379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687

Analysis

max time kernel
138s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 18:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe
Size

220KB
MD5

0d4742b26606392e5a23cb9b353eff9f
SHA1

315cd20fef7b567c8369f022d2805d416615d82b
SHA256

379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687
SHA512

7d5de0e7dd077e9fc50fa612fb122296ad051ab73ce57f6bfd4cbe6d6cbfb4452d142ad501e57f4a25f0c9c25b605d31260820216bb40e67518c9bf81aea2a4b
SSDEEP

3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCm/DER4eQB17lgVUInUMEqvbuSDxh:gDCwfG1bnxLERRMlmjU7qvySDxh

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZERMMMDR = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZERMMMDR = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZERMMMDR = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
1744	avscan.exe
1740	avscan.exe
1768	hosts.exe
812	hosts.exe
1956	avscan.exe
616	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
1500	379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe
1500	379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe
1744	avscan.exe
1768	hosts.exe
1768	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\W_X_C.vbs	379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe
File created	\??\c:\windows\W_X_C.bat	379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe
File opened for modification	C:\Windows\hosts.exe	379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
1152	REG.exe
1172	REG.exe
1620	REG.exe
1560	REG.exe
1920	REG.exe
2004	REG.exe
1988	REG.exe
268	REG.exe
284	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1744	avscan.exe
1768	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1500	379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe
1744	avscan.exe
1740	avscan.exe
812	hosts.exe
1768	hosts.exe
1956	avscan.exe
616	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 1152	1500	379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe	27
PID 1500 wrote to memory of 1152	1500	379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe	27
PID 1500 wrote to memory of 1152	1500	379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe	27
PID 1500 wrote to memory of 1152	1500	379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe	27
PID 1500 wrote to memory of 1744	1500	379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe	29
PID 1500 wrote to memory of 1744	1500	379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe	29
PID 1500 wrote to memory of 1744	1500	379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe	29
PID 1500 wrote to memory of 1744	1500	379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe	29
PID 1744 wrote to memory of 1740	1744	avscan.exe	30
PID 1744 wrote to memory of 1740	1744	avscan.exe	30
PID 1744 wrote to memory of 1740	1744	avscan.exe	30
PID 1744 wrote to memory of 1740	1744	avscan.exe	30
PID 1744 wrote to memory of 1772	1744	avscan.exe	31
PID 1744 wrote to memory of 1772	1744	avscan.exe	31
PID 1744 wrote to memory of 1772	1744	avscan.exe	31
PID 1744 wrote to memory of 1772	1744	avscan.exe	31
PID 1500 wrote to memory of 1356	1500	379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe	32
PID 1500 wrote to memory of 1356	1500	379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe	32
PID 1500 wrote to memory of 1356	1500	379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe	32
PID 1500 wrote to memory of 1356	1500	379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe	32
PID 1772 wrote to memory of 1768	1772	cmd.exe	35
PID 1772 wrote to memory of 1768	1772	cmd.exe	35
PID 1772 wrote to memory of 1768	1772	cmd.exe	35
PID 1772 wrote to memory of 1768	1772	cmd.exe	35
PID 1356 wrote to memory of 812	1356	cmd.exe	36
PID 1356 wrote to memory of 812	1356	cmd.exe	36
PID 1356 wrote to memory of 812	1356	cmd.exe	36
PID 1356 wrote to memory of 812	1356	cmd.exe	36
PID 1356 wrote to memory of 1164	1356	cmd.exe	38
PID 1356 wrote to memory of 1164	1356	cmd.exe	38
PID 1356 wrote to memory of 1164	1356	cmd.exe	38
PID 1356 wrote to memory of 1164	1356	cmd.exe	38
PID 1772 wrote to memory of 1444	1772	cmd.exe	37
PID 1772 wrote to memory of 1444	1772	cmd.exe	37
PID 1772 wrote to memory of 1444	1772	cmd.exe	37
PID 1772 wrote to memory of 1444	1772	cmd.exe	37
PID 1768 wrote to memory of 1956	1768	hosts.exe	39
PID 1768 wrote to memory of 1956	1768	hosts.exe	39
PID 1768 wrote to memory of 1956	1768	hosts.exe	39
PID 1768 wrote to memory of 1956	1768	hosts.exe	39
PID 1768 wrote to memory of 1832	1768	hosts.exe	40
PID 1768 wrote to memory of 1832	1768	hosts.exe	40
PID 1768 wrote to memory of 1832	1768	hosts.exe	40
PID 1768 wrote to memory of 1832	1768	hosts.exe	40
PID 1832 wrote to memory of 616	1832	cmd.exe	42
PID 1832 wrote to memory of 616	1832	cmd.exe	42
PID 1832 wrote to memory of 616	1832	cmd.exe	42
PID 1832 wrote to memory of 616	1832	cmd.exe	42
PID 1832 wrote to memory of 1056	1832	cmd.exe	43
PID 1832 wrote to memory of 1056	1832	cmd.exe	43
PID 1832 wrote to memory of 1056	1832	cmd.exe	43
PID 1832 wrote to memory of 1056	1832	cmd.exe	43
PID 1744 wrote to memory of 1620	1744	avscan.exe	45
PID 1744 wrote to memory of 1620	1744	avscan.exe	45
PID 1744 wrote to memory of 1620	1744	avscan.exe	45
PID 1744 wrote to memory of 1620	1744	avscan.exe	45
PID 1768 wrote to memory of 1172	1768	hosts.exe	44
PID 1768 wrote to memory of 1172	1768	hosts.exe	44
PID 1768 wrote to memory of 1172	1768	hosts.exe	44
PID 1768 wrote to memory of 1172	1768	hosts.exe	44
PID 1744 wrote to memory of 1920	1744	avscan.exe	49
PID 1744 wrote to memory of 1920	1744	avscan.exe	49
PID 1744 wrote to memory of 1920	1744	avscan.exe	49
PID 1744 wrote to memory of 1920	1744	avscan.exe	49

C:\Users\Admin\AppData\Local\Temp\379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe
"C:\Users\Admin\AppData\Local\Temp\379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:1152
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1772
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1768
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1956
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\W_X_C.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1832
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:616
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:1056
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1172
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1560
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:2004
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:284
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:1444
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1620
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1920
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1988
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:812
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:1164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
488KB

MD5
8d8c53983c82f4ea057d2ca62c2b55c0

SHA1
9409cc718dd9427cff05b2368dcd791208ecc4e2

SHA256
c38a33f4cbfaecf5716cbfb61948f71f18dee8de81d296cac1a8f28a9cb0b5b2

SHA512
6967fac3011299274e6db7f6c01ef0e8731d2e65224ca2e4c65068403f58c3ab2a38f47d705441f63707049cb9a707cac211eb90c61c12d15dfa7401fb9faa6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
928KB

MD5
7ba0f5858cfa3824885d46d3b104dc38

SHA1
87172a8dd47bb466f1e234f2cca62cc806e8f959

SHA256
9229447a709b91a158100b56af321841df8551f947bceb4de372bd131592fcbe

SHA512
e6531b0d5249b1d83b9644502bd6ed379b3056523ea09bd8cadde3a3a152909fdc02afaa1bbba06f1cdc47e5f1faa744ac05f9f977184b53de3f78c7acab3036

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.3MB

MD5
e410bd11eb4e64b94c97d16288108f55

SHA1
22bff2b15e2f31371cf11b48886cfeb6c085d496

SHA256
6ba461a475390d7d24fa8575904d50839c3bf3d0788aa5e22ae1f7699b542170

SHA512
7166706d255bb077afdbced493d88488b7eb7824879606668ee5fa82b96f9a83df6915aea5269a2551bb44f06d569cb84eee3e47d6538590fc1a060bca6e1cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.6MB

MD5
960a1a0148222b0f37c9fb62595924d5

SHA1
c1ee37fd780357524c239be74a084aa0755ff8e8

SHA256
d07d63e2183a78676dbd0deccd3bc1030b2353085a0e94b89135d3a20d2dda0e

SHA512
51b267aca3048932f239d1f2829b731bacde8582d4166530844c4e814155ed8b0031c0f35f3d1c2bf9026be5496aca047bdf97e4956aa11bd351c6a52d22ca8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.8MB

MD5
9b3e06ce4afbbfb6858751a337f64490

SHA1
29ccf2e776f3472a89a2a0b819f94f503aca86e3

SHA256
a63ac09c0011b23f958d7f8dc82b60b73e7d5a9b943bdf79d2a373cc16690e27

SHA512
2373f14859762acbb2ea6a8957c6cc680da5b2f1995e06f6f6a56171384953cefaff987070ec838e63aef976590b4ddb1aad7c3b8e95f5441d9e2243968a8b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
220KB

MD5
212cfed392012ebb58ea3ca0d43cfca4

SHA1
ff331c6e73e01be83dca278a623f73c6511271eb

SHA256
fa9b78ce8159a4ee126c3cff5846b3391691a8d88c18d659661c693bf4963118

SHA512
d080670ea55050f94b4e3a45e51ca2e3ed88b950445b9ef483107040d2f00f101f6397f5efaee00bca5440f31578f8e3a61e79a0591a0f7ce73b5eaea94ad1a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
220KB

MD5
212cfed392012ebb58ea3ca0d43cfca4

SHA1
ff331c6e73e01be83dca278a623f73c6511271eb

SHA256
fa9b78ce8159a4ee126c3cff5846b3391691a8d88c18d659661c693bf4963118

SHA512
d080670ea55050f94b4e3a45e51ca2e3ed88b950445b9ef483107040d2f00f101f6397f5efaee00bca5440f31578f8e3a61e79a0591a0f7ce73b5eaea94ad1a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
220KB

MD5
212cfed392012ebb58ea3ca0d43cfca4

SHA1
ff331c6e73e01be83dca278a623f73c6511271eb

SHA256
fa9b78ce8159a4ee126c3cff5846b3391691a8d88c18d659661c693bf4963118

SHA512
d080670ea55050f94b4e3a45e51ca2e3ed88b950445b9ef483107040d2f00f101f6397f5efaee00bca5440f31578f8e3a61e79a0591a0f7ce73b5eaea94ad1a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
220KB

MD5
212cfed392012ebb58ea3ca0d43cfca4

SHA1
ff331c6e73e01be83dca278a623f73c6511271eb

SHA256
fa9b78ce8159a4ee126c3cff5846b3391691a8d88c18d659661c693bf4963118

SHA512
d080670ea55050f94b4e3a45e51ca2e3ed88b950445b9ef483107040d2f00f101f6397f5efaee00bca5440f31578f8e3a61e79a0591a0f7ce73b5eaea94ad1a5

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
b147c267b47c4a6cfa3a72c41407541b

SHA1
062231bf7639b26f92e6d5ef78d515f8eaa9639d

SHA256
c9b7b5b912ab24c729de962727ac33835dd58f17754f9368ac702b9987f3baf6

SHA512
4f646fee7eaa29f33604b3f349b3d90a65bec39fdbe80bac6dcd2cd67b17475e51f833a66a5207d3008fede867792605bab132d6672e206bfefaa83aa344ac64

Download Submit
C:\Windows\hosts.exe

Filesize
220KB

MD5
0468ea1550f16adb813ab978ed9afdfd

SHA1
2ba94242c90c71291652f9404b43b9fd32b542a7

SHA256
e99628a259d9d8735dd203da50dd6918b484dead62dfc300e8b3f024e33361cd

SHA512
b6a2cd8a6febc0082904135626f53f220e607f581cdda1c1496b6bf8ca48a904fe43223f6b1cec2b55beb8dc90bd70c7ef103d92269220f1108333a5dd7d5973

Download Submit
C:\Windows\hosts.exe

Filesize
220KB

MD5
0468ea1550f16adb813ab978ed9afdfd

SHA1
2ba94242c90c71291652f9404b43b9fd32b542a7

SHA256
e99628a259d9d8735dd203da50dd6918b484dead62dfc300e8b3f024e33361cd

SHA512
b6a2cd8a6febc0082904135626f53f220e607f581cdda1c1496b6bf8ca48a904fe43223f6b1cec2b55beb8dc90bd70c7ef103d92269220f1108333a5dd7d5973

Download Submit
C:\Windows\hosts.exe

Filesize
220KB

MD5
0468ea1550f16adb813ab978ed9afdfd

SHA1
2ba94242c90c71291652f9404b43b9fd32b542a7

SHA256
e99628a259d9d8735dd203da50dd6918b484dead62dfc300e8b3f024e33361cd

SHA512
b6a2cd8a6febc0082904135626f53f220e607f581cdda1c1496b6bf8ca48a904fe43223f6b1cec2b55beb8dc90bd70c7ef103d92269220f1108333a5dd7d5973

Download Submit
C:\Windows\hosts.exe

Filesize
220KB

MD5
0468ea1550f16adb813ab978ed9afdfd

SHA1
2ba94242c90c71291652f9404b43b9fd32b542a7

SHA256
e99628a259d9d8735dd203da50dd6918b484dead62dfc300e8b3f024e33361cd

SHA512
b6a2cd8a6febc0082904135626f53f220e607f581cdda1c1496b6bf8ca48a904fe43223f6b1cec2b55beb8dc90bd70c7ef103d92269220f1108333a5dd7d5973

Download Submit
C:\windows\hosts.exe

Filesize
220KB

MD5
0468ea1550f16adb813ab978ed9afdfd

SHA1
2ba94242c90c71291652f9404b43b9fd32b542a7

SHA256
e99628a259d9d8735dd203da50dd6918b484dead62dfc300e8b3f024e33361cd

SHA512
b6a2cd8a6febc0082904135626f53f220e607f581cdda1c1496b6bf8ca48a904fe43223f6b1cec2b55beb8dc90bd70c7ef103d92269220f1108333a5dd7d5973

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
220KB

MD5
212cfed392012ebb58ea3ca0d43cfca4

SHA1
ff331c6e73e01be83dca278a623f73c6511271eb

SHA256
fa9b78ce8159a4ee126c3cff5846b3391691a8d88c18d659661c693bf4963118

SHA512
d080670ea55050f94b4e3a45e51ca2e3ed88b950445b9ef483107040d2f00f101f6397f5efaee00bca5440f31578f8e3a61e79a0591a0f7ce73b5eaea94ad1a5

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
220KB

MD5
212cfed392012ebb58ea3ca0d43cfca4

SHA1
ff331c6e73e01be83dca278a623f73c6511271eb

SHA256
fa9b78ce8159a4ee126c3cff5846b3391691a8d88c18d659661c693bf4963118

SHA512
d080670ea55050f94b4e3a45e51ca2e3ed88b950445b9ef483107040d2f00f101f6397f5efaee00bca5440f31578f8e3a61e79a0591a0f7ce73b5eaea94ad1a5

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
220KB

MD5
212cfed392012ebb58ea3ca0d43cfca4

SHA1
ff331c6e73e01be83dca278a623f73c6511271eb

SHA256
fa9b78ce8159a4ee126c3cff5846b3391691a8d88c18d659661c693bf4963118

SHA512
d080670ea55050f94b4e3a45e51ca2e3ed88b950445b9ef483107040d2f00f101f6397f5efaee00bca5440f31578f8e3a61e79a0591a0f7ce73b5eaea94ad1a5

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
220KB

MD5
212cfed392012ebb58ea3ca0d43cfca4

SHA1
ff331c6e73e01be83dca278a623f73c6511271eb

SHA256
fa9b78ce8159a4ee126c3cff5846b3391691a8d88c18d659661c693bf4963118

SHA512
d080670ea55050f94b4e3a45e51ca2e3ed88b950445b9ef483107040d2f00f101f6397f5efaee00bca5440f31578f8e3a61e79a0591a0f7ce73b5eaea94ad1a5

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
220KB

MD5
212cfed392012ebb58ea3ca0d43cfca4

SHA1
ff331c6e73e01be83dca278a623f73c6511271eb

SHA256
fa9b78ce8159a4ee126c3cff5846b3391691a8d88c18d659661c693bf4963118

SHA512
d080670ea55050f94b4e3a45e51ca2e3ed88b950445b9ef483107040d2f00f101f6397f5efaee00bca5440f31578f8e3a61e79a0591a0f7ce73b5eaea94ad1a5

Download Submit
memory/1500-56-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/1500-58-0x0000000074381000-0x0000000074383000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads