65bbbe71cf0a23e13975368f08e1eb9fb730fb3a46b5b8abf86c00d4ecdc05a5

Analysis

max time kernel
124s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-11-2022 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65bbbe71cf0a23e13975368f08e1eb9fb730fb3a46b5b8abf86c00d4ecdc05a5.exe
Size

371KB
MD5

0dc4a872fadaaea4b1c2adb72f5d20d4
SHA1

8c7f768f48ed1da59b814fca43548334ea77b009
SHA256

65bbbe71cf0a23e13975368f08e1eb9fb730fb3a46b5b8abf86c00d4ecdc05a5
SHA512

f1f780450f32d860ac93ac6a81034e5805e074f6634974545aa98452af07f14d20ca57267bec2c4a6b7f6a0d7fd949f570d50b4b046afbbcd3e9f660e9cc0488
SSDEEP

6144:gDCwfG1bnxL8CQo6DCwfG1bnxL8CQoeYjj:g72bntdQ572bntdQb4j

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	65bbbe71cf0a23e13975368f08e1eb9fb730fb3a46b5b8abf86c00d4ecdc05a5.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	65bbbe71cf0a23e13975368f08e1eb9fb730fb3a46b5b8abf86c00d4ecdc05a5.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GRXNNIIE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GRXNNIIE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GRXNNIIE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
2032	avscan.exe
340	avscan.exe
1224	hosts.exe
1556	hosts.exe
2012	avscan.exe
1808	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
1884	65bbbe71cf0a23e13975368f08e1eb9fb730fb3a46b5b8abf86c00d4ecdc05a5.exe
1884	65bbbe71cf0a23e13975368f08e1eb9fb730fb3a46b5b8abf86c00d4ecdc05a5.exe
2032	avscan.exe
1556	hosts.exe
1556	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	65bbbe71cf0a23e13975368f08e1eb9fb730fb3a46b5b8abf86c00d4ecdc05a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	65bbbe71cf0a23e13975368f08e1eb9fb730fb3a46b5b8abf86c00d4ecdc05a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	65bbbe71cf0a23e13975368f08e1eb9fb730fb3a46b5b8abf86c00d4ecdc05a5.exe
File created	\??\c:\windows\W_X_C.bat	65bbbe71cf0a23e13975368f08e1eb9fb730fb3a46b5b8abf86c00d4ecdc05a5.exe
File opened for modification	C:\Windows\hosts.exe	65bbbe71cf0a23e13975368f08e1eb9fb730fb3a46b5b8abf86c00d4ecdc05a5.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
1800	REG.exe
1004	REG.exe
2020	REG.exe
268	REG.exe
668	REG.exe
1320	REG.exe
1612	REG.exe
1000	REG.exe
2024	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2032	avscan.exe
1556	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1884	65bbbe71cf0a23e13975368f08e1eb9fb730fb3a46b5b8abf86c00d4ecdc05a5.exe
2032	avscan.exe
340	avscan.exe
1556	hosts.exe
1224	hosts.exe
2012	avscan.exe
1808	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 1000	1884	65bbbe71cf0a23e13975368f08e1eb9fb730fb3a46b5b8abf86c00d4ecdc05a5.exe	28
PID 1884 wrote to memory of 1000	1884	65bbbe71cf0a23e13975368f08e1eb9fb730fb3a46b5b8abf86c00d4ecdc05a5.exe	28
PID 1884 wrote to memory of 1000	1884	65bbbe71cf0a23e13975368f08e1eb9fb730fb3a46b5b8abf86c00d4ecdc05a5.exe	28
PID 1884 wrote to memory of 1000	1884	65bbbe71cf0a23e13975368f08e1eb9fb730fb3a46b5b8abf86c00d4ecdc05a5.exe	28
PID 1884 wrote to memory of 2032	1884	65bbbe71cf0a23e13975368f08e1eb9fb730fb3a46b5b8abf86c00d4ecdc05a5.exe	30
PID 1884 wrote to memory of 2032	1884	65bbbe71cf0a23e13975368f08e1eb9fb730fb3a46b5b8abf86c00d4ecdc05a5.exe	30
PID 1884 wrote to memory of 2032	1884	65bbbe71cf0a23e13975368f08e1eb9fb730fb3a46b5b8abf86c00d4ecdc05a5.exe	30
PID 1884 wrote to memory of 2032	1884	65bbbe71cf0a23e13975368f08e1eb9fb730fb3a46b5b8abf86c00d4ecdc05a5.exe	30
PID 2032 wrote to memory of 340	2032	avscan.exe	31
PID 2032 wrote to memory of 340	2032	avscan.exe	31
PID 2032 wrote to memory of 340	2032	avscan.exe	31
PID 2032 wrote to memory of 340	2032	avscan.exe	31
PID 2032 wrote to memory of 1324	2032	avscan.exe	32
PID 2032 wrote to memory of 1324	2032	avscan.exe	32
PID 2032 wrote to memory of 1324	2032	avscan.exe	32
PID 2032 wrote to memory of 1324	2032	avscan.exe	32
PID 1884 wrote to memory of 588	1884	65bbbe71cf0a23e13975368f08e1eb9fb730fb3a46b5b8abf86c00d4ecdc05a5.exe	34
PID 1884 wrote to memory of 588	1884	65bbbe71cf0a23e13975368f08e1eb9fb730fb3a46b5b8abf86c00d4ecdc05a5.exe	34
PID 1884 wrote to memory of 588	1884	65bbbe71cf0a23e13975368f08e1eb9fb730fb3a46b5b8abf86c00d4ecdc05a5.exe	34
PID 1884 wrote to memory of 588	1884	65bbbe71cf0a23e13975368f08e1eb9fb730fb3a46b5b8abf86c00d4ecdc05a5.exe	34
PID 1324 wrote to memory of 1224	1324	cmd.exe	37
PID 1324 wrote to memory of 1224	1324	cmd.exe	37
PID 1324 wrote to memory of 1224	1324	cmd.exe	37
PID 1324 wrote to memory of 1224	1324	cmd.exe	37
PID 588 wrote to memory of 1556	588	cmd.exe	36
PID 588 wrote to memory of 1556	588	cmd.exe	36
PID 588 wrote to memory of 1556	588	cmd.exe	36
PID 588 wrote to memory of 1556	588	cmd.exe	36
PID 1556 wrote to memory of 2012	1556	hosts.exe	38
PID 1556 wrote to memory of 2012	1556	hosts.exe	38
PID 1556 wrote to memory of 2012	1556	hosts.exe	38
PID 1556 wrote to memory of 2012	1556	hosts.exe	38
PID 1556 wrote to memory of 1180	1556	hosts.exe	39
PID 1556 wrote to memory of 1180	1556	hosts.exe	39
PID 1556 wrote to memory of 1180	1556	hosts.exe	39
PID 1556 wrote to memory of 1180	1556	hosts.exe	39
PID 1180 wrote to memory of 1808	1180	cmd.exe	41
PID 1180 wrote to memory of 1808	1180	cmd.exe	41
PID 1180 wrote to memory of 1808	1180	cmd.exe	41
PID 1180 wrote to memory of 1808	1180	cmd.exe	41
PID 588 wrote to memory of 972	588	cmd.exe	43
PID 588 wrote to memory of 972	588	cmd.exe	43
PID 588 wrote to memory of 972	588	cmd.exe	43
PID 588 wrote to memory of 972	588	cmd.exe	43
PID 1324 wrote to memory of 572	1324	cmd.exe	42
PID 1180 wrote to memory of 632	1180	cmd.exe	44
PID 1180 wrote to memory of 632	1180	cmd.exe	44
PID 1180 wrote to memory of 632	1180	cmd.exe	44
PID 1180 wrote to memory of 632	1180	cmd.exe	44
PID 1324 wrote to memory of 572	1324	cmd.exe	42
PID 1324 wrote to memory of 572	1324	cmd.exe	42
PID 1324 wrote to memory of 572	1324	cmd.exe	42
PID 2032 wrote to memory of 1800	2032	avscan.exe	45
PID 2032 wrote to memory of 1800	2032	avscan.exe	45
PID 2032 wrote to memory of 1800	2032	avscan.exe	45
PID 2032 wrote to memory of 1800	2032	avscan.exe	45
PID 1556 wrote to memory of 1004	1556	hosts.exe	47
PID 1556 wrote to memory of 1004	1556	hosts.exe	47
PID 1556 wrote to memory of 1004	1556	hosts.exe	47
PID 1556 wrote to memory of 1004	1556	hosts.exe	47
PID 1556 wrote to memory of 2024	1556	hosts.exe	50
PID 1556 wrote to memory of 2024	1556	hosts.exe	50
PID 1556 wrote to memory of 2024	1556	hosts.exe	50
PID 1556 wrote to memory of 2024	1556	hosts.exe	50

C:\Users\Admin\AppData\Local\Temp\65bbbe71cf0a23e13975368f08e1eb9fb730fb3a46b5b8abf86c00d4ecdc05a5.exe
"C:\Users\Admin\AppData\Local\Temp\65bbbe71cf0a23e13975368f08e1eb9fb730fb3a46b5b8abf86c00d4ecdc05a5.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:1000
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:340
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1324
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1224
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:572
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1800
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:2020
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:268
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:588
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2012
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\W_X_C.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1180
    - - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1808
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        5⤵
        Adds policy Run key to start application
        
        PID:632
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1004
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:2024
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:668
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1612
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
791KB

MD5
29fece54bca617de579b06d487c28c86

SHA1
2f997082b80a31cfda9e593222b933ca12a66585

SHA256
7db5c45194c821a12d9f12554fe635cd00fb37640c6499a36440f2cf7f36cc7e

SHA512
f9b330ca9f9b66739dffb0d978c3d7858e3864fa4dd3977de82bda5fd03258ce55325246f4bad061523fb88fa2b13c15c853359f62486fe2b45624f7ad6e8d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.5MB

MD5
1058e7bc937ba3f96d8a1bf018cf9162

SHA1
09d2735e01a518b9a73d4b8e835c1a6fa621fcd0

SHA256
fa9ed65c6ac06d23285363421f2a8087f6e3a3c43669acd1a76c1d7e2b6ca417

SHA512
635e5ec5b3a0c8041e97c06c248f7e1229388dca27ec6d9f0f46432b8027ddcf4efbaefbb2125255e94d79f3452afba0adfbb568960eddaa8a76edf9e9aa3e0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.2MB

MD5
fee1af7d8bd0afdff4941275ecd5931f

SHA1
74d55a922fca4c2b90c80c0c0095d72d597e288a

SHA256
6770eeaffb38572c2221412a24c1d4b81139f43cc12c918bb766723bf1bb735b

SHA512
36f5af865cdf401f839719a2703857c129d6f27462c38a28547de114dd81c5903b31483b9f55c0bec5c8e865478d625c6640d7be1d70ffe2809ea5731a8f5946

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.2MB

MD5
25ea1bb1e1f5550498fdaee4c9f0a6bd

SHA1
242b5a637532ba4c21ec916edc7b0ac6d5bec75a

SHA256
d2e83addc341cea142959a9df2c1578083171fe124f1c52a73c23ea4517a23cb

SHA512
db2bf32b7bcdb0dc482681fbfd8df41b43271dbf79e3d0d7bb5ab3989b49812f35553c7cea0e4edf04eb1c24b4a369588a98b4b7aa1470f029bcfa87a16aedb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
3.0MB

MD5
8664d0a6405e3bac052c50669b035099

SHA1
fd6dafc1b3dfad74f88783ec9e2a2d59705977bc

SHA256
3069114da4ff84443da15ef545201b67fa5907a8d3ceaa5f3a924bc2fbb9a862

SHA512
089190a7491025c4f33a9be4924af16e1dd180998cbcbcf50b569b16bf9e596d634cdbd07416f3f97eea3e729369d211c868f0e15076247a512abf199edffb4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
3.0MB

MD5
7fb74cd3e51d278c25279afb9cb6f66e

SHA1
bf9c998b61073643a71eaca5c687041487223eb3

SHA256
a27a244c893a526609405891ace45671acec6e0427760d6b218f47bf1a170c1b

SHA512
52b5ed57e685430277581fbca11f6fc7bec988913d3a42773aa1a60baa8da7285ec8c1881645c9d0fd6f13424b3797f660ed9a33d26175248154ebab56f0f775

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
371KB

MD5
788719b1d2e9f42aeabe421747139190

SHA1
bb63488950b64498a745a47d468b6021e6b1d8f7

SHA256
561d15d981207b46877f9d63977e69dd378e6e2d17985fedf7f2bcd0a2a1e6bd

SHA512
635d732fa49a301a04e4e31d708e9f284440c475d9b8650c3648e3c3bf71adaf3df8f21f0a8b0b045845bb8da1349d213c74e2d8d204c85dbb4228d005cba957

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
371KB

MD5
788719b1d2e9f42aeabe421747139190

SHA1
bb63488950b64498a745a47d468b6021e6b1d8f7

SHA256
561d15d981207b46877f9d63977e69dd378e6e2d17985fedf7f2bcd0a2a1e6bd

SHA512
635d732fa49a301a04e4e31d708e9f284440c475d9b8650c3648e3c3bf71adaf3df8f21f0a8b0b045845bb8da1349d213c74e2d8d204c85dbb4228d005cba957

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
371KB

MD5
788719b1d2e9f42aeabe421747139190

SHA1
bb63488950b64498a745a47d468b6021e6b1d8f7

SHA256
561d15d981207b46877f9d63977e69dd378e6e2d17985fedf7f2bcd0a2a1e6bd

SHA512
635d732fa49a301a04e4e31d708e9f284440c475d9b8650c3648e3c3bf71adaf3df8f21f0a8b0b045845bb8da1349d213c74e2d8d204c85dbb4228d005cba957

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
371KB

MD5
788719b1d2e9f42aeabe421747139190

SHA1
bb63488950b64498a745a47d468b6021e6b1d8f7

SHA256
561d15d981207b46877f9d63977e69dd378e6e2d17985fedf7f2bcd0a2a1e6bd

SHA512
635d732fa49a301a04e4e31d708e9f284440c475d9b8650c3648e3c3bf71adaf3df8f21f0a8b0b045845bb8da1349d213c74e2d8d204c85dbb4228d005cba957

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
9eb0c6074d8e54f7da6508b5f6809e78

SHA1
61f003a28c45377e9fc641a0dd1382e6931c11f0

SHA256
df6f01f8c7c5ad4b1e66d19309ad60f0189bc607d7a07c184d9d94abd29c3ee8

SHA512
f6db15038cf4312647c59574cf2352c132c36cd060293977427b719066e5519838c6fed059d3a1d4e3277b575d9132d29d150c45cebd8a3852e705f3297f6d08

Download Submit
C:\Windows\hosts.exe

Filesize
371KB

MD5
8106d104435d606ccea81fc39e039618

SHA1
3617e101093a0dff7367f7765afa854009983c3d

SHA256
99c9143d68f47f83f408a0c802b786a2f21c09589fa82715933c7f718f871f6d

SHA512
fe656e551c6347a67320a711b780cd46e67d76164cbbd23ace38193a4bb8661e3fac0bf7c3752281d8606bc8347df714943d02d6241dcff3d1d949dd14c26c2b

Download Submit
C:\Windows\hosts.exe

Filesize
371KB

MD5
8106d104435d606ccea81fc39e039618

SHA1
3617e101093a0dff7367f7765afa854009983c3d

SHA256
99c9143d68f47f83f408a0c802b786a2f21c09589fa82715933c7f718f871f6d

SHA512
fe656e551c6347a67320a711b780cd46e67d76164cbbd23ace38193a4bb8661e3fac0bf7c3752281d8606bc8347df714943d02d6241dcff3d1d949dd14c26c2b

Download Submit
C:\Windows\hosts.exe

Filesize
371KB

MD5
8106d104435d606ccea81fc39e039618

SHA1
3617e101093a0dff7367f7765afa854009983c3d

SHA256
99c9143d68f47f83f408a0c802b786a2f21c09589fa82715933c7f718f871f6d

SHA512
fe656e551c6347a67320a711b780cd46e67d76164cbbd23ace38193a4bb8661e3fac0bf7c3752281d8606bc8347df714943d02d6241dcff3d1d949dd14c26c2b

Download Submit
C:\Windows\hosts.exe

Filesize
371KB

MD5
8106d104435d606ccea81fc39e039618

SHA1
3617e101093a0dff7367f7765afa854009983c3d

SHA256
99c9143d68f47f83f408a0c802b786a2f21c09589fa82715933c7f718f871f6d

SHA512
fe656e551c6347a67320a711b780cd46e67d76164cbbd23ace38193a4bb8661e3fac0bf7c3752281d8606bc8347df714943d02d6241dcff3d1d949dd14c26c2b

Download Submit
C:\windows\hosts.exe

Filesize
371KB

MD5
8106d104435d606ccea81fc39e039618

SHA1
3617e101093a0dff7367f7765afa854009983c3d

SHA256
99c9143d68f47f83f408a0c802b786a2f21c09589fa82715933c7f718f871f6d

SHA512
fe656e551c6347a67320a711b780cd46e67d76164cbbd23ace38193a4bb8661e3fac0bf7c3752281d8606bc8347df714943d02d6241dcff3d1d949dd14c26c2b

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
371KB

MD5
788719b1d2e9f42aeabe421747139190

SHA1
bb63488950b64498a745a47d468b6021e6b1d8f7

SHA256
561d15d981207b46877f9d63977e69dd378e6e2d17985fedf7f2bcd0a2a1e6bd

SHA512
635d732fa49a301a04e4e31d708e9f284440c475d9b8650c3648e3c3bf71adaf3df8f21f0a8b0b045845bb8da1349d213c74e2d8d204c85dbb4228d005cba957

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
371KB

MD5
788719b1d2e9f42aeabe421747139190

SHA1
bb63488950b64498a745a47d468b6021e6b1d8f7

SHA256
561d15d981207b46877f9d63977e69dd378e6e2d17985fedf7f2bcd0a2a1e6bd

SHA512
635d732fa49a301a04e4e31d708e9f284440c475d9b8650c3648e3c3bf71adaf3df8f21f0a8b0b045845bb8da1349d213c74e2d8d204c85dbb4228d005cba957

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
371KB

MD5
788719b1d2e9f42aeabe421747139190

SHA1
bb63488950b64498a745a47d468b6021e6b1d8f7

SHA256
561d15d981207b46877f9d63977e69dd378e6e2d17985fedf7f2bcd0a2a1e6bd

SHA512
635d732fa49a301a04e4e31d708e9f284440c475d9b8650c3648e3c3bf71adaf3df8f21f0a8b0b045845bb8da1349d213c74e2d8d204c85dbb4228d005cba957

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
371KB

MD5
788719b1d2e9f42aeabe421747139190

SHA1
bb63488950b64498a745a47d468b6021e6b1d8f7

SHA256
561d15d981207b46877f9d63977e69dd378e6e2d17985fedf7f2bcd0a2a1e6bd

SHA512
635d732fa49a301a04e4e31d708e9f284440c475d9b8650c3648e3c3bf71adaf3df8f21f0a8b0b045845bb8da1349d213c74e2d8d204c85dbb4228d005cba957

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
371KB

MD5
788719b1d2e9f42aeabe421747139190

SHA1
bb63488950b64498a745a47d468b6021e6b1d8f7

SHA256
561d15d981207b46877f9d63977e69dd378e6e2d17985fedf7f2bcd0a2a1e6bd

SHA512
635d732fa49a301a04e4e31d708e9f284440c475d9b8650c3648e3c3bf71adaf3df8f21f0a8b0b045845bb8da1349d213c74e2d8d204c85dbb4228d005cba957

Download Submit
memory/268-114-0x0000000000000000-mapping.dmp

Download
memory/340-68-0x0000000000000000-mapping.dmp

Download
memory/572-99-0x0000000000000000-mapping.dmp

Download
memory/588-74-0x0000000000000000-mapping.dmp

Download
memory/632-100-0x0000000000000000-mapping.dmp

Download
memory/668-113-0x0000000000000000-mapping.dmp

Download
memory/972-101-0x0000000000000000-mapping.dmp

Download
memory/1000-57-0x0000000000000000-mapping.dmp

Download
memory/1004-108-0x0000000000000000-mapping.dmp

Download
memory/1180-92-0x0000000000000000-mapping.dmp

Download
memory/1224-76-0x0000000000000000-mapping.dmp

Download
memory/1320-120-0x0000000000000000-mapping.dmp

Download
memory/1324-73-0x0000000000000000-mapping.dmp

Download
memory/1556-77-0x0000000000000000-mapping.dmp

Download
memory/1612-119-0x0000000000000000-mapping.dmp

Download
memory/1800-106-0x0000000000000000-mapping.dmp

Download
memory/1808-93-0x0000000000000000-mapping.dmp

Download
memory/1884-56-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download
memory/1884-58-0x00000000746F1000-0x00000000746F3000-memory.dmp

Filesize
8KB

Download
memory/2012-88-0x0000000000000000-mapping.dmp

Download
memory/2020-111-0x0000000000000000-mapping.dmp

Download
memory/2024-110-0x0000000000000000-mapping.dmp

Download
memory/2032-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads