9905a9b56a5e88edaf6d43badfdf6db9ce86837f5a8436164033e6b0bf381c1c

Analysis

max time kernel
124s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9905a9b56a5e88edaf6d43badfdf6db9ce86837f5a8436164033e6b0bf381c1c.exe
Size

367KB
MD5

03d59a294951b4b4a8026e5dede58ec7
SHA1

bdeb0d484970a309c655019755d6604ec42a2b20
SHA256

9905a9b56a5e88edaf6d43badfdf6db9ce86837f5a8436164033e6b0bf381c1c
SHA512

cbc09e48cdb5e41e27f8099c33a0f1709ddab131494aadaca7caa8f30e03c35b168294d331bfed8d01ae5ada4e34772909bffedb05e0f1c2d4725742c88bdfce
SSDEEP

6144:gDCwfG1bnxLERR9saMDCwfG1bnxLERR9satG14W:g72bntEL9/M72bntEL9/tG1p

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	9905a9b56a5e88edaf6d43badfdf6db9ce86837f5a8436164033e6b0bf381c1c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	9905a9b56a5e88edaf6d43badfdf6db9ce86837f5a8436164033e6b0bf381c1c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZERMMMDR = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZERMMMDR = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
1704	avscan.exe
1720	avscan.exe
696	hosts.exe
324	hosts.exe
1224	avscan.exe
964	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
832	9905a9b56a5e88edaf6d43badfdf6db9ce86837f5a8436164033e6b0bf381c1c.exe
832	9905a9b56a5e88edaf6d43badfdf6db9ce86837f5a8436164033e6b0bf381c1c.exe
1704	avscan.exe
696	hosts.exe
696	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	9905a9b56a5e88edaf6d43badfdf6db9ce86837f5a8436164033e6b0bf381c1c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	9905a9b56a5e88edaf6d43badfdf6db9ce86837f5a8436164033e6b0bf381c1c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\W_X_C.vbs	9905a9b56a5e88edaf6d43badfdf6db9ce86837f5a8436164033e6b0bf381c1c.exe
File created	\??\c:\windows\W_X_C.bat	9905a9b56a5e88edaf6d43badfdf6db9ce86837f5a8436164033e6b0bf381c1c.exe
File opened for modification	C:\Windows\hosts.exe	9905a9b56a5e88edaf6d43badfdf6db9ce86837f5a8436164033e6b0bf381c1c.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
1604	REG.exe
1980	REG.exe
980	REG.exe
1568	REG.exe
1992	REG.exe
1448	REG.exe
432	REG.exe
860	REG.exe
1892	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1704	avscan.exe
696	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
832	9905a9b56a5e88edaf6d43badfdf6db9ce86837f5a8436164033e6b0bf381c1c.exe
1704	avscan.exe
1720	avscan.exe
696	hosts.exe
324	hosts.exe
1224	avscan.exe
964	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 1448	832	9905a9b56a5e88edaf6d43badfdf6db9ce86837f5a8436164033e6b0bf381c1c.exe	28
PID 832 wrote to memory of 1448	832	9905a9b56a5e88edaf6d43badfdf6db9ce86837f5a8436164033e6b0bf381c1c.exe	28
PID 832 wrote to memory of 1448	832	9905a9b56a5e88edaf6d43badfdf6db9ce86837f5a8436164033e6b0bf381c1c.exe	28
PID 832 wrote to memory of 1448	832	9905a9b56a5e88edaf6d43badfdf6db9ce86837f5a8436164033e6b0bf381c1c.exe	28
PID 832 wrote to memory of 1704	832	9905a9b56a5e88edaf6d43badfdf6db9ce86837f5a8436164033e6b0bf381c1c.exe	30
PID 832 wrote to memory of 1704	832	9905a9b56a5e88edaf6d43badfdf6db9ce86837f5a8436164033e6b0bf381c1c.exe	30
PID 832 wrote to memory of 1704	832	9905a9b56a5e88edaf6d43badfdf6db9ce86837f5a8436164033e6b0bf381c1c.exe	30
PID 832 wrote to memory of 1704	832	9905a9b56a5e88edaf6d43badfdf6db9ce86837f5a8436164033e6b0bf381c1c.exe	30
PID 1704 wrote to memory of 1720	1704	avscan.exe	31
PID 1704 wrote to memory of 1720	1704	avscan.exe	31
PID 1704 wrote to memory of 1720	1704	avscan.exe	31
PID 1704 wrote to memory of 1720	1704	avscan.exe	31
PID 1704 wrote to memory of 2016	1704	avscan.exe	32
PID 1704 wrote to memory of 2016	1704	avscan.exe	32
PID 1704 wrote to memory of 2016	1704	avscan.exe	32
PID 1704 wrote to memory of 2016	1704	avscan.exe	32
PID 832 wrote to memory of 572	832	9905a9b56a5e88edaf6d43badfdf6db9ce86837f5a8436164033e6b0bf381c1c.exe	33
PID 832 wrote to memory of 572	832	9905a9b56a5e88edaf6d43badfdf6db9ce86837f5a8436164033e6b0bf381c1c.exe	33
PID 832 wrote to memory of 572	832	9905a9b56a5e88edaf6d43badfdf6db9ce86837f5a8436164033e6b0bf381c1c.exe	33
PID 832 wrote to memory of 572	832	9905a9b56a5e88edaf6d43badfdf6db9ce86837f5a8436164033e6b0bf381c1c.exe	33
PID 2016 wrote to memory of 696	2016	cmd.exe	37
PID 2016 wrote to memory of 696	2016	cmd.exe	37
PID 2016 wrote to memory of 696	2016	cmd.exe	37
PID 2016 wrote to memory of 696	2016	cmd.exe	37
PID 572 wrote to memory of 324	572	cmd.exe	36
PID 572 wrote to memory of 324	572	cmd.exe	36
PID 572 wrote to memory of 324	572	cmd.exe	36
PID 572 wrote to memory of 324	572	cmd.exe	36
PID 696 wrote to memory of 1224	696	hosts.exe	38
PID 696 wrote to memory of 1224	696	hosts.exe	38
PID 696 wrote to memory of 1224	696	hosts.exe	38
PID 696 wrote to memory of 1224	696	hosts.exe	38
PID 572 wrote to memory of 1688	572	cmd.exe	39
PID 572 wrote to memory of 1688	572	cmd.exe	39
PID 572 wrote to memory of 1688	572	cmd.exe	39
PID 572 wrote to memory of 1688	572	cmd.exe	39
PID 696 wrote to memory of 1272	696	hosts.exe	40
PID 696 wrote to memory of 1272	696	hosts.exe	40
PID 696 wrote to memory of 1272	696	hosts.exe	40
PID 696 wrote to memory of 1272	696	hosts.exe	40
PID 1272 wrote to memory of 964	1272	cmd.exe	42
PID 1272 wrote to memory of 964	1272	cmd.exe	42
PID 1272 wrote to memory of 964	1272	cmd.exe	42
PID 1272 wrote to memory of 964	1272	cmd.exe	42
PID 1272 wrote to memory of 1396	1272	cmd.exe	43
PID 1272 wrote to memory of 1396	1272	cmd.exe	43
PID 1272 wrote to memory of 1396	1272	cmd.exe	43
PID 1272 wrote to memory of 1396	1272	cmd.exe	43
PID 1704 wrote to memory of 432	1704	avscan.exe	44
PID 1704 wrote to memory of 432	1704	avscan.exe	44
PID 1704 wrote to memory of 432	1704	avscan.exe	44
PID 1704 wrote to memory of 432	1704	avscan.exe	44
PID 696 wrote to memory of 860	696	hosts.exe	46
PID 696 wrote to memory of 860	696	hosts.exe	46
PID 696 wrote to memory of 860	696	hosts.exe	46
PID 696 wrote to memory of 860	696	hosts.exe	46
PID 1704 wrote to memory of 1604	1704	avscan.exe	48
PID 1704 wrote to memory of 1604	1704	avscan.exe	48
PID 1704 wrote to memory of 1604	1704	avscan.exe	48
PID 1704 wrote to memory of 1604	1704	avscan.exe	48
PID 696 wrote to memory of 1892	696	hosts.exe	50
PID 696 wrote to memory of 1892	696	hosts.exe	50
PID 696 wrote to memory of 1892	696	hosts.exe	50
PID 696 wrote to memory of 1892	696	hosts.exe	50

C:\Users\Admin\AppData\Local\Temp\9905a9b56a5e88edaf6d43badfdf6db9ce86837f5a8436164033e6b0bf381c1c.exe
"C:\Users\Admin\AppData\Local\Temp\9905a9b56a5e88edaf6d43badfdf6db9ce86837f5a8436164033e6b0bf381c1c.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:832
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:1448
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1720
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:696
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1224
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\W_X_C.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1272
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:964
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:1396
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:860
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1892
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1980
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1568
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:432
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1604
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1992
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:572
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:324
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:1688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
783KB

MD5
6ae2342ab1930cb7e276885323c0b928

SHA1
5ccca50b840c8c4d57eecc5cf125f7544d871312

SHA256
ff246a2c87231e5fc3325b78e1673c06307902b8ad97d1f0c173cffafb59ea7f

SHA512
15d8b2e1819e09ca33fe1bfb8a24ca391b7b29b3cfabd7d5baa667da54d5898193a2a6c97840edc5b15c0354f8ef3af60eae39ae5d109cdfb0d86461db8f460d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.1MB

MD5
5d0a9613086f7dece735d8c1f99de48d

SHA1
d7b851969c430b96c81d4f51a9ffd71a8d3c8de0

SHA256
840bc1cfa88452919f3bc5450f46064f149e688a00e7d0e46d625be5ea880b53

SHA512
17928c7c0414f85a7126c625b614a0f7df855f68d7802bb4e2ca6901a5e7b4fa452355e31c2c5cec3f3e6bbcbf19ccfe8947d76a312a96bb7fdd6bf352b8ec99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.5MB

MD5
3d355c4ee451e5d118703e8aa4ab2f37

SHA1
17cd200f058db7ba343c4da1496fc4e8e3c33792

SHA256
82fa2f282a54b656c81d08b8b616da9acbb24313f9809cb2a99fa1f6037f0256

SHA512
86af7ee454c6b129a6ea32cca714985d530d053b46ce840d9b6d6a1e5f77e9855e044cec222dd58d30848f22702d4774cf54466be2261798ff564ec871d2ce67

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.8MB

MD5
09c6560ded51cbc98b8995dd3eb818ec

SHA1
c3449ac3d45f6f123eb9aef9997371e29a5af873

SHA256
1412926d31890f874d54840c097206aadafa798531b2db829187e601ef1467f1

SHA512
ffdd3418b4417ba9ffd0e6bf753bd16ccebf474bd50cfa30d794360885dba1fbbc615246491243b18ed92f088e0669d5b270bf71984541dffcaed00a310323a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.2MB

MD5
a53205ca9741ab4ae6bf25db7f7bc855

SHA1
f5756bacdf24ebc3a59860dad7daae000714b7e7

SHA256
453491b2612216b46d9048cea9d7558e4606bbf63272240c3743f6d5cb969308

SHA512
54c780d09eb094ef6a219c28444ff78eb9e5c00cd48cbda164a6a0275d2c9e50ae333e2ca77709f167bbd011c50d2c1fefd2f65f175c84668450a846ec375566

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.9MB

MD5
b6b370232ac584886729ee1aae93914e

SHA1
541c3508f10c7f3ed90b0347133b768c993505c5

SHA256
cbb2448e97084c37a5897640482d184d09aca80c0d8e7a32429c41fcda55dc78

SHA512
4edf93bd3f6927c32d5a95231ebd70b13342d1f8402fd0bb2409f1bc520bf1049da9c1cb0a1fca367f2f621b126082dda2ed7d88037f89a9a6afa198949d2c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.9MB

MD5
7855e4b5ea108d4bbb000d2aed71e52c

SHA1
758f035af203a30866b67611e22c6b6974b0f6b7

SHA256
3cffc3584e49086f7d71b042d091dc5ac520d46d832b3853cfbd39383443ee8b

SHA512
db7af7883003da0ac81040da447995c8fa50812a54a5ce4539bf5f7ce291e9b4f5be94e29bb17682b8b4155fbbd2bb789b85d1b8c1dd93418bbe1ff0ee8670d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
367KB

MD5
ded54a1cf73e9125f266c47fbc0cbc9d

SHA1
bca6723f5857b7a9ca8cb7381bbd75f9e04b9eef

SHA256
295391d9739d593a2f3f01c7781de4de6c1b6a5047f7eb4f723a7d7ba676f6ce

SHA512
2944094e1c29af47f7f38d834d83bf471926a795a84703f4cf86e9b44a87842ee2ee21870012990a1565e3b6c59df038e38ee7d559a24a4c927fe3a0fd67521d

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
367KB

MD5
ded54a1cf73e9125f266c47fbc0cbc9d

SHA1
bca6723f5857b7a9ca8cb7381bbd75f9e04b9eef

SHA256
295391d9739d593a2f3f01c7781de4de6c1b6a5047f7eb4f723a7d7ba676f6ce

SHA512
2944094e1c29af47f7f38d834d83bf471926a795a84703f4cf86e9b44a87842ee2ee21870012990a1565e3b6c59df038e38ee7d559a24a4c927fe3a0fd67521d

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
367KB

MD5
ded54a1cf73e9125f266c47fbc0cbc9d

SHA1
bca6723f5857b7a9ca8cb7381bbd75f9e04b9eef

SHA256
295391d9739d593a2f3f01c7781de4de6c1b6a5047f7eb4f723a7d7ba676f6ce

SHA512
2944094e1c29af47f7f38d834d83bf471926a795a84703f4cf86e9b44a87842ee2ee21870012990a1565e3b6c59df038e38ee7d559a24a4c927fe3a0fd67521d

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
367KB

MD5
ded54a1cf73e9125f266c47fbc0cbc9d

SHA1
bca6723f5857b7a9ca8cb7381bbd75f9e04b9eef

SHA256
295391d9739d593a2f3f01c7781de4de6c1b6a5047f7eb4f723a7d7ba676f6ce

SHA512
2944094e1c29af47f7f38d834d83bf471926a795a84703f4cf86e9b44a87842ee2ee21870012990a1565e3b6c59df038e38ee7d559a24a4c927fe3a0fd67521d

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
b147c267b47c4a6cfa3a72c41407541b

SHA1
062231bf7639b26f92e6d5ef78d515f8eaa9639d

SHA256
c9b7b5b912ab24c729de962727ac33835dd58f17754f9368ac702b9987f3baf6

SHA512
4f646fee7eaa29f33604b3f349b3d90a65bec39fdbe80bac6dcd2cd67b17475e51f833a66a5207d3008fede867792605bab132d6672e206bfefaa83aa344ac64

Download Submit
C:\Windows\hosts.exe

Filesize
367KB

MD5
8750fbc435d98089c37fa67bdef2c242

SHA1
8157b49ae295f7dea664b77389e8e9beba2e2343

SHA256
4d41d1ae0680f1ffb700532a8f34533b6073f60b260305550f1da9d7e71d68cf

SHA512
af26cbcfb4a76b25f9ab12bccbf6993696eb9aaee61f56b1bee20d0d5ea821f6c4746872ec9ee85c2392b8353dbfdd86a1d873de8163609942d8464cc91808fb

Download Submit
C:\Windows\hosts.exe

Filesize
367KB

MD5
8750fbc435d98089c37fa67bdef2c242

SHA1
8157b49ae295f7dea664b77389e8e9beba2e2343

SHA256
4d41d1ae0680f1ffb700532a8f34533b6073f60b260305550f1da9d7e71d68cf

SHA512
af26cbcfb4a76b25f9ab12bccbf6993696eb9aaee61f56b1bee20d0d5ea821f6c4746872ec9ee85c2392b8353dbfdd86a1d873de8163609942d8464cc91808fb

Download Submit
C:\Windows\hosts.exe

Filesize
367KB

MD5
8750fbc435d98089c37fa67bdef2c242

SHA1
8157b49ae295f7dea664b77389e8e9beba2e2343

SHA256
4d41d1ae0680f1ffb700532a8f34533b6073f60b260305550f1da9d7e71d68cf

SHA512
af26cbcfb4a76b25f9ab12bccbf6993696eb9aaee61f56b1bee20d0d5ea821f6c4746872ec9ee85c2392b8353dbfdd86a1d873de8163609942d8464cc91808fb

Download Submit
C:\Windows\hosts.exe

Filesize
367KB

MD5
8750fbc435d98089c37fa67bdef2c242

SHA1
8157b49ae295f7dea664b77389e8e9beba2e2343

SHA256
4d41d1ae0680f1ffb700532a8f34533b6073f60b260305550f1da9d7e71d68cf

SHA512
af26cbcfb4a76b25f9ab12bccbf6993696eb9aaee61f56b1bee20d0d5ea821f6c4746872ec9ee85c2392b8353dbfdd86a1d873de8163609942d8464cc91808fb

Download Submit
C:\windows\hosts.exe

Filesize
367KB

MD5
8750fbc435d98089c37fa67bdef2c242

SHA1
8157b49ae295f7dea664b77389e8e9beba2e2343

SHA256
4d41d1ae0680f1ffb700532a8f34533b6073f60b260305550f1da9d7e71d68cf

SHA512
af26cbcfb4a76b25f9ab12bccbf6993696eb9aaee61f56b1bee20d0d5ea821f6c4746872ec9ee85c2392b8353dbfdd86a1d873de8163609942d8464cc91808fb

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
367KB

MD5
ded54a1cf73e9125f266c47fbc0cbc9d

SHA1
bca6723f5857b7a9ca8cb7381bbd75f9e04b9eef

SHA256
295391d9739d593a2f3f01c7781de4de6c1b6a5047f7eb4f723a7d7ba676f6ce

SHA512
2944094e1c29af47f7f38d834d83bf471926a795a84703f4cf86e9b44a87842ee2ee21870012990a1565e3b6c59df038e38ee7d559a24a4c927fe3a0fd67521d

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
367KB

MD5
ded54a1cf73e9125f266c47fbc0cbc9d

SHA1
bca6723f5857b7a9ca8cb7381bbd75f9e04b9eef

SHA256
295391d9739d593a2f3f01c7781de4de6c1b6a5047f7eb4f723a7d7ba676f6ce

SHA512
2944094e1c29af47f7f38d834d83bf471926a795a84703f4cf86e9b44a87842ee2ee21870012990a1565e3b6c59df038e38ee7d559a24a4c927fe3a0fd67521d

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
367KB

MD5
ded54a1cf73e9125f266c47fbc0cbc9d

SHA1
bca6723f5857b7a9ca8cb7381bbd75f9e04b9eef

SHA256
295391d9739d593a2f3f01c7781de4de6c1b6a5047f7eb4f723a7d7ba676f6ce

SHA512
2944094e1c29af47f7f38d834d83bf471926a795a84703f4cf86e9b44a87842ee2ee21870012990a1565e3b6c59df038e38ee7d559a24a4c927fe3a0fd67521d

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
367KB

MD5
ded54a1cf73e9125f266c47fbc0cbc9d

SHA1
bca6723f5857b7a9ca8cb7381bbd75f9e04b9eef

SHA256
295391d9739d593a2f3f01c7781de4de6c1b6a5047f7eb4f723a7d7ba676f6ce

SHA512
2944094e1c29af47f7f38d834d83bf471926a795a84703f4cf86e9b44a87842ee2ee21870012990a1565e3b6c59df038e38ee7d559a24a4c927fe3a0fd67521d

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
367KB

MD5
ded54a1cf73e9125f266c47fbc0cbc9d

SHA1
bca6723f5857b7a9ca8cb7381bbd75f9e04b9eef

SHA256
295391d9739d593a2f3f01c7781de4de6c1b6a5047f7eb4f723a7d7ba676f6ce

SHA512
2944094e1c29af47f7f38d834d83bf471926a795a84703f4cf86e9b44a87842ee2ee21870012990a1565e3b6c59df038e38ee7d559a24a4c927fe3a0fd67521d

Download Submit
memory/832-58-0x0000000074D51000-0x0000000074D53000-memory.dmp

Filesize
8KB

Download
memory/832-56-0x0000000075921000-0x0000000075923000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads