84f9e3fe3e45d1ec2809a510ac1bd2a813cd3464bb9a8dee1857a5ff306b2828

Analysis

max time kernel
136s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84f9e3fe3e45d1ec2809a510ac1bd2a813cd3464bb9a8dee1857a5ff306b2828.exe
Size

226KB
MD5

0d13f8270761d939d0170e7c079d1f32
SHA1

21aa183e1de96e0d73ad7b43107be043cca172db
SHA256

84f9e3fe3e45d1ec2809a510ac1bd2a813cd3464bb9a8dee1857a5ff306b2828
SHA512

f68bf97a2cee8aceb3ac41b068a5d5e58b1621c33db2be6dcc9bece64ce83d41e3be3ae565e0b795e290a6369306d44f8f8b43f56d77d8d5418e6b4ac11bc66b
SSDEEP

3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCm/DER4eQyMWoe0c8TilDcq1svVuaulvCN:gDCwfG1bnxLERRh5yc8TO91XFi

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	84f9e3fe3e45d1ec2809a510ac1bd2a813cd3464bb9a8dee1857a5ff306b2828.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	84f9e3fe3e45d1ec2809a510ac1bd2a813cd3464bb9a8dee1857a5ff306b2828.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ORXGKKZC = "W_X_C.bat"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ORXGKKZC = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ORXGKKZC = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
2008	avscan.exe
2028	avscan.exe
1868	hosts.exe
1516	hosts.exe
1280	avscan.exe
2036	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
1976	84f9e3fe3e45d1ec2809a510ac1bd2a813cd3464bb9a8dee1857a5ff306b2828.exe
1976	84f9e3fe3e45d1ec2809a510ac1bd2a813cd3464bb9a8dee1857a5ff306b2828.exe
2008	avscan.exe
1868	hosts.exe
1868	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	84f9e3fe3e45d1ec2809a510ac1bd2a813cd3464bb9a8dee1857a5ff306b2828.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	84f9e3fe3e45d1ec2809a510ac1bd2a813cd3464bb9a8dee1857a5ff306b2828.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\W_X_C.vbs	84f9e3fe3e45d1ec2809a510ac1bd2a813cd3464bb9a8dee1857a5ff306b2828.exe
File created	\??\c:\windows\W_X_C.bat	84f9e3fe3e45d1ec2809a510ac1bd2a813cd3464bb9a8dee1857a5ff306b2828.exe
File opened for modification	C:\Windows\hosts.exe	84f9e3fe3e45d1ec2809a510ac1bd2a813cd3464bb9a8dee1857a5ff306b2828.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
2000	REG.exe
1112	REG.exe
616	REG.exe
1060	REG.exe
1596	REG.exe
1628	REG.exe
1620	REG.exe
2016	REG.exe
948	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2008	avscan.exe
1868	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1976	84f9e3fe3e45d1ec2809a510ac1bd2a813cd3464bb9a8dee1857a5ff306b2828.exe
2008	avscan.exe
2028	avscan.exe
1868	hosts.exe
1516	hosts.exe
1280	avscan.exe
2036	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2000	1976	84f9e3fe3e45d1ec2809a510ac1bd2a813cd3464bb9a8dee1857a5ff306b2828.exe	26
PID 1976 wrote to memory of 2000	1976	84f9e3fe3e45d1ec2809a510ac1bd2a813cd3464bb9a8dee1857a5ff306b2828.exe	26
PID 1976 wrote to memory of 2000	1976	84f9e3fe3e45d1ec2809a510ac1bd2a813cd3464bb9a8dee1857a5ff306b2828.exe	26
PID 1976 wrote to memory of 2000	1976	84f9e3fe3e45d1ec2809a510ac1bd2a813cd3464bb9a8dee1857a5ff306b2828.exe	26
PID 1976 wrote to memory of 2008	1976	84f9e3fe3e45d1ec2809a510ac1bd2a813cd3464bb9a8dee1857a5ff306b2828.exe	28
PID 1976 wrote to memory of 2008	1976	84f9e3fe3e45d1ec2809a510ac1bd2a813cd3464bb9a8dee1857a5ff306b2828.exe	28
PID 1976 wrote to memory of 2008	1976	84f9e3fe3e45d1ec2809a510ac1bd2a813cd3464bb9a8dee1857a5ff306b2828.exe	28
PID 1976 wrote to memory of 2008	1976	84f9e3fe3e45d1ec2809a510ac1bd2a813cd3464bb9a8dee1857a5ff306b2828.exe	28
PID 2008 wrote to memory of 2028	2008	avscan.exe	29
PID 2008 wrote to memory of 2028	2008	avscan.exe	29
PID 2008 wrote to memory of 2028	2008	avscan.exe	29
PID 2008 wrote to memory of 2028	2008	avscan.exe	29
PID 2008 wrote to memory of 1148	2008	avscan.exe	30
PID 2008 wrote to memory of 1148	2008	avscan.exe	30
PID 2008 wrote to memory of 1148	2008	avscan.exe	30
PID 2008 wrote to memory of 1148	2008	avscan.exe	30
PID 1976 wrote to memory of 1808	1976	84f9e3fe3e45d1ec2809a510ac1bd2a813cd3464bb9a8dee1857a5ff306b2828.exe	31
PID 1976 wrote to memory of 1808	1976	84f9e3fe3e45d1ec2809a510ac1bd2a813cd3464bb9a8dee1857a5ff306b2828.exe	31
PID 1976 wrote to memory of 1808	1976	84f9e3fe3e45d1ec2809a510ac1bd2a813cd3464bb9a8dee1857a5ff306b2828.exe	31
PID 1976 wrote to memory of 1808	1976	84f9e3fe3e45d1ec2809a510ac1bd2a813cd3464bb9a8dee1857a5ff306b2828.exe	31
PID 1808 wrote to memory of 1868	1808	cmd.exe	35
PID 1808 wrote to memory of 1868	1808	cmd.exe	35
PID 1808 wrote to memory of 1868	1808	cmd.exe	35
PID 1808 wrote to memory of 1868	1808	cmd.exe	35
PID 1148 wrote to memory of 1516	1148	cmd.exe	34
PID 1148 wrote to memory of 1516	1148	cmd.exe	34
PID 1148 wrote to memory of 1516	1148	cmd.exe	34
PID 1148 wrote to memory of 1516	1148	cmd.exe	34
PID 1868 wrote to memory of 1280	1868	hosts.exe	36
PID 1868 wrote to memory of 1280	1868	hosts.exe	36
PID 1868 wrote to memory of 1280	1868	hosts.exe	36
PID 1868 wrote to memory of 1280	1868	hosts.exe	36
PID 1868 wrote to memory of 1696	1868	hosts.exe	37
PID 1868 wrote to memory of 1696	1868	hosts.exe	37
PID 1868 wrote to memory of 1696	1868	hosts.exe	37
PID 1868 wrote to memory of 1696	1868	hosts.exe	37
PID 1696 wrote to memory of 2036	1696	cmd.exe	39
PID 1696 wrote to memory of 2036	1696	cmd.exe	39
PID 1696 wrote to memory of 2036	1696	cmd.exe	39
PID 1696 wrote to memory of 2036	1696	cmd.exe	39
PID 1808 wrote to memory of 1392	1808	cmd.exe	42
PID 1808 wrote to memory of 1392	1808	cmd.exe	42
PID 1808 wrote to memory of 1392	1808	cmd.exe	42
PID 1808 wrote to memory of 1392	1808	cmd.exe	42
PID 1696 wrote to memory of 1968	1696	cmd.exe	40
PID 1696 wrote to memory of 1968	1696	cmd.exe	40
PID 1696 wrote to memory of 1968	1696	cmd.exe	40
PID 1696 wrote to memory of 1968	1696	cmd.exe	40
PID 1148 wrote to memory of 1264	1148	cmd.exe	41
PID 1148 wrote to memory of 1264	1148	cmd.exe	41
PID 1148 wrote to memory of 1264	1148	cmd.exe	41
PID 1148 wrote to memory of 1264	1148	cmd.exe	41
PID 2008 wrote to memory of 1596	2008	avscan.exe	43
PID 2008 wrote to memory of 1596	2008	avscan.exe	43
PID 2008 wrote to memory of 1596	2008	avscan.exe	43
PID 2008 wrote to memory of 1596	2008	avscan.exe	43
PID 1868 wrote to memory of 1628	1868	hosts.exe	45
PID 1868 wrote to memory of 1628	1868	hosts.exe	45
PID 1868 wrote to memory of 1628	1868	hosts.exe	45
PID 1868 wrote to memory of 1628	1868	hosts.exe	45
PID 2008 wrote to memory of 1620	2008	avscan.exe	47
PID 2008 wrote to memory of 1620	2008	avscan.exe	47
PID 2008 wrote to memory of 1620	2008	avscan.exe	47
PID 2008 wrote to memory of 1620	2008	avscan.exe	47

C:\Users\Admin\AppData\Local\Temp\84f9e3fe3e45d1ec2809a510ac1bd2a813cd3464bb9a8dee1857a5ff306b2828.exe
"C:\Users\Admin\AppData\Local\Temp\84f9e3fe3e45d1ec2809a510ac1bd2a813cd3464bb9a8dee1857a5ff306b2828.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:2000
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2028
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1148
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1516
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:1264
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1596
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1620
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:948
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1868
  - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1280
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\W_X_C.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1696
    - - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2036
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        5⤵
        Adds policy Run key to start application
        
        PID:1968
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1628
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1112
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:2016
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1060
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:1392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
501KB

MD5
48628f4ea64bc99e388b8fc3cdab92eb

SHA1
1feaf82705f4e3406fc0724f3bc4feff92f7a3f8

SHA256
dc2b467a1b626712243b2f35ded4f74a617ff4b76466237587d699328eca6d72

SHA512
05e87d2c103ba5bb407e2f9ee1c2a39a713d34fef802a2ed99ab55b5aac58845be4fe9ff2b868f7a828526992d1070bb2baf713a8a386a8365aadec3d78f0ece

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
728KB

MD5
ba4b619ac22bb8125fd3ec77e488ebc7

SHA1
3bb98dc6b68417b9a1df7432c157c91c9abc3628

SHA256
adb2c0c4b9e7917a9a26c24af94e5472e5bac9c678c33031570bc2cd0d820c14

SHA512
4e302d7311afead016c8bfcb8c3cd05b1aa1b9d067205c3432bd6d7fe350818aaa3a959fa05c574a1a5a2e2e140d9301a40041c015a8ce81c966d82f475704c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
954KB

MD5
ca2860ba4298376f5fa9d3db6ca94996

SHA1
82fc5147f2f93617dacd38612a04b72f7ff21196

SHA256
2b960c087d466265d03ec43e796ca2856e991379bfb0157d3fae2e516296ddf4

SHA512
6beb3b688346fa396acec5837421f26d9114deb0d45738cb5e0c6bd9d3e76b541d773c6dd379a51a3bfc19c0db8eb5dacb9f9db5512a060a3e63ae957b4584db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.2MB

MD5
f1acee9a677cfae2272743d9729580e9

SHA1
7d35c3e5f2b58e53a24f351b11ea99cbd3e2b187

SHA256
c4f498a83ef92196cb169cbbf8cb952ea844021b7548ca9d290c2bbb488a2ff6

SHA512
3877567f9b112a936992011510ff63cf27846ac4e7af4a3db39374e7d22c348a92d819bf2adf4fb5497b982a643e811c5204e0b0f0132bcd548e51bda89f1b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.4MB

MD5
94e2dc6f3075fc82a69bf66b3ad5a262

SHA1
38dc99bb45a018c18a13bc6fe4f8bdecdfe495cd

SHA256
3b8cbf253c9fb3029229675ebbe21378f5ef9de86af8f3e56fb0c408edfd0892

SHA512
7366b8c85cccdf69b6ec856692f7b09982642fa0923c655ba4192bd49eee066cf894690ef4fabc3be80701ba0baa86d940e56dda2bf068d1df140c63a54e8a64

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.6MB

MD5
0cb495a1eab6d38eb0f80a6d3890eba3

SHA1
0dd9e10a91cd2ec4c4f4ad1ae7263e1bb3916675

SHA256
4ff1f76fb0e032b45918a0c094303964863210b88ea034e2fccc01eb7e956834

SHA512
389c88cd98ed79c734200d9876230ab180e99a1812f905b688da4358b5c9ca33458b18bb088f3d1a6f744581e7ed1fc06491943b82fe97009ec806791a73f094

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.8MB

MD5
c6c6130dff31417c73d32b46fe4fc5c4

SHA1
8603a1a2949c87efc979c073c132c5e61504d5d2

SHA256
dd025b02d21db5809b0e48f72d9940673ae51a2f22d05e2da09f7d6a6c9167f8

SHA512
72db895d29bcad56003d7c7bd0dc9b5b5130b2aaa1b8328961eb1fec82cb8a99788e51850a2960d4bf3c07a790f13064086dcccb30486f53b198323d205ee422

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
226KB

MD5
2dd81db4c72b0ced0447bede9c25a8c5

SHA1
96606ca510ed8adad9a0d3ac0dfb401b688b9032

SHA256
bc32df8bf39c5bf2fc899692b47adc55600483ea0404ce7493625b83cff0c803

SHA512
060176df9e79028fdebc89a56d6e57d3da87cc55545dc18c178ea1b7cf78db59e789df5bedaa0dff546af72ff5ac0a8b981240d9eef9ccd2ad0d30eb4c0c1135

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
226KB

MD5
2dd81db4c72b0ced0447bede9c25a8c5

SHA1
96606ca510ed8adad9a0d3ac0dfb401b688b9032

SHA256
bc32df8bf39c5bf2fc899692b47adc55600483ea0404ce7493625b83cff0c803

SHA512
060176df9e79028fdebc89a56d6e57d3da87cc55545dc18c178ea1b7cf78db59e789df5bedaa0dff546af72ff5ac0a8b981240d9eef9ccd2ad0d30eb4c0c1135

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
226KB

MD5
2dd81db4c72b0ced0447bede9c25a8c5

SHA1
96606ca510ed8adad9a0d3ac0dfb401b688b9032

SHA256
bc32df8bf39c5bf2fc899692b47adc55600483ea0404ce7493625b83cff0c803

SHA512
060176df9e79028fdebc89a56d6e57d3da87cc55545dc18c178ea1b7cf78db59e789df5bedaa0dff546af72ff5ac0a8b981240d9eef9ccd2ad0d30eb4c0c1135

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
226KB

MD5
2dd81db4c72b0ced0447bede9c25a8c5

SHA1
96606ca510ed8adad9a0d3ac0dfb401b688b9032

SHA256
bc32df8bf39c5bf2fc899692b47adc55600483ea0404ce7493625b83cff0c803

SHA512
060176df9e79028fdebc89a56d6e57d3da87cc55545dc18c178ea1b7cf78db59e789df5bedaa0dff546af72ff5ac0a8b981240d9eef9ccd2ad0d30eb4c0c1135

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
6cb1a862c5d3015502be64b07c6b5ec7

SHA1
055b4b97bd55f4f0f47fd8c981fc216709e91936

SHA256
6ae3ae6c1d057e9376efd0711d9912dfddebd9f8a8b257cee104cba98195c48e

SHA512
5f8f0cdbbd70f06bc8783c0e762208a3c54daf0f2b064abd450116cb31963d0802bc59648e868d647031e0e321d151a20f1b71ccba613f6e1c0c7fbb7ee974ab

Download Submit
C:\Windows\hosts.exe

Filesize
226KB

MD5
47655374e96aa25c4a002091b2545a4f

SHA1
3e41c78deb2b02c10e37a570030324354a0773c2

SHA256
cc746a1d0ef8d488017a64388cbd71910578b6d6a3cc384aa66074d01a29d188

SHA512
5ec2d9e5b6ec5a0a089be18a703e476e06930bcfb7d9e9b39559e5ba629b84bc59b3f3668c88635835437acd77ebb3a54eefb0f714edbc23b3af9fcf34f4703e

Download Submit
C:\Windows\hosts.exe

Filesize
226KB

MD5
47655374e96aa25c4a002091b2545a4f

SHA1
3e41c78deb2b02c10e37a570030324354a0773c2

SHA256
cc746a1d0ef8d488017a64388cbd71910578b6d6a3cc384aa66074d01a29d188

SHA512
5ec2d9e5b6ec5a0a089be18a703e476e06930bcfb7d9e9b39559e5ba629b84bc59b3f3668c88635835437acd77ebb3a54eefb0f714edbc23b3af9fcf34f4703e

Download Submit
C:\Windows\hosts.exe

Filesize
226KB

MD5
47655374e96aa25c4a002091b2545a4f

SHA1
3e41c78deb2b02c10e37a570030324354a0773c2

SHA256
cc746a1d0ef8d488017a64388cbd71910578b6d6a3cc384aa66074d01a29d188

SHA512
5ec2d9e5b6ec5a0a089be18a703e476e06930bcfb7d9e9b39559e5ba629b84bc59b3f3668c88635835437acd77ebb3a54eefb0f714edbc23b3af9fcf34f4703e

Download Submit
C:\Windows\hosts.exe

Filesize
226KB

MD5
47655374e96aa25c4a002091b2545a4f

SHA1
3e41c78deb2b02c10e37a570030324354a0773c2

SHA256
cc746a1d0ef8d488017a64388cbd71910578b6d6a3cc384aa66074d01a29d188

SHA512
5ec2d9e5b6ec5a0a089be18a703e476e06930bcfb7d9e9b39559e5ba629b84bc59b3f3668c88635835437acd77ebb3a54eefb0f714edbc23b3af9fcf34f4703e

Download Submit
C:\windows\hosts.exe

Filesize
226KB

MD5
47655374e96aa25c4a002091b2545a4f

SHA1
3e41c78deb2b02c10e37a570030324354a0773c2

SHA256
cc746a1d0ef8d488017a64388cbd71910578b6d6a3cc384aa66074d01a29d188

SHA512
5ec2d9e5b6ec5a0a089be18a703e476e06930bcfb7d9e9b39559e5ba629b84bc59b3f3668c88635835437acd77ebb3a54eefb0f714edbc23b3af9fcf34f4703e

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
226KB

MD5
2dd81db4c72b0ced0447bede9c25a8c5

SHA1
96606ca510ed8adad9a0d3ac0dfb401b688b9032

SHA256
bc32df8bf39c5bf2fc899692b47adc55600483ea0404ce7493625b83cff0c803

SHA512
060176df9e79028fdebc89a56d6e57d3da87cc55545dc18c178ea1b7cf78db59e789df5bedaa0dff546af72ff5ac0a8b981240d9eef9ccd2ad0d30eb4c0c1135

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
226KB

MD5
2dd81db4c72b0ced0447bede9c25a8c5

SHA1
96606ca510ed8adad9a0d3ac0dfb401b688b9032

SHA256
bc32df8bf39c5bf2fc899692b47adc55600483ea0404ce7493625b83cff0c803

SHA512
060176df9e79028fdebc89a56d6e57d3da87cc55545dc18c178ea1b7cf78db59e789df5bedaa0dff546af72ff5ac0a8b981240d9eef9ccd2ad0d30eb4c0c1135

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
226KB

MD5
2dd81db4c72b0ced0447bede9c25a8c5

SHA1
96606ca510ed8adad9a0d3ac0dfb401b688b9032

SHA256
bc32df8bf39c5bf2fc899692b47adc55600483ea0404ce7493625b83cff0c803

SHA512
060176df9e79028fdebc89a56d6e57d3da87cc55545dc18c178ea1b7cf78db59e789df5bedaa0dff546af72ff5ac0a8b981240d9eef9ccd2ad0d30eb4c0c1135

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
226KB

MD5
2dd81db4c72b0ced0447bede9c25a8c5

SHA1
96606ca510ed8adad9a0d3ac0dfb401b688b9032

SHA256
bc32df8bf39c5bf2fc899692b47adc55600483ea0404ce7493625b83cff0c803

SHA512
060176df9e79028fdebc89a56d6e57d3da87cc55545dc18c178ea1b7cf78db59e789df5bedaa0dff546af72ff5ac0a8b981240d9eef9ccd2ad0d30eb4c0c1135

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
226KB

MD5
2dd81db4c72b0ced0447bede9c25a8c5

SHA1
96606ca510ed8adad9a0d3ac0dfb401b688b9032

SHA256
bc32df8bf39c5bf2fc899692b47adc55600483ea0404ce7493625b83cff0c803

SHA512
060176df9e79028fdebc89a56d6e57d3da87cc55545dc18c178ea1b7cf78db59e789df5bedaa0dff546af72ff5ac0a8b981240d9eef9ccd2ad0d30eb4c0c1135

Download Submit
memory/1976-58-0x0000000074CB1000-0x0000000074CB3000-memory.dmp

Filesize
8KB

Download
memory/1976-56-0x00000000762B1000-0x00000000762B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads