0bbfe4a93ccda69d3aa428db0e590b6227afb7b913945f19d729c41900f97d3c

Analysis

max time kernel
126s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bbfe4a93ccda69d3aa428db0e590b6227afb7b913945f19d729c41900f97d3c.exe
Size

183KB
MD5

0fc54212e276e7b20d020ee246330a6a
SHA1

91aefc8cc86674a9a05a9ae27d0d6a8b8934c4b0
SHA256

0bbfe4a93ccda69d3aa428db0e590b6227afb7b913945f19d729c41900f97d3c
SHA512

97457f2e160845f22230ffe12905744beabc990cf85165a466b298e85ef732cc22299dd7cd379c25bef30d83ad1760e011eac072030580aa029a59e193b59733
SSDEEP

3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCm/DEcdwvz:gDCwfG1bnxLEc6vz

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	0bbfe4a93ccda69d3aa428db0e590b6227afb7b913945f19d729c41900f97d3c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	0bbfe4a93ccda69d3aa428db0e590b6227afb7b913945f19d729c41900f97d3c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GRXNNIIE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GRXNNIIE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GRXNNIIE = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
1344	avscan.exe
592	avscan.exe
276	hosts.exe
1544	hosts.exe
1132	avscan.exe
1396	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
1004	0bbfe4a93ccda69d3aa428db0e590b6227afb7b913945f19d729c41900f97d3c.exe
1004	0bbfe4a93ccda69d3aa428db0e590b6227afb7b913945f19d729c41900f97d3c.exe
1344	avscan.exe
1544	hosts.exe
1544	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	0bbfe4a93ccda69d3aa428db0e590b6227afb7b913945f19d729c41900f97d3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	0bbfe4a93ccda69d3aa428db0e590b6227afb7b913945f19d729c41900f97d3c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\W_X_C.vbs	0bbfe4a93ccda69d3aa428db0e590b6227afb7b913945f19d729c41900f97d3c.exe
File created	\??\c:\windows\W_X_C.bat	0bbfe4a93ccda69d3aa428db0e590b6227afb7b913945f19d729c41900f97d3c.exe
File opened for modification	C:\Windows\hosts.exe	0bbfe4a93ccda69d3aa428db0e590b6227afb7b913945f19d729c41900f97d3c.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
1508	REG.exe
1628	REG.exe
1216	REG.exe
1532	REG.exe
1168	REG.exe
972	REG.exe
268	REG.exe
908	REG.exe
1584	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1344	avscan.exe
1544	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1004	0bbfe4a93ccda69d3aa428db0e590b6227afb7b913945f19d729c41900f97d3c.exe
1344	avscan.exe
592	avscan.exe
276	hosts.exe
1544	hosts.exe
1132	avscan.exe
1396	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1004 wrote to memory of 1628	1004	0bbfe4a93ccda69d3aa428db0e590b6227afb7b913945f19d729c41900f97d3c.exe	28
PID 1004 wrote to memory of 1628	1004	0bbfe4a93ccda69d3aa428db0e590b6227afb7b913945f19d729c41900f97d3c.exe	28
PID 1004 wrote to memory of 1628	1004	0bbfe4a93ccda69d3aa428db0e590b6227afb7b913945f19d729c41900f97d3c.exe	28
PID 1004 wrote to memory of 1628	1004	0bbfe4a93ccda69d3aa428db0e590b6227afb7b913945f19d729c41900f97d3c.exe	28
PID 1004 wrote to memory of 1344	1004	0bbfe4a93ccda69d3aa428db0e590b6227afb7b913945f19d729c41900f97d3c.exe	30
PID 1004 wrote to memory of 1344	1004	0bbfe4a93ccda69d3aa428db0e590b6227afb7b913945f19d729c41900f97d3c.exe	30
PID 1004 wrote to memory of 1344	1004	0bbfe4a93ccda69d3aa428db0e590b6227afb7b913945f19d729c41900f97d3c.exe	30
PID 1004 wrote to memory of 1344	1004	0bbfe4a93ccda69d3aa428db0e590b6227afb7b913945f19d729c41900f97d3c.exe	30
PID 1344 wrote to memory of 592	1344	avscan.exe	31
PID 1344 wrote to memory of 592	1344	avscan.exe	31
PID 1344 wrote to memory of 592	1344	avscan.exe	31
PID 1344 wrote to memory of 592	1344	avscan.exe	31
PID 1344 wrote to memory of 2004	1344	avscan.exe	32
PID 1344 wrote to memory of 2004	1344	avscan.exe	32
PID 1344 wrote to memory of 2004	1344	avscan.exe	32
PID 1344 wrote to memory of 2004	1344	avscan.exe	32
PID 1004 wrote to memory of 1692	1004	0bbfe4a93ccda69d3aa428db0e590b6227afb7b913945f19d729c41900f97d3c.exe	33
PID 1004 wrote to memory of 1692	1004	0bbfe4a93ccda69d3aa428db0e590b6227afb7b913945f19d729c41900f97d3c.exe	33
PID 1004 wrote to memory of 1692	1004	0bbfe4a93ccda69d3aa428db0e590b6227afb7b913945f19d729c41900f97d3c.exe	33
PID 1004 wrote to memory of 1692	1004	0bbfe4a93ccda69d3aa428db0e590b6227afb7b913945f19d729c41900f97d3c.exe	33
PID 2004 wrote to memory of 1544	2004	cmd.exe	37
PID 2004 wrote to memory of 1544	2004	cmd.exe	37
PID 2004 wrote to memory of 1544	2004	cmd.exe	37
PID 2004 wrote to memory of 1544	2004	cmd.exe	37
PID 1692 wrote to memory of 276	1692	cmd.exe	36
PID 1692 wrote to memory of 276	1692	cmd.exe	36
PID 1692 wrote to memory of 276	1692	cmd.exe	36
PID 1692 wrote to memory of 276	1692	cmd.exe	36
PID 1692 wrote to memory of 560	1692	cmd.exe	38
PID 1692 wrote to memory of 560	1692	cmd.exe	38
PID 1692 wrote to memory of 560	1692	cmd.exe	38
PID 1692 wrote to memory of 560	1692	cmd.exe	38
PID 2004 wrote to memory of 1728	2004	cmd.exe	39
PID 2004 wrote to memory of 1728	2004	cmd.exe	39
PID 2004 wrote to memory of 1728	2004	cmd.exe	39
PID 2004 wrote to memory of 1728	2004	cmd.exe	39
PID 1544 wrote to memory of 1132	1544	hosts.exe	40
PID 1544 wrote to memory of 1132	1544	hosts.exe	40
PID 1544 wrote to memory of 1132	1544	hosts.exe	40
PID 1544 wrote to memory of 1132	1544	hosts.exe	40
PID 1544 wrote to memory of 1624	1544	hosts.exe	41
PID 1544 wrote to memory of 1624	1544	hosts.exe	41
PID 1544 wrote to memory of 1624	1544	hosts.exe	41
PID 1544 wrote to memory of 1624	1544	hosts.exe	41
PID 1624 wrote to memory of 1396	1624	cmd.exe	43
PID 1624 wrote to memory of 1396	1624	cmd.exe	43
PID 1624 wrote to memory of 1396	1624	cmd.exe	43
PID 1624 wrote to memory of 1396	1624	cmd.exe	43
PID 1624 wrote to memory of 756	1624	cmd.exe	44
PID 1624 wrote to memory of 756	1624	cmd.exe	44
PID 1624 wrote to memory of 756	1624	cmd.exe	44
PID 1624 wrote to memory of 756	1624	cmd.exe	44
PID 1344 wrote to memory of 1216	1344	avscan.exe	45
PID 1344 wrote to memory of 1216	1344	avscan.exe	45
PID 1344 wrote to memory of 1216	1344	avscan.exe	45
PID 1344 wrote to memory of 1216	1344	avscan.exe	45
PID 1544 wrote to memory of 1532	1544	hosts.exe	47
PID 1544 wrote to memory of 1532	1544	hosts.exe	47
PID 1544 wrote to memory of 1532	1544	hosts.exe	47
PID 1544 wrote to memory of 1532	1544	hosts.exe	47
PID 1544 wrote to memory of 268	1544	hosts.exe	49
PID 1544 wrote to memory of 268	1544	hosts.exe	49
PID 1544 wrote to memory of 268	1544	hosts.exe	49
PID 1544 wrote to memory of 268	1544	hosts.exe	49

C:\Users\Admin\AppData\Local\Temp\0bbfe4a93ccda69d3aa428db0e590b6227afb7b913945f19d729c41900f97d3c.exe
"C:\Users\Admin\AppData\Local\Temp\0bbfe4a93ccda69d3aa428db0e590b6227afb7b913945f19d729c41900f97d3c.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:1628
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:592
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1544
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1132
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\W_X_C.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1624
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1396
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:756
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1532
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:268
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1168
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1508
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:1728
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1216
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:908
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1584
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:276
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
415KB

MD5
4e8b5676f6007975875c0e2df4515f58

SHA1
a47b026fc6fb768faa0802f9249e54877d041889

SHA256
caf3ee4e56e5b62ca06ba2f2e7a55ba2e4daa73086839c9cbde3be19bedeca61

SHA512
b7e81fdf12d79fbac7e20662aaa4103aa207acce74c4f9badf6ad4df9e6ba22faf922447c041c8525089bf469888784f2630ee83af2620b862c11c61e13ea630

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
782KB

MD5
bdc500527167d8fa5a3b2096222cd671

SHA1
3b8e0d824fcd9cfe45eefc01e05a1819a1130042

SHA256
fa318e50e643d8ad0db8bd8c2affd16f654e301380a3e92e138e517f3f52b57e

SHA512
974252be95b8860cb654d1ae34a2ef6e43bc203ff39c302593c4879beb7c78cd6e60efe04ba9b2815b48e1c7627c985c8433a018574db53af1fcfa89c74b21c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.1MB

MD5
9f25cbc0019b08dbfe03dd2187447b96

SHA1
b1b3270ca617ccd16f3d3271bfa17148ecf3a3a9

SHA256
9f9fb30400173bfe271f36e4efb1a6e6b2f409620f6901e975d549823dbeff0a

SHA512
658c2616d171838fdba8d63a53920a269076f0ad2eb2a14b4416ccc56ef3e4c8961aad3d43852a48099ebe39379e206bbef996519b02be702cd5189e90a43af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.3MB

MD5
9f0eef3fbc86d8313f3ee602bd18dda7

SHA1
4976d33917372e713cf684a187e33aaa940741cb

SHA256
41395edb13a84bd78dc9e35e5a4f46fe0c8234c5a3d293c6343e8f380767d59d

SHA512
7faf23331b9aedddbdddb1f5e980deb52a14c361c14a5ae341cc74603d05f2edc73a3a5ad09599868ed88e4eb57842a885060708aaa834df21bf43a0c2a2c6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.3MB

MD5
9f0eef3fbc86d8313f3ee602bd18dda7

SHA1
4976d33917372e713cf684a187e33aaa940741cb

SHA256
41395edb13a84bd78dc9e35e5a4f46fe0c8234c5a3d293c6343e8f380767d59d

SHA512
7faf23331b9aedddbdddb1f5e980deb52a14c361c14a5ae341cc74603d05f2edc73a3a5ad09599868ed88e4eb57842a885060708aaa834df21bf43a0c2a2c6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
183KB

MD5
a74866e9a186febe34f5085916ec7388

SHA1
cf8d2b63b94a039cfec694e688822413bb8ac722

SHA256
ac05191d97189a89546723fea30ee58541056f89c9057a9eb19254cd7c0d8dd5

SHA512
71e10e4004563041517022a9c5a63c0edb1aee1a1d697a638dc7c9a933066e18febdcbdac318f6dc4454e3baa83f2547d4370549f7e72a840dea06ee3ff8dc5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
183KB

MD5
a74866e9a186febe34f5085916ec7388

SHA1
cf8d2b63b94a039cfec694e688822413bb8ac722

SHA256
ac05191d97189a89546723fea30ee58541056f89c9057a9eb19254cd7c0d8dd5

SHA512
71e10e4004563041517022a9c5a63c0edb1aee1a1d697a638dc7c9a933066e18febdcbdac318f6dc4454e3baa83f2547d4370549f7e72a840dea06ee3ff8dc5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
183KB

MD5
a74866e9a186febe34f5085916ec7388

SHA1
cf8d2b63b94a039cfec694e688822413bb8ac722

SHA256
ac05191d97189a89546723fea30ee58541056f89c9057a9eb19254cd7c0d8dd5

SHA512
71e10e4004563041517022a9c5a63c0edb1aee1a1d697a638dc7c9a933066e18febdcbdac318f6dc4454e3baa83f2547d4370549f7e72a840dea06ee3ff8dc5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
183KB

MD5
a74866e9a186febe34f5085916ec7388

SHA1
cf8d2b63b94a039cfec694e688822413bb8ac722

SHA256
ac05191d97189a89546723fea30ee58541056f89c9057a9eb19254cd7c0d8dd5

SHA512
71e10e4004563041517022a9c5a63c0edb1aee1a1d697a638dc7c9a933066e18febdcbdac318f6dc4454e3baa83f2547d4370549f7e72a840dea06ee3ff8dc5d

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
9eb0c6074d8e54f7da6508b5f6809e78

SHA1
61f003a28c45377e9fc641a0dd1382e6931c11f0

SHA256
df6f01f8c7c5ad4b1e66d19309ad60f0189bc607d7a07c184d9d94abd29c3ee8

SHA512
f6db15038cf4312647c59574cf2352c132c36cd060293977427b719066e5519838c6fed059d3a1d4e3277b575d9132d29d150c45cebd8a3852e705f3297f6d08

Download Submit
C:\Windows\hosts.exe

Filesize
183KB

MD5
21a28413686c8d08bc4668cc1d74b2a8

SHA1
889d7ce7a5c8e65b6caa86f1b482ac8c3974c51b

SHA256
f9f0f652b5f86dd2e9622b0c967a2b8b758587c850926954468e9a94c8e2dfac

SHA512
ead30daa85a3592af90337dd26e550874a956ee7d698e0c285abb691d56c714eea7642398b1193292f62438664fc49a285c66f0dd0e84b4c470103596edd6027

Download Submit
C:\Windows\hosts.exe

Filesize
183KB

MD5
21a28413686c8d08bc4668cc1d74b2a8

SHA1
889d7ce7a5c8e65b6caa86f1b482ac8c3974c51b

SHA256
f9f0f652b5f86dd2e9622b0c967a2b8b758587c850926954468e9a94c8e2dfac

SHA512
ead30daa85a3592af90337dd26e550874a956ee7d698e0c285abb691d56c714eea7642398b1193292f62438664fc49a285c66f0dd0e84b4c470103596edd6027

Download Submit
C:\Windows\hosts.exe

Filesize
183KB

MD5
21a28413686c8d08bc4668cc1d74b2a8

SHA1
889d7ce7a5c8e65b6caa86f1b482ac8c3974c51b

SHA256
f9f0f652b5f86dd2e9622b0c967a2b8b758587c850926954468e9a94c8e2dfac

SHA512
ead30daa85a3592af90337dd26e550874a956ee7d698e0c285abb691d56c714eea7642398b1193292f62438664fc49a285c66f0dd0e84b4c470103596edd6027

Download Submit
C:\Windows\hosts.exe

Filesize
183KB

MD5
21a28413686c8d08bc4668cc1d74b2a8

SHA1
889d7ce7a5c8e65b6caa86f1b482ac8c3974c51b

SHA256
f9f0f652b5f86dd2e9622b0c967a2b8b758587c850926954468e9a94c8e2dfac

SHA512
ead30daa85a3592af90337dd26e550874a956ee7d698e0c285abb691d56c714eea7642398b1193292f62438664fc49a285c66f0dd0e84b4c470103596edd6027

Download Submit
C:\windows\hosts.exe

Filesize
183KB

MD5
21a28413686c8d08bc4668cc1d74b2a8

SHA1
889d7ce7a5c8e65b6caa86f1b482ac8c3974c51b

SHA256
f9f0f652b5f86dd2e9622b0c967a2b8b758587c850926954468e9a94c8e2dfac

SHA512
ead30daa85a3592af90337dd26e550874a956ee7d698e0c285abb691d56c714eea7642398b1193292f62438664fc49a285c66f0dd0e84b4c470103596edd6027

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
183KB

MD5
a74866e9a186febe34f5085916ec7388

SHA1
cf8d2b63b94a039cfec694e688822413bb8ac722

SHA256
ac05191d97189a89546723fea30ee58541056f89c9057a9eb19254cd7c0d8dd5

SHA512
71e10e4004563041517022a9c5a63c0edb1aee1a1d697a638dc7c9a933066e18febdcbdac318f6dc4454e3baa83f2547d4370549f7e72a840dea06ee3ff8dc5d

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
183KB

MD5
a74866e9a186febe34f5085916ec7388

SHA1
cf8d2b63b94a039cfec694e688822413bb8ac722

SHA256
ac05191d97189a89546723fea30ee58541056f89c9057a9eb19254cd7c0d8dd5

SHA512
71e10e4004563041517022a9c5a63c0edb1aee1a1d697a638dc7c9a933066e18febdcbdac318f6dc4454e3baa83f2547d4370549f7e72a840dea06ee3ff8dc5d

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
183KB

MD5
a74866e9a186febe34f5085916ec7388

SHA1
cf8d2b63b94a039cfec694e688822413bb8ac722

SHA256
ac05191d97189a89546723fea30ee58541056f89c9057a9eb19254cd7c0d8dd5

SHA512
71e10e4004563041517022a9c5a63c0edb1aee1a1d697a638dc7c9a933066e18febdcbdac318f6dc4454e3baa83f2547d4370549f7e72a840dea06ee3ff8dc5d

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
183KB

MD5
a74866e9a186febe34f5085916ec7388

SHA1
cf8d2b63b94a039cfec694e688822413bb8ac722

SHA256
ac05191d97189a89546723fea30ee58541056f89c9057a9eb19254cd7c0d8dd5

SHA512
71e10e4004563041517022a9c5a63c0edb1aee1a1d697a638dc7c9a933066e18febdcbdac318f6dc4454e3baa83f2547d4370549f7e72a840dea06ee3ff8dc5d

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
183KB

MD5
a74866e9a186febe34f5085916ec7388

SHA1
cf8d2b63b94a039cfec694e688822413bb8ac722

SHA256
ac05191d97189a89546723fea30ee58541056f89c9057a9eb19254cd7c0d8dd5

SHA512
71e10e4004563041517022a9c5a63c0edb1aee1a1d697a638dc7c9a933066e18febdcbdac318f6dc4454e3baa83f2547d4370549f7e72a840dea06ee3ff8dc5d

Download Submit
memory/1004-58-0x00000000746A1000-0x00000000746A3000-memory.dmp

Filesize
8KB

Download
memory/1004-56-0x0000000075211000-0x0000000075213000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads