to memory of 1500	616	hosts.exe	38
PID 616 wrote to memory of 1500	616	hosts.exe	38
PID 1360 wrote to memory of 752	1360	cmd.exe	36
PID 1360 wrote to memory of 752	1360	cmd.exe	36
PID 1360 wrote to memory of 752	1360	cmd.exe	36
PID 1360 wrote to memory of 752	1360	cmd.exe	36
PID 616 wrote to memory of 1740	616	hosts.exe	39
PID 616 wrote to memory of 1740	616	hosts.exe	39
PID 616 wrote to memory of 1740	616	hosts.exe	39
PID 616 wrote to memory of 1740	616	hosts.exe	39
PID 1740 wrote to memory of 1924	1740	cmd.exe	42
PID 1740 wrote to memory of 1924	1740	cmd.exe	42
PID 1740 wrote to memory of 1924	1740	cmd.exe	42
PID 1740 wrote to memory of 1924	1740	cmd.exe	42
PID 1360 wrote to memory of 1712	1360	cmd.exe	43
PID 1360 wrote to memory of 1712	1360	cmd.exe	43
PID 1360 wrote to memory of 1712	1360	cmd.exe	43
PID 1360 wrote to memory of 1712	1360	cmd.exe	43
PID 520 wrote to memory of 1996	520	cmd.exe	41
PID 520 wrote to memory of 1996	520	cmd.exe	41
PID 520 wrote to memory of 1996	520	cmd.exe	41
PID 520 wrote to memory of 1996	520	cmd.exe	41
PID 1740 wrote to memory of 1112	1740	cmd.exe	44
PID 1740 wrote to memory of 1112	1740	cmd.exe	44
PID 1740 wrote to memory of 1112	1740	cmd.exe	44
PID 1740 wrote to memory of 1112	1740	cmd.exe	44
PID 952 wrote to memory of 1764	952	avscan.exe	45
PID 952 wrote to memory of 1764	952	avscan.exe	45
PID 952 wrote to memory of 1764	952	avscan.exe	45
PID 952 wrote to memory of 1764	952	avscan.exe	45
PID 616 wrote to memory of 1600	616	hosts.exe	47
PID 616 wrote to memory of 1600	616	hosts.exe	47
PID 616 wrote to memory of 1600	616	hosts.exe	47
PID 616 wrote to memory of 1600	616	hosts.exe	47
PID 952 wrote to memory of 1704	952	avscan.exe	49
PID 952 wrote to memory of 1704	952	avscan.exe	49
PID 952 wrote to memory of 1704	952	avscan.exe	49
PID 952 wrote to memory of 1704	952	avscan.exe	49

C:\Users\Admin\AppData\Local\Temp\1dfb3ccadfd1f8a81e8bb66a6fb551b28f0ef527d4a25965d767946cf86cbbfb.exe
"C:\Users\Admin\AppData\Local\Temp\1dfb3ccadfd1f8a81e8bb66a6fb551b28f0ef527d4a25965d767946cf86cbbfb.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:848
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:544
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:520
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:616
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1500
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\W_X_C.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1740
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1924
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:1112
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1600
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:592
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:884
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:808
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:1996
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1764
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1704
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1400
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:752
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:1712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
459KB

MD5
6ac16b52c60c9c2cf71f6be9a1fbaffc

SHA1
51ebf9092cae969c695459c0570ca655d6fc95c9

SHA256
e209f7f544458972d8ddc764817475a3b4129e82dc42a2e54dc9ffa5e2b0875a

SHA512
ce73eed3233d0d75955a9402ecb6d96337bde4f50262f937da4bbb7a4d6bd22044d4e27429ad48a32106c463d9c539edee55a262cca009277f2b097d8e25b0ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
664KB

MD5
ad1b2f53d544c0808f449b4d8b3c114b

SHA1
d42d1584ce1424dd250ef5f6cf7b9c18ab5a63ab

SHA256
77228402969d411c97a2f02091ac7222038f8c4e0567e3c47d471ed332d4db45

SHA512
0f50924bae994bc23c5236c4df5c0f700065810cb1809e6a898da708482e4dbbb096920a0263dc0fe1b5c2b29eb910bf1e5028b74a392bdb9ad98720a9784e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
664KB

MD5
c472f6575134cecac4b21160ef02796d

SHA1
a01a06919ad8f0c730e38bc346db8c5d8734cb3c

SHA256
c9fdfac6ecdf272929fa6c28d8b64de97c5dc737714655e8abb87cc9cce1691b

SHA512
c6b086b65e5113cf4a3a03300a61207f8bcf1cf3fcfed9a0b4965753c1fb9e9dc1e9aa7e0ebfb119a3e083bff0186bbb93a09a06e959eaa2b9acda855d8f0230

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
870KB

MD5
08d1ccd30591d9432e332de7e0701bd9

SHA1
31a012ec3723989b4064db201147c53c589042ea

SHA256
8a396662dcb176d79f02c10176f01b945e85d0bbf50e9808257222bc7ccbe325

SHA512
0e066f99ae49b8514f3ea0d5e0d86f1d0d7b276e306b9f3d818e884acb4fe7b9d1f88210abb5d70db5be1bad7af2682a3d79e32b8d35d9453eaf3a4544981afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
870KB

MD5
d82db89fcd47dc612a222111a5d2bc88

SHA1
88800f8b7eec1896bc2fe48cad648a132616ed6d

SHA256
c44a3d6bd6a4dd66a49a5fcc27ee33077c300f0e3370f1053b53496b533786ba

SHA512
2fdade811d64aef976c17b54a1c0ba6dbdb4a508d1eb8d3af77b466d397ef553b4946f42ff442edb0ccc2d50fdd147b756cbce8a7c74a85b41527587fe216128

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.3MB

MD5
167367ce4f3ebb5b09706f5510f963af

SHA1
8440a1308a905d93c13719f8b5f4e2980b8d3abf

SHA256
6ee444fd7c1870c139a81fb0d2d03daa11ba78ee7612c89972a6747354fcfd12

SHA512
a31b28d9aa13b2224c156a2565a0e02e660cedc7fe524bb14759eda4f1e15d0b85d6b5744eaea81ac2d45a3d0e0def8e0f5043d77d38a98f1550820e1dc929f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
205KB

MD5
e0106ee9c34cfe9a1cec4b3ba32be65e

SHA1
cc430d83fa15f08c26af48fcace7d98dee8c6842

SHA256
5ba2ee4c3850a0cae3d40e1a657f5a4f6ddbeda0b25aedcce5a7dc5b984e0fc9

SHA512
4aa6fb26ee4e7e5f267db0b23730b8eaa05fa4f2c377fc60c03146dae2085eb1a6bfce9f46730af993d0fecd1a72549cab9947c1e4e330e558b7b90fc90445be

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
205KB

MD5
e0106ee9c34cfe9a1cec4b3ba32be65e

SHA1
cc430d83fa15f08c26af48fcace7d98dee8c6842

SHA256
5ba2ee4c3850a0cae3d40e1a657f5a4f6ddbeda0b25aedcce5a7dc5b984e0fc9

SHA512
4aa6fb26ee4e7e5f267db0b23730b8eaa05fa4f2c377fc60c03146dae2085eb1a6bfce9f46730af993d0fecd1a72549cab9947c1e4e330e558b7b90fc90445be

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
205KB

MD5
e0106ee9c34cfe9a1cec4b3ba32be65e

SHA1
cc430d83fa15f08c26af48fcace7d98dee8c6842

SHA256
5ba2ee4c3850a0cae3d40e1a657f5a4f6ddbeda0b25aedcce5a7dc5b984e0fc9

SHA512
4aa6fb26ee4e7e5f267db0b23730b8eaa05fa4f2c377fc60c03146dae2085eb1a6bfce9f46730af993d0fecd1a72549cab9947c1e4e330e558b7b90fc90445be

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
205KB

MD5
e0106ee9c34cfe9a1cec4b3ba32be65e

SHA1
cc430d83fa15f08c26af48fcace7d98dee8c6842

SHA256
5ba2ee4c3850a0cae3d40e1a657f5a4f6ddbeda0b25aedcce5a7dc5b984e0fc9

SHA512
4aa6fb26ee4e7e5f267db0b23730b8eaa05fa4f2c377fc60c03146dae2085eb1a6bfce9f46730af993d0fecd1a72549cab9947c1e4e330e558b7b90fc90445be

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
9eb0c6074d8e54f7da6508b5f6809e78

SHA1
61f003a28c45377e9fc641a0dd1382e6931c11f0

SHA256
df6f01f8c7c5ad4b1e66d19309ad60f0189bc607d7a07c184d9d94abd29c3ee8

SHA512
f6db15038cf4312647c59574cf2352c132c36cd060293977427b719066e5519838c6fed059d3a1d4e3277b575d9132d29d150c45cebd8a3852e705f3297f6d08

Download Submit
C:\Windows\hosts.exe

Filesize
205KB

MD5
f120f4c9d515e4f45081c35c9b1fb2d1

SHA1
d8645bade01fda07bf7c8f57a75856caf672e734

SHA256
cc165a69c4e53d7a99f06411f3a60bd804f54f5c04e6b73d613a4a6363654462

SHA512
fc0e535c0de52dc4d12ed45947976151ce12778156baef99c3afb8e3fe9dd21649b9286a8db21d784b09a6b185021f089b4ef47e46e26a5ac29544803d6e4059

Download Submit
C:\Windows\hosts.exe

Filesize
205KB

MD5
f120f4c9d515e4f45081c35c9b1fb2d1

SHA1
d8645bade01fda07bf7c8f57a75856caf672e734

SHA256
cc165a69c4e53d7a99f06411f3a60bd804f54f5c04e6b73d613a4a6363654462

SHA512
fc0e535c0de52dc4d12ed45947976151ce12778156baef99c3afb8e3fe9dd21649b9286a8db21d784b09a6b185021f089b4ef47e46e26a5ac29544803d6e4059

Download Submit
C:\Windows\hosts.exe

Filesize
205KB

MD5
f120f4c9d515e4f45081c35c9b1fb2d1

SHA1
d8645bade01fda07bf7c8f57a75856caf672e734

SHA256
cc165a69c4e53d7a99f06411f3a60bd804f54f5c04e6b73d613a4a6363654462

SHA512
fc0e535c0de52dc4d12ed45947976151ce12778156baef99c3afb8e3fe9dd21649b9286a8db21d784b09a6b185021f089b4ef47e46e26a5ac29544803d6e4059

Download Submit
C:\Windows\hosts.exe

Filesize
205KB

MD5
f120f4c9d515e4f45081c35c9b1fb2d1

SHA1
d8645bade01fda07bf7c8f57a75856caf672e734

SHA256
cc165a69c4e53d7a99f06411f3a60bd804f54f5c04e6b73d613a4a6363654462

SHA512
fc0e535c0de52dc4d12ed45947976151ce12778156baef99c3afb8e3fe9dd21649b9286a8db21d784b09a6b185021f089b4ef47e46e26a5ac29544803d6e4059

Download Submit
C:\windows\hosts.exe

Filesize
205KB

MD5
f120f4c9d515e4f45081c35c9b1fb2d1

SHA1
d8645bade01fda07bf7c8f57a75856caf672e734

SHA256
cc165a69c4e53d7a99f06411f3a60bd804f54f5c04e6b73d613a4a6363654462

SHA512
fc0e535c0de52dc4d12ed45947976151ce12778156baef99c3afb8e3fe9dd21649b9286a8db21d784b09a6b185021f089b4ef47e46e26a5ac29544803d6e4059

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
205KB

MD5
e0106ee9c34cfe9a1cec4b3ba32be65e

SHA1
cc430d83fa15f08c26af48fcace7d98dee8c6842

SHA256
5ba2ee4c3850a0cae3d40e1a657f5a4f6ddbeda0b25aedcce5a7dc5b984e0fc9

SHA512
4aa6fb26ee4e7e5f267db0b23730b8eaa05fa4f2c377fc60c03146dae2085eb1a6bfce9f46730af993d0fecd1a72549cab9947c1e4e330e558b7b90fc90445be

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
205KB

MD5
e0106ee9c34cfe9a1cec4b3ba32be65e

SHA1
cc430d83fa15f08c26af48fcace7d98dee8c6842

SHA256
5ba2ee4c3850a0cae3d40e1a657f5a4f6ddbeda0b25aedcce5a7dc5b984e0fc9

SHA512
4aa6fb26ee4e7e5f267db0b23730b8eaa05fa4f2c377fc60c03146dae2085eb1a6bfce9f46730af993d0fecd1a72549cab9947c1e4e330e558b7b90fc90445be

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
205KB

MD5
e0106ee9c34cfe9a1cec4b3ba32be65e

SHA1
cc430d83fa15f08c26af48fcace7d98dee8c6842

SHA256
5ba2ee4c3850a0cae3d40e1a657f5a4f6ddbeda0b25aedcce5a7dc5b984e0fc9

SHA512
4aa6fb26ee4e7e5f267db0b23730b8eaa05fa4f2c377fc60c03146dae2085eb1a6bfce9f46730af993d0fecd1a72549cab9947c1e4e330e558b7b90fc90445be

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
205KB

MD5
e0106ee9c34cfe9a1cec4b3ba32be65e

SHA1
cc430d83fa15f08c26af48fcace7d98dee8c6842

SHA256
5ba2ee4c3850a0cae3d40e1a657f5a4f6ddbeda0b25aedcce5a7dc5b984e0fc9

SHA512
4aa6fb26ee4e7e5f267db0b23730b8eaa05fa4f2c377fc60c03146dae2085eb1a6bfce9f46730af993d0fecd1a72549cab9947c1e4e330e558b7b90fc90445be

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
205KB

MD5
e0106ee9c34cfe9a1cec4b3ba32be65e

SHA1
cc430d83fa15f08c26af48fcace7d98dee8c6842

SHA256
5ba2ee4c3850a0cae3d40e1a657f5a4f6ddbeda0b25aedcce5a7dc5b984e0fc9

SHA512
4aa6fb26ee4e7e5f267db0b23730b8eaa05fa4f2c377fc60c03146dae2085eb1a6bfce9f46730af993d0fecd1a72549cab9947c1e4e330e558b7b90fc90445be

Download Submit
memory/1636-56-0x0000000075211000-0x0000000075213000-memory.dmp

Filesize
8KB

Download
memory/1636-58-0x00000000746A1000-0x00000000746A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads