11c1ba20732e3766fad4b2d512576335f03b1d748e6d6e58461d5f70da69d68b

Analysis

max time kernel
126s
max time network
51s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 18:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

11c1ba20732e3766fad4b2d512576335f03b1d748e6d6e58461d5f70da69d68b.exe
Size

238KB
MD5

07b7b3bc960cb41c13bc784d06747a49
SHA1

6cd96f5e4292a239c80033d6b7444d6e9c56d320
SHA256

11c1ba20732e3766fad4b2d512576335f03b1d748e6d6e58461d5f70da69d68b
SHA512

47dd8e3168243cc32c8f5a1bceb0d86d86d7f36e42c343a397c82cbb3301549f1eb49f548f3db1f6d01717a77cbbda590bd67f272d584b99e314b3bcbaa243f6
SSDEEP

3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCm/DER4eQyMWoe0c8TilDcq1FG4JDP8Kn:gDCwfG1bnxLERRh5yc8TO91FG4JDPfn

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	11c1ba20732e3766fad4b2d512576335f03b1d748e6d6e58461d5f70da69d68b.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	11c1ba20732e3766fad4b2d512576335f03b1d748e6d6e58461d5f70da69d68b.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RYNKSFQE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RYNKSFQE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RYNKSFQE = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
1680	avscan.exe
1696	avscan.exe
680	hosts.exe
1464	hosts.exe
2036	avscan.exe
1412	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
1444	11c1ba20732e3766fad4b2d512576335f03b1d748e6d6e58461d5f70da69d68b.exe
1444	11c1ba20732e3766fad4b2d512576335f03b1d748e6d6e58461d5f70da69d68b.exe
1680	avscan.exe
680	hosts.exe
680	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	11c1ba20732e3766fad4b2d512576335f03b1d748e6d6e58461d5f70da69d68b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	11c1ba20732e3766fad4b2d512576335f03b1d748e6d6e58461d5f70da69d68b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\hosts.exe	11c1ba20732e3766fad4b2d512576335f03b1d748e6d6e58461d5f70da69d68b.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	11c1ba20732e3766fad4b2d512576335f03b1d748e6d6e58461d5f70da69d68b.exe
File created	\??\c:\windows\W_X_C.bat	11c1ba20732e3766fad4b2d512576335f03b1d748e6d6e58461d5f70da69d68b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
1964	REG.exe
1404	REG.exe
1716	REG.exe
1564	REG.exe
556	REG.exe
2028	REG.exe
1928	REG.exe
1996	REG.exe
1592	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1680	avscan.exe
680	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1444	11c1ba20732e3766fad4b2d512576335f03b1d748e6d6e58461d5f70da69d68b.exe
1680	avscan.exe
1696	avscan.exe
680	hosts.exe
1464	hosts.exe
2036	avscan.exe
1412	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 1928	1444	11c1ba20732e3766fad4b2d512576335f03b1d748e6d6e58461d5f70da69d68b.exe	27
PID 1444 wrote to memory of 1928	1444	11c1ba20732e3766fad4b2d512576335f03b1d748e6d6e58461d5f70da69d68b.exe	27
PID 1444 wrote to memory of 1928	1444	11c1ba20732e3766fad4b2d512576335f03b1d748e6d6e58461d5f70da69d68b.exe	27
PID 1444 wrote to memory of 1928	1444	11c1ba20732e3766fad4b2d512576335f03b1d748e6d6e58461d5f70da69d68b.exe	27
PID 1444 wrote to memory of 1680	1444	11c1ba20732e3766fad4b2d512576335f03b1d748e6d6e58461d5f70da69d68b.exe	29
PID 1444 wrote to memory of 1680	1444	11c1ba20732e3766fad4b2d512576335f03b1d748e6d6e58461d5f70da69d68b.exe	29
PID 1444 wrote to memory of 1680	1444	11c1ba20732e3766fad4b2d512576335f03b1d748e6d6e58461d5f70da69d68b.exe	29
PID 1444 wrote to memory of 1680	1444	11c1ba20732e3766fad4b2d512576335f03b1d748e6d6e58461d5f70da69d68b.exe	29
PID 1680 wrote to memory of 1696	1680	avscan.exe	30
PID 1680 wrote to memory of 1696	1680	avscan.exe	30
PID 1680 wrote to memory of 1696	1680	avscan.exe	30
PID 1680 wrote to memory of 1696	1680	avscan.exe	30
PID 1680 wrote to memory of 772	1680	avscan.exe	31
PID 1680 wrote to memory of 772	1680	avscan.exe	31
PID 1680 wrote to memory of 772	1680	avscan.exe	31
PID 1680 wrote to memory of 772	1680	avscan.exe	31
PID 1444 wrote to memory of 536	1444	11c1ba20732e3766fad4b2d512576335f03b1d748e6d6e58461d5f70da69d68b.exe	32
PID 1444 wrote to memory of 536	1444	11c1ba20732e3766fad4b2d512576335f03b1d748e6d6e58461d5f70da69d68b.exe	32
PID 1444 wrote to memory of 536	1444	11c1ba20732e3766fad4b2d512576335f03b1d748e6d6e58461d5f70da69d68b.exe	32
PID 1444 wrote to memory of 536	1444	11c1ba20732e3766fad4b2d512576335f03b1d748e6d6e58461d5f70da69d68b.exe	32
PID 772 wrote to memory of 680	772	cmd.exe	36
PID 772 wrote to memory of 680	772	cmd.exe	36
PID 772 wrote to memory of 680	772	cmd.exe	36
PID 772 wrote to memory of 680	772	cmd.exe	36
PID 536 wrote to memory of 1464	536	cmd.exe	35
PID 536 wrote to memory of 1464	536	cmd.exe	35
PID 536 wrote to memory of 1464	536	cmd.exe	35
PID 536 wrote to memory of 1464	536	cmd.exe	35
PID 680 wrote to memory of 2036	680	hosts.exe	37
PID 680 wrote to memory of 2036	680	hosts.exe	37
PID 680 wrote to memory of 2036	680	hosts.exe	37
PID 680 wrote to memory of 2036	680	hosts.exe	37
PID 772 wrote to memory of 1480	772	cmd.exe	38
PID 772 wrote to memory of 1480	772	cmd.exe	38
PID 772 wrote to memory of 1480	772	cmd.exe	38
PID 772 wrote to memory of 1480	772	cmd.exe	38
PID 536 wrote to memory of 1916	536	cmd.exe	39
PID 536 wrote to memory of 1916	536	cmd.exe	39
PID 536 wrote to memory of 1916	536	cmd.exe	39
PID 536 wrote to memory of 1916	536	cmd.exe	39
PID 680 wrote to memory of 856	680	hosts.exe	40
PID 680 wrote to memory of 856	680	hosts.exe	40
PID 680 wrote to memory of 856	680	hosts.exe	40
PID 680 wrote to memory of 856	680	hosts.exe	40
PID 856 wrote to memory of 1412	856	cmd.exe	42
PID 856 wrote to memory of 1412	856	cmd.exe	42
PID 856 wrote to memory of 1412	856	cmd.exe	42
PID 856 wrote to memory of 1412	856	cmd.exe	42
PID 856 wrote to memory of 1960	856	cmd.exe	43
PID 856 wrote to memory of 1960	856	cmd.exe	43
PID 856 wrote to memory of 1960	856	cmd.exe	43
PID 856 wrote to memory of 1960	856	cmd.exe	43
PID 1680 wrote to memory of 1996	1680	avscan.exe	44
PID 1680 wrote to memory of 1996	1680	avscan.exe	44
PID 1680 wrote to memory of 1996	1680	avscan.exe	44
PID 1680 wrote to memory of 1996	1680	avscan.exe	44
PID 680 wrote to memory of 1964	680	hosts.exe	46
PID 680 wrote to memory of 1964	680	hosts.exe	46
PID 680 wrote to memory of 1964	680	hosts.exe	46
PID 680 wrote to memory of 1964	680	hosts.exe	46
PID 1680 wrote to memory of 1716	1680	avscan.exe	49
PID 1680 wrote to memory of 1716	1680	avscan.exe	49
PID 1680 wrote to memory of 1716	1680	avscan.exe	49
PID 1680 wrote to memory of 1716	1680	avscan.exe	49

C:\Users\Admin\AppData\Local\Temp\11c1ba20732e3766fad4b2d512576335f03b1d748e6d6e58461d5f70da69d68b.exe
"C:\Users\Admin\AppData\Local\Temp\11c1ba20732e3766fad4b2d512576335f03b1d748e6d6e58461d5f70da69d68b.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:1928
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1696
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:772
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:680
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2036
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\W_X_C.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:856
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1412
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:1960
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1964
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1404
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1564
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:2028
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:1480
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1996
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1716
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1592
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:556
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1464
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:1916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
286KB

MD5
6faa139cd615b637493464c30aecfcd0

SHA1
eeb7e2f03d7025fb4dca038bcca859375e959941

SHA256
18f19fae9981b8526371f6a1c4bedc5cb2d6837c8bfe0f86e143504add0f3dd7

SHA512
9b9139543dc724d98dab2c710d98ed51ad2535a77543682fdab9f74085632adb0b8e6963f8b1aeaf68bd34fc3d2281779da44ef5e53fbe261e7c21e31b2f6331

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
762KB

MD5
387775dd2e3e36c6cad1620d591d2cc2

SHA1
fcbc4793b8e559cfca9aa6609316c04b9c18f1eb

SHA256
a0d268c4b1581d6880f011d41c651c97f05a46a912cfecbdc15d85dad4e44275

SHA512
634e7e18e64002871cf0f57ce9cd735da24cd17137e3ec61cc74cb262f6ce3162020a7ceaee8d7e71413749ca5cd5cc5bae68ccd37b231841c9933a53055988d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.2MB

MD5
f956bb9c12840b5e230f7cb919db59e5

SHA1
2b9e6563e93221ccf39e13b057d28f38d394e717

SHA256
85f151256005c31ec4eaeffea2c16307c9c8bd46199b187cf796f89db97a38b4

SHA512
62017206eec2bd746a8afd867ef2026c3495862ba43dc5b00f72dc57b37f601c2f42215ba149160309f34ad600c6a608c4f8b3e8a0bd35f6b7d298600a44c736

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.2MB

MD5
feaf876ac32ee515489f7cf2c86a659f

SHA1
fb49c6ef1d98800d9df158ef836a73201184c551

SHA256
25a83417b1d9761ff4793b49655978ee92444a6fe639917b813248aa56dcb972

SHA512
4f73aba6f0f8e99608436ebf5aa73d210182b601e28294bd3d0abe0f83136282dc60441cf202e8afb0d10179758e9ab9a25d510574eccf72a89d79d0c1b9e82d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.7MB

MD5
37412070e0a2aa331f335ce8b6a7f954

SHA1
879cd85e4cd6ff943489cea03cb361a9247d9ff9

SHA256
6d6484fccdf16318891b2c8ef53d8a004ebd3ce6be11a3a6b2c1de4cd480a56b

SHA512
6ccfc7d481956be307e871d5fccf2c05f2e70e5ccf8aa922bf36516ac26d10279b67e996694c4dc9adc7f847be3b278f6ec4e9d1718f6ea70a5009c01d87bc20

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.7MB

MD5
30b9f2c1938664dc09183c5a44cc802c

SHA1
e2500b04cb52ea582235c16317ce805bab3b1b4e

SHA256
1552ec3a285fa4f6cd9ecdbdbab9ac943254deba1d3cef27febaadba5e224690

SHA512
f18edf4e245639a035aed77cc596fc01f8ade3e22992fd190c2736379278a395659a643832869079a1b48747126d49205c9a0f60e86ad5cf9874ff53d13b0101

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
238KB

MD5
a80cb0fafb4aaa36409c9c06fbc2ed64

SHA1
976994eebd9ef9c95de5fe6a98bc09c718e2bddc

SHA256
aeef79c8e144c9cd4d0391f1b4e71e7267468a33baa24c927e426cc6de562183

SHA512
c144bba516f2b5fd8152edd5f1c7c5e82bc5a03973df2ace5cd5021a8882a06badb769fa3d51bdfec52265ddf18c7254aed6d1f20455a12d4c5af882b3b60f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
238KB

MD5
a80cb0fafb4aaa36409c9c06fbc2ed64

SHA1
976994eebd9ef9c95de5fe6a98bc09c718e2bddc

SHA256
aeef79c8e144c9cd4d0391f1b4e71e7267468a33baa24c927e426cc6de562183

SHA512
c144bba516f2b5fd8152edd5f1c7c5e82bc5a03973df2ace5cd5021a8882a06badb769fa3d51bdfec52265ddf18c7254aed6d1f20455a12d4c5af882b3b60f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
238KB

MD5
a80cb0fafb4aaa36409c9c06fbc2ed64

SHA1
976994eebd9ef9c95de5fe6a98bc09c718e2bddc

SHA256
aeef79c8e144c9cd4d0391f1b4e71e7267468a33baa24c927e426cc6de562183

SHA512
c144bba516f2b5fd8152edd5f1c7c5e82bc5a03973df2ace5cd5021a8882a06badb769fa3d51bdfec52265ddf18c7254aed6d1f20455a12d4c5af882b3b60f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
238KB

MD5
a80cb0fafb4aaa36409c9c06fbc2ed64

SHA1
976994eebd9ef9c95de5fe6a98bc09c718e2bddc

SHA256
aeef79c8e144c9cd4d0391f1b4e71e7267468a33baa24c927e426cc6de562183

SHA512
c144bba516f2b5fd8152edd5f1c7c5e82bc5a03973df2ace5cd5021a8882a06badb769fa3d51bdfec52265ddf18c7254aed6d1f20455a12d4c5af882b3b60f82

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
8efab902a61f6cddc318bb5818c2f2e0

SHA1
9608751279ae04ba710d84c61e3937c12950b393

SHA256
a81d0e86c651ead3e4d9c7f64e637006e787c81c8ba3e784648c2786306bfb87

SHA512
aabd0e45609a39584c68c35e16124b399e9a4932bf6c98c22aa8c6ff71b2fbfc80333102960fcfca1abb38b344245f9cdf4cdc0c827c48235f618011a5fbfe18

Download Submit
C:\Windows\hosts.exe

Filesize
238KB

MD5
52c671e377016ee8f9157bd6ca0dea81

SHA1
7a16c18a73917511c0085d89ab52873163f489d1

SHA256
6001e3e187017147f07b0ab2efb4454a0f24e20a3b8f570234461bcfa61ea9d0

SHA512
525024843e64f067807e1f51bf5ec2336ad5ea62a68366a4991d34f9f6dacbd47e186aa8cd452f5e24190e5a8517521382620ea15b3a6c72fbe22ad049002f2c

Download Submit
C:\Windows\hosts.exe

Filesize
238KB

MD5
52c671e377016ee8f9157bd6ca0dea81

SHA1
7a16c18a73917511c0085d89ab52873163f489d1

SHA256
6001e3e187017147f07b0ab2efb4454a0f24e20a3b8f570234461bcfa61ea9d0

SHA512
525024843e64f067807e1f51bf5ec2336ad5ea62a68366a4991d34f9f6dacbd47e186aa8cd452f5e24190e5a8517521382620ea15b3a6c72fbe22ad049002f2c

Download Submit
C:\Windows\hosts.exe

Filesize
238KB

MD5
52c671e377016ee8f9157bd6ca0dea81

SHA1
7a16c18a73917511c0085d89ab52873163f489d1

SHA256
6001e3e187017147f07b0ab2efb4454a0f24e20a3b8f570234461bcfa61ea9d0

SHA512
525024843e64f067807e1f51bf5ec2336ad5ea62a68366a4991d34f9f6dacbd47e186aa8cd452f5e24190e5a8517521382620ea15b3a6c72fbe22ad049002f2c

Download Submit
C:\Windows\hosts.exe

Filesize
238KB

MD5
52c671e377016ee8f9157bd6ca0dea81

SHA1
7a16c18a73917511c0085d89ab52873163f489d1

SHA256
6001e3e187017147f07b0ab2efb4454a0f24e20a3b8f570234461bcfa61ea9d0

SHA512
525024843e64f067807e1f51bf5ec2336ad5ea62a68366a4991d34f9f6dacbd47e186aa8cd452f5e24190e5a8517521382620ea15b3a6c72fbe22ad049002f2c

Download Submit
C:\windows\hosts.exe

Filesize
238KB

MD5
52c671e377016ee8f9157bd6ca0dea81

SHA1
7a16c18a73917511c0085d89ab52873163f489d1

SHA256
6001e3e187017147f07b0ab2efb4454a0f24e20a3b8f570234461bcfa61ea9d0

SHA512
525024843e64f067807e1f51bf5ec2336ad5ea62a68366a4991d34f9f6dacbd47e186aa8cd452f5e24190e5a8517521382620ea15b3a6c72fbe22ad049002f2c

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
238KB

MD5
a80cb0fafb4aaa36409c9c06fbc2ed64

SHA1
976994eebd9ef9c95de5fe6a98bc09c718e2bddc

SHA256
aeef79c8e144c9cd4d0391f1b4e71e7267468a33baa24c927e426cc6de562183

SHA512
c144bba516f2b5fd8152edd5f1c7c5e82bc5a03973df2ace5cd5021a8882a06badb769fa3d51bdfec52265ddf18c7254aed6d1f20455a12d4c5af882b3b60f82

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
238KB

MD5
a80cb0fafb4aaa36409c9c06fbc2ed64

SHA1
976994eebd9ef9c95de5fe6a98bc09c718e2bddc

SHA256
aeef79c8e144c9cd4d0391f1b4e71e7267468a33baa24c927e426cc6de562183

SHA512
c144bba516f2b5fd8152edd5f1c7c5e82bc5a03973df2ace5cd5021a8882a06badb769fa3d51bdfec52265ddf18c7254aed6d1f20455a12d4c5af882b3b60f82

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
238KB

MD5
a80cb0fafb4aaa36409c9c06fbc2ed64

SHA1
976994eebd9ef9c95de5fe6a98bc09c718e2bddc

SHA256
aeef79c8e144c9cd4d0391f1b4e71e7267468a33baa24c927e426cc6de562183

SHA512
c144bba516f2b5fd8152edd5f1c7c5e82bc5a03973df2ace5cd5021a8882a06badb769fa3d51bdfec52265ddf18c7254aed6d1f20455a12d4c5af882b3b60f82

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
238KB

MD5
a80cb0fafb4aaa36409c9c06fbc2ed64

SHA1
976994eebd9ef9c95de5fe6a98bc09c718e2bddc

SHA256
aeef79c8e144c9cd4d0391f1b4e71e7267468a33baa24c927e426cc6de562183

SHA512
c144bba516f2b5fd8152edd5f1c7c5e82bc5a03973df2ace5cd5021a8882a06badb769fa3d51bdfec52265ddf18c7254aed6d1f20455a12d4c5af882b3b60f82

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
238KB

MD5
a80cb0fafb4aaa36409c9c06fbc2ed64

SHA1
976994eebd9ef9c95de5fe6a98bc09c718e2bddc

SHA256
aeef79c8e144c9cd4d0391f1b4e71e7267468a33baa24c927e426cc6de562183

SHA512
c144bba516f2b5fd8152edd5f1c7c5e82bc5a03973df2ace5cd5021a8882a06badb769fa3d51bdfec52265ddf18c7254aed6d1f20455a12d4c5af882b3b60f82

Download Submit
memory/1444-56-0x0000000075D71000-0x0000000075D73000-memory.dmp

Filesize
8KB

Download
memory/1444-58-0x0000000074721000-0x0000000074723000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads