36865ee10611988d2a23de1d67d6d1dfca4ab546c82dbcb71edfdecc447f62d9

Analysis

max time kernel
127s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 13:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36865ee10611988d2a23de1d67d6d1dfca4ab546c82dbcb71edfdecc447f62d9.exe
Size

175KB
MD5

0d6b7f57b69958a94216f6f7d05d6306
SHA1

6dbbac56202d7d61c92ce98b6286c0626142e77e
SHA256

36865ee10611988d2a23de1d67d6d1dfca4ab546c82dbcb71edfdecc447f62d9
SHA512

24454da78f8587896e51feec07a942b51031a4329641d5c1f74010edceb1e308ffca61dabac47a8528b6d4a62743191073e3aa7e89a506a0564bd19fbae22d7e
SSDEEP

3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCmvfIcGJy8JQfIct:gDCwfG1bnx4M8t4

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	36865ee10611988d2a23de1d67d6d1dfca4ab546c82dbcb71edfdecc447f62d9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	36865ee10611988d2a23de1d67d6d1dfca4ab546c82dbcb71edfdecc447f62d9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GRXNNIIE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GRXNNIIE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GRXNNIIE = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
1332	avscan.exe
760	avscan.exe
612	hosts.exe
2036	hosts.exe
1728	avscan.exe
1468	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
864	36865ee10611988d2a23de1d67d6d1dfca4ab546c82dbcb71edfdecc447f62d9.exe
864	36865ee10611988d2a23de1d67d6d1dfca4ab546c82dbcb71edfdecc447f62d9.exe
1332	avscan.exe
612	hosts.exe
612	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	36865ee10611988d2a23de1d67d6d1dfca4ab546c82dbcb71edfdecc447f62d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	36865ee10611988d2a23de1d67d6d1dfca4ab546c82dbcb71edfdecc447f62d9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	\??\c:\windows\W_X_C.bat	36865ee10611988d2a23de1d67d6d1dfca4ab546c82dbcb71edfdecc447f62d9.exe
File opened for modification	C:\Windows\hosts.exe	36865ee10611988d2a23de1d67d6d1dfca4ab546c82dbcb71edfdecc447f62d9.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	36865ee10611988d2a23de1d67d6d1dfca4ab546c82dbcb71edfdecc447f62d9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
1688	REG.exe
756	REG.exe
1148	REG.exe
1712	REG.exe
1176	REG.exe
760	REG.exe
1372	REG.exe
1556	REG.exe
1300	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1332	avscan.exe
612	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
864	36865ee10611988d2a23de1d67d6d1dfca4ab546c82dbcb71edfdecc447f62d9.exe
1332	avscan.exe
760	avscan.exe
612	hosts.exe
2036	hosts.exe
1728	avscan.exe
1468	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 1712	864	36865ee10611988d2a23de1d67d6d1dfca4ab546c82dbcb71edfdecc447f62d9.exe	28
PID 864 wrote to memory of 1712	864	36865ee10611988d2a23de1d67d6d1dfca4ab546c82dbcb71edfdecc447f62d9.exe	28
PID 864 wrote to memory of 1712	864	36865ee10611988d2a23de1d67d6d1dfca4ab546c82dbcb71edfdecc447f62d9.exe	28
PID 864 wrote to memory of 1712	864	36865ee10611988d2a23de1d67d6d1dfca4ab546c82dbcb71edfdecc447f62d9.exe	28
PID 864 wrote to memory of 1332	864	36865ee10611988d2a23de1d67d6d1dfca4ab546c82dbcb71edfdecc447f62d9.exe	30
PID 864 wrote to memory of 1332	864	36865ee10611988d2a23de1d67d6d1dfca4ab546c82dbcb71edfdecc447f62d9.exe	30
PID 864 wrote to memory of 1332	864	36865ee10611988d2a23de1d67d6d1dfca4ab546c82dbcb71edfdecc447f62d9.exe	30
PID 864 wrote to memory of 1332	864	36865ee10611988d2a23de1d67d6d1dfca4ab546c82dbcb71edfdecc447f62d9.exe	30
PID 1332 wrote to memory of 760	1332	avscan.exe	31
PID 1332 wrote to memory of 760	1332	avscan.exe	31
PID 1332 wrote to memory of 760	1332	avscan.exe	31
PID 1332 wrote to memory of 760	1332	avscan.exe	31
PID 1332 wrote to memory of 1120	1332	avscan.exe	32
PID 1332 wrote to memory of 1120	1332	avscan.exe	32
PID 1332 wrote to memory of 1120	1332	avscan.exe	32
PID 1332 wrote to memory of 1120	1332	avscan.exe	32
PID 864 wrote to memory of 940	864	36865ee10611988d2a23de1d67d6d1dfca4ab546c82dbcb71edfdecc447f62d9.exe	33
PID 864 wrote to memory of 940	864	36865ee10611988d2a23de1d67d6d1dfca4ab546c82dbcb71edfdecc447f62d9.exe	33
PID 864 wrote to memory of 940	864	36865ee10611988d2a23de1d67d6d1dfca4ab546c82dbcb71edfdecc447f62d9.exe	33
PID 864 wrote to memory of 940	864	36865ee10611988d2a23de1d67d6d1dfca4ab546c82dbcb71edfdecc447f62d9.exe	33
PID 1120 wrote to memory of 2036	1120	cmd.exe	36
PID 1120 wrote to memory of 2036	1120	cmd.exe	36
PID 1120 wrote to memory of 2036	1120	cmd.exe	36
PID 1120 wrote to memory of 2036	1120	cmd.exe	36
PID 940 wrote to memory of 612	940	cmd.exe	37
PID 940 wrote to memory of 612	940	cmd.exe	37
PID 940 wrote to memory of 612	940	cmd.exe	37
PID 940 wrote to memory of 612	940	cmd.exe	37
PID 1120 wrote to memory of 1384	1120	cmd.exe	38
PID 1120 wrote to memory of 1384	1120	cmd.exe	38
PID 1120 wrote to memory of 1384	1120	cmd.exe	38
PID 1120 wrote to memory of 1384	1120	cmd.exe	38
PID 940 wrote to memory of 1884	940	cmd.exe	39
PID 940 wrote to memory of 1884	940	cmd.exe	39
PID 940 wrote to memory of 1884	940	cmd.exe	39
PID 940 wrote to memory of 1884	940	cmd.exe	39
PID 612 wrote to memory of 1728	612	hosts.exe	42
PID 612 wrote to memory of 1728	612	hosts.exe	42
PID 612 wrote to memory of 1728	612	hosts.exe	42
PID 612 wrote to memory of 1728	612	hosts.exe	42
PID 612 wrote to memory of 992	612	hosts.exe	41
PID 612 wrote to memory of 992	612	hosts.exe	41
PID 612 wrote to memory of 992	612	hosts.exe	41
PID 612 wrote to memory of 992	612	hosts.exe	41
PID 992 wrote to memory of 1468	992	cmd.exe	43
PID 992 wrote to memory of 1468	992	cmd.exe	43
PID 992 wrote to memory of 1468	992	cmd.exe	43
PID 992 wrote to memory of 1468	992	cmd.exe	43
PID 992 wrote to memory of 1704	992	cmd.exe	44
PID 992 wrote to memory of 1704	992	cmd.exe	44
PID 992 wrote to memory of 1704	992	cmd.exe	44
PID 992 wrote to memory of 1704	992	cmd.exe	44
PID 1332 wrote to memory of 1372	1332	avscan.exe	45
PID 1332 wrote to memory of 1372	1332	avscan.exe	45
PID 1332 wrote to memory of 1372	1332	avscan.exe	45
PID 1332 wrote to memory of 1372	1332	avscan.exe	45
PID 612 wrote to memory of 1556	612	hosts.exe	47
PID 612 wrote to memory of 1556	612	hosts.exe	47
PID 612 wrote to memory of 1556	612	hosts.exe	47
PID 612 wrote to memory of 1556	612	hosts.exe	47
PID 1332 wrote to memory of 1300	1332	avscan.exe	49
PID 1332 wrote to memory of 1300	1332	avscan.exe	49
PID 1332 wrote to memory of 1300	1332	avscan.exe	49
PID 1332 wrote to memory of 1300	1332	avscan.exe	49

C:\Users\Admin\AppData\Local\Temp\36865ee10611988d2a23de1d67d6d1dfca4ab546c82dbcb71edfdecc447f62d9.exe
"C:\Users\Admin\AppData\Local\Temp\36865ee10611988d2a23de1d67d6d1dfca4ab546c82dbcb71edfdecc447f62d9.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:864
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:1712
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:760
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1120
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2036
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:1384
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1372
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1300
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:760
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:612
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\W_X_C.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:992
    - - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1468
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        5⤵
        Adds policy Run key to start application
        
        PID:1704
  - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1728
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1556
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1176
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1688
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1148
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:1884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
399KB

MD5
06f676f4cdb20ae2e2a7c55c0a3c6d2b

SHA1
8d5eb918a400bcb666f2896c60dbed89d2b47b41

SHA256
55cddda7bcdd7eb874385ee0ef2eda12b6ba563bbafa8409b63fced737d377a3

SHA512
f02f0e9d33d00e45ad23a62ed37d2200a0923a645c33c422503f15f0b9e7ce844188d7609dec99e6478c51526dcb41a484ec3979f9b46f9f1f88321e969c9030

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
575KB

MD5
7d9ce754f073630962518006463236ea

SHA1
fa93b5c646c9847644a1f114274aef58b3c2cd4d

SHA256
79b7bc9beddb749f2b7ce5812bf7b269c2f1a453225cf7ad4494286cca483a64

SHA512
94d0c60f4b053721181d93d60d81892781a9cce9d5a2953e0a27eed3fa6a3a27ef1a77112b82d2b4fc86498c89b1ca66d97bd442ccba6fe7571abda94c3f1f8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
750KB

MD5
ea75690b5db04015037f4596ce87a5fb

SHA1
0d7d2a9888a04966c90b23e8cbb27f8c591005fe

SHA256
ba065ee34385fa22f8dcfa3440c419bafdfccb5826a0d9d1c5c147901c01b1ac

SHA512
1c001a193bd5350c1971db0b4e93d2e52177e0443b63ceabcc7becc1e987904b2ff596e54f12dd1c0c73ad9da29a98f3f1ae26b601c4101bb0e022d10048ace8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
926KB

MD5
82d7600a4a74b4c01d9350e62e8f7129

SHA1
71b2ed3d0ffbf46246450da14383d864075da216

SHA256
9bdc17eb070a9d9048e1833ff1e8da907215ad569400246d377448c24b837e01

SHA512
7d777df508b450509a997b72175f132e34d76b6cb4d8a45ce1b0f116909ccd20ad02837ec558c192f31b31b0c38121e96a22adc1e6cbab5a613e51888ea4eae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.1MB

MD5
873f1452b997e3ebae988b1bd03df3a4

SHA1
554c753755a6170e5600e41cf35f0d900c7c4cd3

SHA256
1bc76b146e212afeb047fc48a08022fa8bb70c8916008995469d6ba9738515ec

SHA512
8fab9b7d4f46a40cde30328430aa4f7cb2052bb5fae6a51c6137b91fa87e0f8f244e70292267f997c26df61197e9cd43d52ef38796346395549c3fa2a48299e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.2MB

MD5
606d4676f811246c2af63b11f66fb4c4

SHA1
cade6156f9d476bd3e3a99ab34aea950e7806020

SHA256
d11ec2f234b588e0cb95ea76660f1e5afc6c0ce944e11ae4f149705ec1b51345

SHA512
5971768256d495fbac4eb9248266b9e4443a90d0c59386a929b46b5cd18a79dd92e0fd9f88f647ae37ef778924e580b58999322db07f9135469a75082e2cd7ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.4MB

MD5
dda8636d369badf66802da9c187feb55

SHA1
23a34d423565a2566b2185cb8f8d642017c70c16

SHA256
53e9d74baa189bbc5c6cdb93e35e87c91aaddff0d01f8b74d21f7ce213ac0ce2

SHA512
906a3c24f19117f9de47d0a7ec98dcffe3abe8223659665a1ce7b9f4bf6839d80cf454a98172815069cc41a2107354f350c9575d39d385d284ca4b2cfb69ebc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
175KB

MD5
c2f3672010027779e3746fe75b5cfdbc

SHA1
d96d0ebc37cc68ca53fe111bec8a423c4c1fe2ac

SHA256
e9dec3df8d34af7892afb61e65a283624dadb609e01bc224b48f969c6c3b99c9

SHA512
d7c805a9bda87433b0324406962c8f64af1da32c999139d4c7db19d98a9a1149b4d63999c2192b2caf3d6b797a8fb39afddebfbb76ea29fbd5c55ea6bc3d5d08

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
175KB

MD5
c2f3672010027779e3746fe75b5cfdbc

SHA1
d96d0ebc37cc68ca53fe111bec8a423c4c1fe2ac

SHA256
e9dec3df8d34af7892afb61e65a283624dadb609e01bc224b48f969c6c3b99c9

SHA512
d7c805a9bda87433b0324406962c8f64af1da32c999139d4c7db19d98a9a1149b4d63999c2192b2caf3d6b797a8fb39afddebfbb76ea29fbd5c55ea6bc3d5d08

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
175KB

MD5
c2f3672010027779e3746fe75b5cfdbc

SHA1
d96d0ebc37cc68ca53fe111bec8a423c4c1fe2ac

SHA256
e9dec3df8d34af7892afb61e65a283624dadb609e01bc224b48f969c6c3b99c9

SHA512
d7c805a9bda87433b0324406962c8f64af1da32c999139d4c7db19d98a9a1149b4d63999c2192b2caf3d6b797a8fb39afddebfbb76ea29fbd5c55ea6bc3d5d08

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
175KB

MD5
c2f3672010027779e3746fe75b5cfdbc

SHA1
d96d0ebc37cc68ca53fe111bec8a423c4c1fe2ac

SHA256
e9dec3df8d34af7892afb61e65a283624dadb609e01bc224b48f969c6c3b99c9

SHA512
d7c805a9bda87433b0324406962c8f64af1da32c999139d4c7db19d98a9a1149b4d63999c2192b2caf3d6b797a8fb39afddebfbb76ea29fbd5c55ea6bc3d5d08

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
9eb0c6074d8e54f7da6508b5f6809e78

SHA1
61f003a28c45377e9fc641a0dd1382e6931c11f0

SHA256
df6f01f8c7c5ad4b1e66d19309ad60f0189bc607d7a07c184d9d94abd29c3ee8

SHA512
f6db15038cf4312647c59574cf2352c132c36cd060293977427b719066e5519838c6fed059d3a1d4e3277b575d9132d29d150c45cebd8a3852e705f3297f6d08

Download Submit
C:\Windows\hosts.exe

Filesize
175KB

MD5
a874198703197595b064c58cccc8c6e2

SHA1
6db51f2de51c01a409bd8be333bc8895fe2f4822

SHA256
b2a58e5a05890197011e11d29ded3c8b05a5be256bf55af5d68880f75c09f203

SHA512
4e7d3fe7cd8aff67f223a39c663e7f0307d6e6567d1584285ce2e4f0c67fe0014d5e27dd2038ec53714fcb251b57f9e65efae1eeb437420a196ba5c616e9528e

Download Submit
C:\Windows\hosts.exe

Filesize
175KB

MD5
a874198703197595b064c58cccc8c6e2

SHA1
6db51f2de51c01a409bd8be333bc8895fe2f4822

SHA256
b2a58e5a05890197011e11d29ded3c8b05a5be256bf55af5d68880f75c09f203

SHA512
4e7d3fe7cd8aff67f223a39c663e7f0307d6e6567d1584285ce2e4f0c67fe0014d5e27dd2038ec53714fcb251b57f9e65efae1eeb437420a196ba5c616e9528e

Download Submit
C:\Windows\hosts.exe

Filesize
175KB

MD5
a874198703197595b064c58cccc8c6e2

SHA1
6db51f2de51c01a409bd8be333bc8895fe2f4822

SHA256
b2a58e5a05890197011e11d29ded3c8b05a5be256bf55af5d68880f75c09f203

SHA512
4e7d3fe7cd8aff67f223a39c663e7f0307d6e6567d1584285ce2e4f0c67fe0014d5e27dd2038ec53714fcb251b57f9e65efae1eeb437420a196ba5c616e9528e

Download Submit
C:\Windows\hosts.exe

Filesize
175KB

MD5
a874198703197595b064c58cccc8c6e2

SHA1
6db51f2de51c01a409bd8be333bc8895fe2f4822

SHA256
b2a58e5a05890197011e11d29ded3c8b05a5be256bf55af5d68880f75c09f203

SHA512
4e7d3fe7cd8aff67f223a39c663e7f0307d6e6567d1584285ce2e4f0c67fe0014d5e27dd2038ec53714fcb251b57f9e65efae1eeb437420a196ba5c616e9528e

Download Submit
C:\windows\hosts.exe

Filesize
175KB

MD5
a874198703197595b064c58cccc8c6e2

SHA1
6db51f2de51c01a409bd8be333bc8895fe2f4822

SHA256
b2a58e5a05890197011e11d29ded3c8b05a5be256bf55af5d68880f75c09f203

SHA512
4e7d3fe7cd8aff67f223a39c663e7f0307d6e6567d1584285ce2e4f0c67fe0014d5e27dd2038ec53714fcb251b57f9e65efae1eeb437420a196ba5c616e9528e

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
175KB

MD5
c2f3672010027779e3746fe75b5cfdbc

SHA1
d96d0ebc37cc68ca53fe111bec8a423c4c1fe2ac

SHA256
e9dec3df8d34af7892afb61e65a283624dadb609e01bc224b48f969c6c3b99c9

SHA512
d7c805a9bda87433b0324406962c8f64af1da32c999139d4c7db19d98a9a1149b4d63999c2192b2caf3d6b797a8fb39afddebfbb76ea29fbd5c55ea6bc3d5d08

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
175KB

MD5
c2f3672010027779e3746fe75b5cfdbc

SHA1
d96d0ebc37cc68ca53fe111bec8a423c4c1fe2ac

SHA256
e9dec3df8d34af7892afb61e65a283624dadb609e01bc224b48f969c6c3b99c9

SHA512
d7c805a9bda87433b0324406962c8f64af1da32c999139d4c7db19d98a9a1149b4d63999c2192b2caf3d6b797a8fb39afddebfbb76ea29fbd5c55ea6bc3d5d08

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
175KB

MD5
c2f3672010027779e3746fe75b5cfdbc

SHA1
d96d0ebc37cc68ca53fe111bec8a423c4c1fe2ac

SHA256
e9dec3df8d34af7892afb61e65a283624dadb609e01bc224b48f969c6c3b99c9

SHA512
d7c805a9bda87433b0324406962c8f64af1da32c999139d4c7db19d98a9a1149b4d63999c2192b2caf3d6b797a8fb39afddebfbb76ea29fbd5c55ea6bc3d5d08

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
175KB

MD5
c2f3672010027779e3746fe75b5cfdbc

SHA1
d96d0ebc37cc68ca53fe111bec8a423c4c1fe2ac

SHA256
e9dec3df8d34af7892afb61e65a283624dadb609e01bc224b48f969c6c3b99c9

SHA512
d7c805a9bda87433b0324406962c8f64af1da32c999139d4c7db19d98a9a1149b4d63999c2192b2caf3d6b797a8fb39afddebfbb76ea29fbd5c55ea6bc3d5d08

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
175KB

MD5
c2f3672010027779e3746fe75b5cfdbc

SHA1
d96d0ebc37cc68ca53fe111bec8a423c4c1fe2ac

SHA256
e9dec3df8d34af7892afb61e65a283624dadb609e01bc224b48f969c6c3b99c9

SHA512
d7c805a9bda87433b0324406962c8f64af1da32c999139d4c7db19d98a9a1149b4d63999c2192b2caf3d6b797a8fb39afddebfbb76ea29fbd5c55ea6bc3d5d08

Download Submit
memory/864-58-0x0000000074AF1000-0x0000000074AF3000-memory.dmp

Filesize
8KB

Download
memory/864-56-0x0000000076261000-0x0000000076263000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads