2607f044ff766d27493b4c42fb6dd7b2dd4c50cbb4b916f22e7e023479004bef

Analysis

max time kernel
124s
max time network
51s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
07-11-2022 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2607f044ff766d27493b4c42fb6dd7b2dd4c50cbb4b916f22e7e023479004bef.exe
Size

207KB
MD5

0f5e7c4efcd50e0f8eb1695276a951b9
SHA1

17cc25ca6e577f15444b19038051e475df80861b
SHA256

2607f044ff766d27493b4c42fb6dd7b2dd4c50cbb4b916f22e7e023479004bef
SHA512

c5be03e751f63d85bba0e099b9ec32d3cd4f2d21e4b337fbd223a3b1dd969418c8001b9546a9eea30de9f2e9185a7d375e7b191b314c5b5f87b9ee1b1e388b5e
SSDEEP

3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCm/DER4eQ8O7ZnX:gDCwfG1bnxLERRU7d

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2607f044ff766d27493b4c42fb6dd7b2dd4c50cbb4b916f22e7e023479004bef.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	2607f044ff766d27493b4c42fb6dd7b2dd4c50cbb4b916f22e7e023479004bef.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RYNKSFQE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RYNKSFQE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RYNKSFQE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
760	avscan.exe
360	avscan.exe
1028	hosts.exe
1364	hosts.exe
1868	avscan.exe
924	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
1308	2607f044ff766d27493b4c42fb6dd7b2dd4c50cbb4b916f22e7e023479004bef.exe
1308	2607f044ff766d27493b4c42fb6dd7b2dd4c50cbb4b916f22e7e023479004bef.exe
760	avscan.exe
1364	hosts.exe
1364	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	2607f044ff766d27493b4c42fb6dd7b2dd4c50cbb4b916f22e7e023479004bef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	2607f044ff766d27493b4c42fb6dd7b2dd4c50cbb4b916f22e7e023479004bef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	2607f044ff766d27493b4c42fb6dd7b2dd4c50cbb4b916f22e7e023479004bef.exe
File created	\??\c:\windows\W_X_C.bat	2607f044ff766d27493b4c42fb6dd7b2dd4c50cbb4b916f22e7e023479004bef.exe
File opened for modification	C:\Windows\hosts.exe	2607f044ff766d27493b4c42fb6dd7b2dd4c50cbb4b916f22e7e023479004bef.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
892	REG.exe
1976	REG.exe
1220	REG.exe
1356	REG.exe
284	REG.exe
1692	REG.exe
1172	REG.exe
1740	REG.exe
556	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
760	avscan.exe
1364	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1308	2607f044ff766d27493b4c42fb6dd7b2dd4c50cbb4b916f22e7e023479004bef.exe
760	avscan.exe
360	avscan.exe
1364	hosts.exe
1028	hosts.exe
1868	avscan.exe
924	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 1220	1308	2607f044ff766d27493b4c42fb6dd7b2dd4c50cbb4b916f22e7e023479004bef.exe	27
PID 1308 wrote to memory of 1220	1308	2607f044ff766d27493b4c42fb6dd7b2dd4c50cbb4b916f22e7e023479004bef.exe	27
PID 1308 wrote to memory of 1220	1308	2607f044ff766d27493b4c42fb6dd7b2dd4c50cbb4b916f22e7e023479004bef.exe	27
PID 1308 wrote to memory of 1220	1308	2607f044ff766d27493b4c42fb6dd7b2dd4c50cbb4b916f22e7e023479004bef.exe	27
PID 1308 wrote to memory of 760	1308	2607f044ff766d27493b4c42fb6dd7b2dd4c50cbb4b916f22e7e023479004bef.exe	29
PID 1308 wrote to memory of 760	1308	2607f044ff766d27493b4c42fb6dd7b2dd4c50cbb4b916f22e7e023479004bef.exe	29
PID 1308 wrote to memory of 760	1308	2607f044ff766d27493b4c42fb6dd7b2dd4c50cbb4b916f22e7e023479004bef.exe	29
PID 1308 wrote to memory of 760	1308	2607f044ff766d27493b4c42fb6dd7b2dd4c50cbb4b916f22e7e023479004bef.exe	29
PID 760 wrote to memory of 360	760	avscan.exe	30
PID 760 wrote to memory of 360	760	avscan.exe	30
PID 760 wrote to memory of 360	760	avscan.exe	30
PID 760 wrote to memory of 360	760	avscan.exe	30
PID 760 wrote to memory of 1020	760	avscan.exe	31
PID 760 wrote to memory of 1020	760	avscan.exe	31
PID 760 wrote to memory of 1020	760	avscan.exe	31
PID 760 wrote to memory of 1020	760	avscan.exe	31
PID 1308 wrote to memory of 1472	1308	2607f044ff766d27493b4c42fb6dd7b2dd4c50cbb4b916f22e7e023479004bef.exe	32
PID 1308 wrote to memory of 1472	1308	2607f044ff766d27493b4c42fb6dd7b2dd4c50cbb4b916f22e7e023479004bef.exe	32
PID 1308 wrote to memory of 1472	1308	2607f044ff766d27493b4c42fb6dd7b2dd4c50cbb4b916f22e7e023479004bef.exe	32
PID 1308 wrote to memory of 1472	1308	2607f044ff766d27493b4c42fb6dd7b2dd4c50cbb4b916f22e7e023479004bef.exe	32
PID 1472 wrote to memory of 1028	1472	cmd.exe	35
PID 1472 wrote to memory of 1028	1472	cmd.exe	35
PID 1472 wrote to memory of 1028	1472	cmd.exe	35
PID 1472 wrote to memory of 1028	1472	cmd.exe	35
PID 1020 wrote to memory of 1364	1020	cmd.exe	36
PID 1020 wrote to memory of 1364	1020	cmd.exe	36
PID 1020 wrote to memory of 1364	1020	cmd.exe	36
PID 1020 wrote to memory of 1364	1020	cmd.exe	36
PID 1364 wrote to memory of 1868	1364	hosts.exe	37
PID 1364 wrote to memory of 1868	1364	hosts.exe	37
PID 1364 wrote to memory of 1868	1364	hosts.exe	37
PID 1364 wrote to memory of 1868	1364	hosts.exe	37
PID 1020 wrote to memory of 2016	1020	cmd.exe	39
PID 1020 wrote to memory of 2016	1020	cmd.exe	39
PID 1020 wrote to memory of 2016	1020	cmd.exe	39
PID 1020 wrote to memory of 2016	1020	cmd.exe	39
PID 1472 wrote to memory of 968	1472	cmd.exe	38
PID 1472 wrote to memory of 968	1472	cmd.exe	38
PID 1472 wrote to memory of 968	1472	cmd.exe	38
PID 1472 wrote to memory of 968	1472	cmd.exe	38
PID 1364 wrote to memory of 1852	1364	hosts.exe	40
PID 1364 wrote to memory of 1852	1364	hosts.exe	40
PID 1364 wrote to memory of 1852	1364	hosts.exe	40
PID 1364 wrote to memory of 1852	1364	hosts.exe	40
PID 1852 wrote to memory of 924	1852	cmd.exe	42
PID 1852 wrote to memory of 924	1852	cmd.exe	42
PID 1852 wrote to memory of 924	1852	cmd.exe	42
PID 1852 wrote to memory of 924	1852	cmd.exe	42
PID 1852 wrote to memory of 1444	1852	cmd.exe	43
PID 1852 wrote to memory of 1444	1852	cmd.exe	43
PID 1852 wrote to memory of 1444	1852	cmd.exe	43
PID 1852 wrote to memory of 1444	1852	cmd.exe	43
PID 760 wrote to memory of 1740	760	avscan.exe	44
PID 760 wrote to memory of 1740	760	avscan.exe	44
PID 760 wrote to memory of 1740	760	avscan.exe	44
PID 760 wrote to memory of 1740	760	avscan.exe	44
PID 1364 wrote to memory of 1356	1364	hosts.exe	46
PID 1364 wrote to memory of 1356	1364	hosts.exe	46
PID 1364 wrote to memory of 1356	1364	hosts.exe	46
PID 1364 wrote to memory of 1356	1364	hosts.exe	46
PID 760 wrote to memory of 556	760	avscan.exe	48
PID 760 wrote to memory of 556	760	avscan.exe	48
PID 760 wrote to memory of 556	760	avscan.exe	48
PID 760 wrote to memory of 556	760	avscan.exe	48

C:\Users\Admin\AppData\Local\Temp\2607f044ff766d27493b4c42fb6dd7b2dd4c50cbb4b916f22e7e023479004bef.exe
"C:\Users\Admin\AppData\Local\Temp\2607f044ff766d27493b4c42fb6dd7b2dd4c50cbb4b916f22e7e023479004bef.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:1220
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:760
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:360
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1020
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1364
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1868
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\W_X_C.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1852
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:924
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:1444
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1356
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:892
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1692
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1976
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:2016
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1740
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:556
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:284
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1172
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1028
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
462KB

MD5
af8e279b881273c6514c3c67dd048250

SHA1
e0b95b979ac9625b693910f645480da5a6c4ab2b

SHA256
64e03e26aa2ab478f14bbd19e5b937202ca3ff991fb56a70f8f1ac2b92e43007

SHA512
6eff04b442b106560db4615faaf4367af38e1cc2b7fe75705f0a790590ce6e638d1e5bda4acf97384b01368c155f5e60de783e907195579cd4e911c891216f66

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
669KB

MD5
90080509d882f0202e16c51e41a0812a

SHA1
09d9b6134752183a62416c57b943adc9ed59d23a

SHA256
35bd6189e00a25a444c612afec1254e56e98373a04ceaa1a31c9ca8554c2fec3

SHA512
3ea41c1f5d415287e3cfca7b5dbd15ad1477bf4c38c932e578b9c22dcf4d50c05246bb3a267d7405049428b561a48b5a668309be03cf62e0138c24b084a46156

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
877KB

MD5
4d7c64bcaffa146a1f7dc38349f51103

SHA1
68549ada8447e606962759e9eddd77223e68a237

SHA256
54d83eaa38dc64740c660955704dfd5ee7be560a87fa5ceacd76eb0832988ac0

SHA512
7cbd6d493bca8d7ee06dd13d9b4bab7b363f04d93571400f8687a4f3c005ebc87f9f1600faf768231be2d3aa706240145e5557ebc6629a5a0a68168b9dd98742

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.1MB

MD5
dc84d150586dfb1f1350b9d29ecdc2c2

SHA1
cadd2d4347ff1808a463f138cb5051b5b564ffc7

SHA256
2138c401f85e3d10b162faabe52cab79fa6d21778827131a3fe5c84cf4fc205d

SHA512
94c3531404b565cdfe90bcfa3c8a281523fd7cc32db0044fb2da9fb94dc500f773e96722bf79a8117c4a8e3afe29eb6a093dbde1a26f4562e16877172d5ea8f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.1MB

MD5
dc84d150586dfb1f1350b9d29ecdc2c2

SHA1
cadd2d4347ff1808a463f138cb5051b5b564ffc7

SHA256
2138c401f85e3d10b162faabe52cab79fa6d21778827131a3fe5c84cf4fc205d

SHA512
94c3531404b565cdfe90bcfa3c8a281523fd7cc32db0044fb2da9fb94dc500f773e96722bf79a8117c4a8e3afe29eb6a093dbde1a26f4562e16877172d5ea8f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.5MB

MD5
45fc629cd0d83765b2343845c5dcdb49

SHA1
873391aa7fb9f8775f1ef9573e15afe93f2b8374

SHA256
ad8710799ceaf23c4021969f7e0740bc90dfc42ebcc87e4467035bfa7c884c29

SHA512
f07bfc96d218bc1f7b8d8f56f456aaf717fd4a2a007d57625ce23527dcb45a99813b722ef2b29ae2a36bc030937ed8b88fcee71474d335d9782f81d0097b00e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.7MB

MD5
2d816168bc7311f80c61449b7bcc6053

SHA1
693a17bd5ad5b5dfe48af908ef33a8f055a8e832

SHA256
617f4cd980e76aca3997aed5edbbe3e7254155ad56d3f77b9709d12891322d60

SHA512
c80674503188bf6671b65dbc1d12a902f925e6641d2d3af8b8d5e59e014e8430e6304bdb058c323d968905d7ccded783d1f9b21d3ae4533edda12ea538908dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
207KB

MD5
2ad27c0a7038edca079063873f14eb3e

SHA1
851b92b1ef622901df26f631250dffa277e4e07f

SHA256
9a1c7c3833a02b39684f32b06b1e9d704ee7857a2878e2485b2afbe14cf3b570

SHA512
2f0bbb60c467a84f654e46df57dc62494311cf27c2735778b4d6339066bee8bdb90576a8a350c5f6ac443f83db8bdce9feeb915fb2dc1d69755618bbc0470ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
207KB

MD5
2ad27c0a7038edca079063873f14eb3e

SHA1
851b92b1ef622901df26f631250dffa277e4e07f

SHA256
9a1c7c3833a02b39684f32b06b1e9d704ee7857a2878e2485b2afbe14cf3b570

SHA512
2f0bbb60c467a84f654e46df57dc62494311cf27c2735778b4d6339066bee8bdb90576a8a350c5f6ac443f83db8bdce9feeb915fb2dc1d69755618bbc0470ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
207KB

MD5
2ad27c0a7038edca079063873f14eb3e

SHA1
851b92b1ef622901df26f631250dffa277e4e07f

SHA256
9a1c7c3833a02b39684f32b06b1e9d704ee7857a2878e2485b2afbe14cf3b570

SHA512
2f0bbb60c467a84f654e46df57dc62494311cf27c2735778b4d6339066bee8bdb90576a8a350c5f6ac443f83db8bdce9feeb915fb2dc1d69755618bbc0470ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
207KB

MD5
2ad27c0a7038edca079063873f14eb3e

SHA1
851b92b1ef622901df26f631250dffa277e4e07f

SHA256
9a1c7c3833a02b39684f32b06b1e9d704ee7857a2878e2485b2afbe14cf3b570

SHA512
2f0bbb60c467a84f654e46df57dc62494311cf27c2735778b4d6339066bee8bdb90576a8a350c5f6ac443f83db8bdce9feeb915fb2dc1d69755618bbc0470ec3

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
8efab902a61f6cddc318bb5818c2f2e0

SHA1
9608751279ae04ba710d84c61e3937c12950b393

SHA256
a81d0e86c651ead3e4d9c7f64e637006e787c81c8ba3e784648c2786306bfb87

SHA512
aabd0e45609a39584c68c35e16124b399e9a4932bf6c98c22aa8c6ff71b2fbfc80333102960fcfca1abb38b344245f9cdf4cdc0c827c48235f618011a5fbfe18

Download Submit
C:\Windows\hosts.exe

Filesize
207KB

MD5
7ef267f912c769ad8b612867d187269f

SHA1
b39fb2f38fa26af6664c75fe1f9a3d156ff65cd1

SHA256
ae6f9925ee092dc624f7cf9f763e1012638c59c33be407fc6718c29ab524a13f

SHA512
d3c18eee3b78a074d057aeacf8bf2b6a13bc6177180e9d3df1e1186e0841f3e60d516ad1ae3a7890d5e0a453b9dc1641d63cc62a62acbdf211147a786540fa37

Download Submit
C:\Windows\hosts.exe

Filesize
207KB

MD5
7ef267f912c769ad8b612867d187269f

SHA1
b39fb2f38fa26af6664c75fe1f9a3d156ff65cd1

SHA256
ae6f9925ee092dc624f7cf9f763e1012638c59c33be407fc6718c29ab524a13f

SHA512
d3c18eee3b78a074d057aeacf8bf2b6a13bc6177180e9d3df1e1186e0841f3e60d516ad1ae3a7890d5e0a453b9dc1641d63cc62a62acbdf211147a786540fa37

Download Submit
C:\Windows\hosts.exe

Filesize
207KB

MD5
7ef267f912c769ad8b612867d187269f

SHA1
b39fb2f38fa26af6664c75fe1f9a3d156ff65cd1

SHA256
ae6f9925ee092dc624f7cf9f763e1012638c59c33be407fc6718c29ab524a13f

SHA512
d3c18eee3b78a074d057aeacf8bf2b6a13bc6177180e9d3df1e1186e0841f3e60d516ad1ae3a7890d5e0a453b9dc1641d63cc62a62acbdf211147a786540fa37

Download Submit
C:\Windows\hosts.exe

Filesize
207KB

MD5
7ef267f912c769ad8b612867d187269f

SHA1
b39fb2f38fa26af6664c75fe1f9a3d156ff65cd1

SHA256
ae6f9925ee092dc624f7cf9f763e1012638c59c33be407fc6718c29ab524a13f

SHA512
d3c18eee3b78a074d057aeacf8bf2b6a13bc6177180e9d3df1e1186e0841f3e60d516ad1ae3a7890d5e0a453b9dc1641d63cc62a62acbdf211147a786540fa37

Download Submit
C:\windows\hosts.exe

Filesize
207KB

MD5
7ef267f912c769ad8b612867d187269f

SHA1
b39fb2f38fa26af6664c75fe1f9a3d156ff65cd1

SHA256
ae6f9925ee092dc624f7cf9f763e1012638c59c33be407fc6718c29ab524a13f

SHA512
d3c18eee3b78a074d057aeacf8bf2b6a13bc6177180e9d3df1e1186e0841f3e60d516ad1ae3a7890d5e0a453b9dc1641d63cc62a62acbdf211147a786540fa37

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
207KB

MD5
2ad27c0a7038edca079063873f14eb3e

SHA1
851b92b1ef622901df26f631250dffa277e4e07f

SHA256
9a1c7c3833a02b39684f32b06b1e9d704ee7857a2878e2485b2afbe14cf3b570

SHA512
2f0bbb60c467a84f654e46df57dc62494311cf27c2735778b4d6339066bee8bdb90576a8a350c5f6ac443f83db8bdce9feeb915fb2dc1d69755618bbc0470ec3

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
207KB

MD5
2ad27c0a7038edca079063873f14eb3e

SHA1
851b92b1ef622901df26f631250dffa277e4e07f

SHA256
9a1c7c3833a02b39684f32b06b1e9d704ee7857a2878e2485b2afbe14cf3b570

SHA512
2f0bbb60c467a84f654e46df57dc62494311cf27c2735778b4d6339066bee8bdb90576a8a350c5f6ac443f83db8bdce9feeb915fb2dc1d69755618bbc0470ec3

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
207KB

MD5
2ad27c0a7038edca079063873f14eb3e

SHA1
851b92b1ef622901df26f631250dffa277e4e07f

SHA256
9a1c7c3833a02b39684f32b06b1e9d704ee7857a2878e2485b2afbe14cf3b570

SHA512
2f0bbb60c467a84f654e46df57dc62494311cf27c2735778b4d6339066bee8bdb90576a8a350c5f6ac443f83db8bdce9feeb915fb2dc1d69755618bbc0470ec3

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
207KB

MD5
2ad27c0a7038edca079063873f14eb3e

SHA1
851b92b1ef622901df26f631250dffa277e4e07f

SHA256
9a1c7c3833a02b39684f32b06b1e9d704ee7857a2878e2485b2afbe14cf3b570

SHA512
2f0bbb60c467a84f654e46df57dc62494311cf27c2735778b4d6339066bee8bdb90576a8a350c5f6ac443f83db8bdce9feeb915fb2dc1d69755618bbc0470ec3

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
207KB

MD5
2ad27c0a7038edca079063873f14eb3e

SHA1
851b92b1ef622901df26f631250dffa277e4e07f

SHA256
9a1c7c3833a02b39684f32b06b1e9d704ee7857a2878e2485b2afbe14cf3b570

SHA512
2f0bbb60c467a84f654e46df57dc62494311cf27c2735778b4d6339066bee8bdb90576a8a350c5f6ac443f83db8bdce9feeb915fb2dc1d69755618bbc0470ec3

Download Submit
memory/284-114-0x0000000000000000-mapping.dmp

Download
memory/360-68-0x0000000000000000-mapping.dmp

Download
memory/556-110-0x0000000000000000-mapping.dmp

Download
memory/760-61-0x0000000000000000-mapping.dmp

Download
memory/892-112-0x0000000000000000-mapping.dmp

Download
memory/924-96-0x0000000000000000-mapping.dmp

Download
memory/968-95-0x0000000000000000-mapping.dmp

Download
memory/1020-73-0x0000000000000000-mapping.dmp

Download
memory/1028-76-0x0000000000000000-mapping.dmp

Download
memory/1172-119-0x0000000000000000-mapping.dmp

Download
memory/1220-57-0x0000000000000000-mapping.dmp

Download
memory/1308-58-0x0000000074041000-0x0000000074043000-memory.dmp

Filesize
8KB

Download
memory/1308-56-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/1356-108-0x0000000000000000-mapping.dmp

Download
memory/1364-77-0x0000000000000000-mapping.dmp

Download
memory/1444-103-0x0000000000000000-mapping.dmp

Download
memory/1472-74-0x0000000000000000-mapping.dmp

Download
memory/1692-116-0x0000000000000000-mapping.dmp

Download
memory/1740-106-0x0000000000000000-mapping.dmp

Download
memory/1852-94-0x0000000000000000-mapping.dmp

Download
memory/1868-86-0x0000000000000000-mapping.dmp

Download
memory/1976-122-0x0000000000000000-mapping.dmp

Download
memory/2016-93-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads