c0c71726ae07bded4d2dbb380eaccb837361a8b72cb528222ecc5615e33a67a2

Analysis

max time kernel
125s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
12-10-2022 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0c71726ae07bded4d2dbb380eaccb837361a8b72cb528222ecc5615e33a67a2.exe
Size

190KB
MD5

02741a4953e2eb08e64422d494cb999b
SHA1

0cb5e676d12b2ec65fc32b40bc9156b9e68fb005
SHA256

c0c71726ae07bded4d2dbb380eaccb837361a8b72cb528222ecc5615e33a67a2
SHA512

05095f24cc71e410f89309940414f0c547c4653559250478bdc8addcd171f3641b563ae0019585f9bb2ee1eef3c80f586beea1c0c52beb6d86c5f681de4fd24c
SSDEEP

3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCm/DER4eQ9pssU9Z:gDCwfG1bnxLERResdZ

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	c0c71726ae07bded4d2dbb380eaccb837361a8b72cb528222ecc5615e33a67a2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	c0c71726ae07bded4d2dbb380eaccb837361a8b72cb528222ecc5615e33a67a2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RYNKSFQE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RYNKSFQE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RYNKSFQE = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
1688	avscan.exe
1040	avscan.exe
1436	hosts.exe
1304	hosts.exe
1964	avscan.exe
456	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
2012	c0c71726ae07bded4d2dbb380eaccb837361a8b72cb528222ecc5615e33a67a2.exe
2012	c0c71726ae07bded4d2dbb380eaccb837361a8b72cb528222ecc5615e33a67a2.exe
1688	avscan.exe
1304	hosts.exe
1304	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	c0c71726ae07bded4d2dbb380eaccb837361a8b72cb528222ecc5615e33a67a2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	c0c71726ae07bded4d2dbb380eaccb837361a8b72cb528222ecc5615e33a67a2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\W_X_C.vbs	c0c71726ae07bded4d2dbb380eaccb837361a8b72cb528222ecc5615e33a67a2.exe
File created	\??\c:\windows\W_X_C.bat	c0c71726ae07bded4d2dbb380eaccb837361a8b72cb528222ecc5615e33a67a2.exe
File opened for modification	C:\Windows\hosts.exe	c0c71726ae07bded4d2dbb380eaccb837361a8b72cb528222ecc5615e33a67a2.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
1484	REG.exe
820	REG.exe
1096	REG.exe
2000	REG.exe
1656	REG.exe
1108	REG.exe
2004	REG.exe
1040	REG.exe
824	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1688	avscan.exe
1304	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2012	c0c71726ae07bded4d2dbb380eaccb837361a8b72cb528222ecc5615e33a67a2.exe
1688	avscan.exe
1040	avscan.exe
1304	hosts.exe
1436	hosts.exe
1964	avscan.exe
456	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 820	2012	c0c71726ae07bded4d2dbb380eaccb837361a8b72cb528222ecc5615e33a67a2.exe	27
PID 2012 wrote to memory of 820	2012	c0c71726ae07bded4d2dbb380eaccb837361a8b72cb528222ecc5615e33a67a2.exe	27
PID 2012 wrote to memory of 820	2012	c0c71726ae07bded4d2dbb380eaccb837361a8b72cb528222ecc5615e33a67a2.exe	27
PID 2012 wrote to memory of 820	2012	c0c71726ae07bded4d2dbb380eaccb837361a8b72cb528222ecc5615e33a67a2.exe	27
PID 2012 wrote to memory of 1688	2012	c0c71726ae07bded4d2dbb380eaccb837361a8b72cb528222ecc5615e33a67a2.exe	29
PID 2012 wrote to memory of 1688	2012	c0c71726ae07bded4d2dbb380eaccb837361a8b72cb528222ecc5615e33a67a2.exe	29
PID 2012 wrote to memory of 1688	2012	c0c71726ae07bded4d2dbb380eaccb837361a8b72cb528222ecc5615e33a67a2.exe	29
PID 2012 wrote to memory of 1688	2012	c0c71726ae07bded4d2dbb380eaccb837361a8b72cb528222ecc5615e33a67a2.exe	29
PID 1688 wrote to memory of 1040	1688	avscan.exe	30
PID 1688 wrote to memory of 1040	1688	avscan.exe	30
PID 1688 wrote to memory of 1040	1688	avscan.exe	30
PID 1688 wrote to memory of 1040	1688	avscan.exe	30
PID 1688 wrote to memory of 1128	1688	avscan.exe	32
PID 1688 wrote to memory of 1128	1688	avscan.exe	32
PID 1688 wrote to memory of 1128	1688	avscan.exe	32
PID 1688 wrote to memory of 1128	1688	avscan.exe	32
PID 2012 wrote to memory of 1748	2012	c0c71726ae07bded4d2dbb380eaccb837361a8b72cb528222ecc5615e33a67a2.exe	31
PID 2012 wrote to memory of 1748	2012	c0c71726ae07bded4d2dbb380eaccb837361a8b72cb528222ecc5615e33a67a2.exe	31
PID 2012 wrote to memory of 1748	2012	c0c71726ae07bded4d2dbb380eaccb837361a8b72cb528222ecc5615e33a67a2.exe	31
PID 2012 wrote to memory of 1748	2012	c0c71726ae07bded4d2dbb380eaccb837361a8b72cb528222ecc5615e33a67a2.exe	31
PID 1128 wrote to memory of 1304	1128	cmd.exe	36
PID 1128 wrote to memory of 1304	1128	cmd.exe	36
PID 1128 wrote to memory of 1304	1128	cmd.exe	36
PID 1128 wrote to memory of 1304	1128	cmd.exe	36
PID 1748 wrote to memory of 1436	1748	cmd.exe	35
PID 1748 wrote to memory of 1436	1748	cmd.exe	35
PID 1748 wrote to memory of 1436	1748	cmd.exe	35
PID 1748 wrote to memory of 1436	1748	cmd.exe	35
PID 1304 wrote to memory of 1964	1304	hosts.exe	39
PID 1304 wrote to memory of 1964	1304	hosts.exe	39
PID 1304 wrote to memory of 1964	1304	hosts.exe	39
PID 1304 wrote to memory of 1964	1304	hosts.exe	39
PID 1128 wrote to memory of 812	1128	cmd.exe	37
PID 1128 wrote to memory of 812	1128	cmd.exe	37
PID 1128 wrote to memory of 812	1128	cmd.exe	37
PID 1128 wrote to memory of 812	1128	cmd.exe	37
PID 1748 wrote to memory of 1960	1748	cmd.exe	38
PID 1748 wrote to memory of 1960	1748	cmd.exe	38
PID 1748 wrote to memory of 1960	1748	cmd.exe	38
PID 1748 wrote to memory of 1960	1748	cmd.exe	38
PID 1304 wrote to memory of 1900	1304	hosts.exe	40
PID 1304 wrote to memory of 1900	1304	hosts.exe	40
PID 1304 wrote to memory of 1900	1304	hosts.exe	40
PID 1304 wrote to memory of 1900	1304	hosts.exe	40
PID 1900 wrote to memory of 456	1900	cmd.exe	42
PID 1900 wrote to memory of 456	1900	cmd.exe	42
PID 1900 wrote to memory of 456	1900	cmd.exe	42
PID 1900 wrote to memory of 456	1900	cmd.exe	42
PID 1900 wrote to memory of 1980	1900	cmd.exe	43
PID 1900 wrote to memory of 1980	1900	cmd.exe	43
PID 1900 wrote to memory of 1980	1900	cmd.exe	43
PID 1900 wrote to memory of 1980	1900	cmd.exe	43
PID 1688 wrote to memory of 1108	1688	avscan.exe	45
PID 1688 wrote to memory of 1108	1688	avscan.exe	45
PID 1688 wrote to memory of 1108	1688	avscan.exe	45
PID 1688 wrote to memory of 1108	1688	avscan.exe	45
PID 1304 wrote to memory of 1096	1304	hosts.exe	44
PID 1304 wrote to memory of 1096	1304	hosts.exe	44
PID 1304 wrote to memory of 1096	1304	hosts.exe	44
PID 1304 wrote to memory of 1096	1304	hosts.exe	44
PID 1304 wrote to memory of 2000	1304	hosts.exe	48
PID 1304 wrote to memory of 2000	1304	hosts.exe	48
PID 1304 wrote to memory of 2000	1304	hosts.exe	48
PID 1304 wrote to memory of 2000	1304	hosts.exe	48

C:\Users\Admin\AppData\Local\Temp\c0c71726ae07bded4d2dbb380eaccb837361a8b72cb528222ecc5615e33a67a2.exe
"C:\Users\Admin\AppData\Local\Temp\c0c71726ae07bded4d2dbb380eaccb837361a8b72cb528222ecc5615e33a67a2.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:820
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1040
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1128
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1304
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1964
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\W_X_C.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1900
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:456
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:1980
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1096
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:2000
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1040
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1484
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:812
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1108
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:2004
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1656
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:824
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1436
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:1960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
429KB

MD5
1437d7d3ee054aae28602dba6b44de83

SHA1
1588d51a6e28cdc40d7c23eb77c20bf3cfd860cb

SHA256
395b707412634639ddf0921106e0f2f140293f97ff97ce7cb6571f4df96f9616

SHA512
464cdf9ddd7d99ebfcccd3a2f52a17ebe4fa7e224b64a631e2b885c28eafeac41ae91bca4c1d8090be2702c1a97e2a700c016f7a2fbe0a41b461d2a8349e50b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
620KB

MD5
7a60cf05820a6bc34c940d7303fdd137

SHA1
d846e2a5de3d0fdb74110d43261b313e176c1200

SHA256
52088940a09b2db15afa99299bdbd8d9e0c9bda271c04e726fcc7813a729f33b

SHA512
abbee9c1b8fd1e0bfc6b5f5bb2bd7219b03b5dcf1c2f01ba16cbe40687fe4460559893b169402c893a86683907f8d555dd7b61e20000d8c8f864deb9d69c7b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
620KB

MD5
7a60cf05820a6bc34c940d7303fdd137

SHA1
d846e2a5de3d0fdb74110d43261b313e176c1200

SHA256
52088940a09b2db15afa99299bdbd8d9e0c9bda271c04e726fcc7813a729f33b

SHA512
abbee9c1b8fd1e0bfc6b5f5bb2bd7219b03b5dcf1c2f01ba16cbe40687fe4460559893b169402c893a86683907f8d555dd7b61e20000d8c8f864deb9d69c7b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
811KB

MD5
f97d14ec982d49fae9323755fdf64375

SHA1
81fac6443c7ab2eddfb2f363e6af3fa61b5c9a92

SHA256
6215da91fac939e86bfb88b2c1e6ac42c27c3941f82a262f3a1f195119f26ce5

SHA512
3898abcb7b3f51d0b36b30dc629ced61f2e77d86cbad6e7f14a95e0e0d18092e26ef6767363175746a8fedab81d86a9fdf67100498aa20eb27d37f029b86c004

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1002KB

MD5
105788777a67fdbe2c4e0aed7cad1610

SHA1
baa02657c3801651edd62b2745293e2f1e409d15

SHA256
707b1152fe5039400057c90799753cf5c9c3244fabdc9fcb6ab4652b983294cb

SHA512
cf536974cdd1a7a5427af991479e27ec1d9a5a21649384620e36acd6495d11b582f8240c672bcc0f1d05a9d16f9c886782d14fb98c3fdc0f183afb3621da59c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.2MB

MD5
12e9db28c7ff288d1c602c9e6677cd69

SHA1
ebbf959ae720461e8b2e872561b3537dfa4d3cca

SHA256
15a4a2104b3db55e516df61c2109cf954ee24b1b0322b6ae91ffd75bafa27a93

SHA512
3330b84d289ffc261ff26d948cba948f18b1a4f28efc8f4d7fcad8145cb6ea2d898ecf7d59cbe2495fa28b409611edf6c08263ae69f436c99c4221dd5cb3bc72

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.2MB

MD5
12e9db28c7ff288d1c602c9e6677cd69

SHA1
ebbf959ae720461e8b2e872561b3537dfa4d3cca

SHA256
15a4a2104b3db55e516df61c2109cf954ee24b1b0322b6ae91ffd75bafa27a93

SHA512
3330b84d289ffc261ff26d948cba948f18b1a4f28efc8f4d7fcad8145cb6ea2d898ecf7d59cbe2495fa28b409611edf6c08263ae69f436c99c4221dd5cb3bc72

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
190KB

MD5
f4835cdb2d484482ba0672c5739cd802

SHA1
38ce9efb857fd5660781486c90023e7ca7a704ee

SHA256
847ed79cfd767a44bf5d6de6aa653edde37fb9622d0683e643ee63fefdaa9f3d

SHA512
3c8406d51d3569054967607f1b63cf4250423ffe22fb0e21f546be958a3ebb403884aeb7b5e889e8737e614cd2b068ad2ba1fd29268209a3e70204464546f237

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
190KB

MD5
f4835cdb2d484482ba0672c5739cd802

SHA1
38ce9efb857fd5660781486c90023e7ca7a704ee

SHA256
847ed79cfd767a44bf5d6de6aa653edde37fb9622d0683e643ee63fefdaa9f3d

SHA512
3c8406d51d3569054967607f1b63cf4250423ffe22fb0e21f546be958a3ebb403884aeb7b5e889e8737e614cd2b068ad2ba1fd29268209a3e70204464546f237

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
190KB

MD5
f4835cdb2d484482ba0672c5739cd802

SHA1
38ce9efb857fd5660781486c90023e7ca7a704ee

SHA256
847ed79cfd767a44bf5d6de6aa653edde37fb9622d0683e643ee63fefdaa9f3d

SHA512
3c8406d51d3569054967607f1b63cf4250423ffe22fb0e21f546be958a3ebb403884aeb7b5e889e8737e614cd2b068ad2ba1fd29268209a3e70204464546f237

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
190KB

MD5
f4835cdb2d484482ba0672c5739cd802

SHA1
38ce9efb857fd5660781486c90023e7ca7a704ee

SHA256
847ed79cfd767a44bf5d6de6aa653edde37fb9622d0683e643ee63fefdaa9f3d

SHA512
3c8406d51d3569054967607f1b63cf4250423ffe22fb0e21f546be958a3ebb403884aeb7b5e889e8737e614cd2b068ad2ba1fd29268209a3e70204464546f237

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
8efab902a61f6cddc318bb5818c2f2e0

SHA1
9608751279ae04ba710d84c61e3937c12950b393

SHA256
a81d0e86c651ead3e4d9c7f64e637006e787c81c8ba3e784648c2786306bfb87

SHA512
aabd0e45609a39584c68c35e16124b399e9a4932bf6c98c22aa8c6ff71b2fbfc80333102960fcfca1abb38b344245f9cdf4cdc0c827c48235f618011a5fbfe18

Download Submit
C:\Windows\hosts.exe

Filesize
190KB

MD5
49d5c1e3ad117d501626df913b1c47d8

SHA1
22502b185620f96e8fb933cf7dc33ada81d62b69

SHA256
4dbf8dc38ac2f32352f1668e2cd5ab8762add0705c092cfb3e5c33e606041078

SHA512
c2ae5ef8a33e9919e83d89e07e237809915f59bb256bab26d90a65c7ff671c61331c8d19fcba9ec5656b77dc4605481faeab030abec8262e264f8ac2f8f210f5

Download Submit
C:\Windows\hosts.exe

Filesize
190KB

MD5
49d5c1e3ad117d501626df913b1c47d8

SHA1
22502b185620f96e8fb933cf7dc33ada81d62b69

SHA256
4dbf8dc38ac2f32352f1668e2cd5ab8762add0705c092cfb3e5c33e606041078

SHA512
c2ae5ef8a33e9919e83d89e07e237809915f59bb256bab26d90a65c7ff671c61331c8d19fcba9ec5656b77dc4605481faeab030abec8262e264f8ac2f8f210f5

Download Submit
C:\Windows\hosts.exe

Filesize
190KB

MD5
49d5c1e3ad117d501626df913b1c47d8

SHA1
22502b185620f96e8fb933cf7dc33ada81d62b69

SHA256
4dbf8dc38ac2f32352f1668e2cd5ab8762add0705c092cfb3e5c33e606041078

SHA512
c2ae5ef8a33e9919e83d89e07e237809915f59bb256bab26d90a65c7ff671c61331c8d19fcba9ec5656b77dc4605481faeab030abec8262e264f8ac2f8f210f5

Download Submit
C:\Windows\hosts.exe

Filesize
190KB

MD5
49d5c1e3ad117d501626df913b1c47d8

SHA1
22502b185620f96e8fb933cf7dc33ada81d62b69

SHA256
4dbf8dc38ac2f32352f1668e2cd5ab8762add0705c092cfb3e5c33e606041078

SHA512
c2ae5ef8a33e9919e83d89e07e237809915f59bb256bab26d90a65c7ff671c61331c8d19fcba9ec5656b77dc4605481faeab030abec8262e264f8ac2f8f210f5

Download Submit
C:\windows\hosts.exe

Filesize
190KB

MD5
49d5c1e3ad117d501626df913b1c47d8

SHA1
22502b185620f96e8fb933cf7dc33ada81d62b69

SHA256
4dbf8dc38ac2f32352f1668e2cd5ab8762add0705c092cfb3e5c33e606041078

SHA512
c2ae5ef8a33e9919e83d89e07e237809915f59bb256bab26d90a65c7ff671c61331c8d19fcba9ec5656b77dc4605481faeab030abec8262e264f8ac2f8f210f5

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
190KB

MD5
f4835cdb2d484482ba0672c5739cd802

SHA1
38ce9efb857fd5660781486c90023e7ca7a704ee

SHA256
847ed79cfd767a44bf5d6de6aa653edde37fb9622d0683e643ee63fefdaa9f3d

SHA512
3c8406d51d3569054967607f1b63cf4250423ffe22fb0e21f546be958a3ebb403884aeb7b5e889e8737e614cd2b068ad2ba1fd29268209a3e70204464546f237

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
190KB

MD5
f4835cdb2d484482ba0672c5739cd802

SHA1
38ce9efb857fd5660781486c90023e7ca7a704ee

SHA256
847ed79cfd767a44bf5d6de6aa653edde37fb9622d0683e643ee63fefdaa9f3d

SHA512
3c8406d51d3569054967607f1b63cf4250423ffe22fb0e21f546be958a3ebb403884aeb7b5e889e8737e614cd2b068ad2ba1fd29268209a3e70204464546f237

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
190KB

MD5
f4835cdb2d484482ba0672c5739cd802

SHA1
38ce9efb857fd5660781486c90023e7ca7a704ee

SHA256
847ed79cfd767a44bf5d6de6aa653edde37fb9622d0683e643ee63fefdaa9f3d

SHA512
3c8406d51d3569054967607f1b63cf4250423ffe22fb0e21f546be958a3ebb403884aeb7b5e889e8737e614cd2b068ad2ba1fd29268209a3e70204464546f237

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
190KB

MD5
f4835cdb2d484482ba0672c5739cd802

SHA1
38ce9efb857fd5660781486c90023e7ca7a704ee

SHA256
847ed79cfd767a44bf5d6de6aa653edde37fb9622d0683e643ee63fefdaa9f3d

SHA512
3c8406d51d3569054967607f1b63cf4250423ffe22fb0e21f546be958a3ebb403884aeb7b5e889e8737e614cd2b068ad2ba1fd29268209a3e70204464546f237

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
190KB

MD5
f4835cdb2d484482ba0672c5739cd802

SHA1
38ce9efb857fd5660781486c90023e7ca7a704ee

SHA256
847ed79cfd767a44bf5d6de6aa653edde37fb9622d0683e643ee63fefdaa9f3d

SHA512
3c8406d51d3569054967607f1b63cf4250423ffe22fb0e21f546be958a3ebb403884aeb7b5e889e8737e614cd2b068ad2ba1fd29268209a3e70204464546f237

Download Submit
memory/2012-56-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download
memory/2012-58-0x0000000074161000-0x0000000074163000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads