9a25c7125083aa08700889082a1d830344e4bbc6a441b22600d4d40ca507da87

Analysis

max time kernel
138s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a25c7125083aa08700889082a1d830344e4bbc6a441b22600d4d40ca507da87.exe
Size

775KB
MD5

6181dcc0e984b0d0ac6d3bdbe7de5678
SHA1

c1c3e8c738f274ed483322f42c55ab3ba41e99b5
SHA256

9a25c7125083aa08700889082a1d830344e4bbc6a441b22600d4d40ca507da87
SHA512

24310cad7b1e6aa4558e87ae4383d90e8522457819be04a72bb7bfb5af13258af360e2b9f086db13609ba5501bde788146ec1a1b0879bcf2bb3b99b8157dfe5e
SSDEEP

12288:g72bnuwsO0ADREQ772bnuwsO0ADREQTkTQyH:g72zp9EE72zp9E1QK

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	9a25c7125083aa08700889082a1d830344e4bbc6a441b22600d4d40ca507da87.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	9a25c7125083aa08700889082a1d830344e4bbc6a441b22600d4d40ca507da87.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GRXNNIIE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GRXNNIIE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GRXNNIIE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
1452	avscan.exe
1756	avscan.exe
1896	hosts.exe
1324	hosts.exe
576	avscan.exe
1316	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
1160	9a25c7125083aa08700889082a1d830344e4bbc6a441b22600d4d40ca507da87.exe
1160	9a25c7125083aa08700889082a1d830344e4bbc6a441b22600d4d40ca507da87.exe
1452	avscan.exe
1324	hosts.exe
1324	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	9a25c7125083aa08700889082a1d830344e4bbc6a441b22600d4d40ca507da87.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	9a25c7125083aa08700889082a1d830344e4bbc6a441b22600d4d40ca507da87.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\W_X_C.vbs	9a25c7125083aa08700889082a1d830344e4bbc6a441b22600d4d40ca507da87.exe
File created	\??\c:\windows\W_X_C.bat	9a25c7125083aa08700889082a1d830344e4bbc6a441b22600d4d40ca507da87.exe
File opened for modification	C:\Windows\hosts.exe	9a25c7125083aa08700889082a1d830344e4bbc6a441b22600d4d40ca507da87.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
1136	REG.exe
1572	REG.exe
1244	REG.exe
2028	REG.exe
872	REG.exe
1456	REG.exe
1956	REG.exe
912	REG.exe
1608	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1452	avscan.exe
1324	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1160	9a25c7125083aa08700889082a1d830344e4bbc6a441b22600d4d40ca507da87.exe
1452	avscan.exe
1756	avscan.exe
1896	hosts.exe
1324	hosts.exe
576	avscan.exe
1316	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 1456	1160	9a25c7125083aa08700889082a1d830344e4bbc6a441b22600d4d40ca507da87.exe	28
PID 1160 wrote to memory of 1456	1160	9a25c7125083aa08700889082a1d830344e4bbc6a441b22600d4d40ca507da87.exe	28
PID 1160 wrote to memory of 1456	1160	9a25c7125083aa08700889082a1d830344e4bbc6a441b22600d4d40ca507da87.exe	28
PID 1160 wrote to memory of 1456	1160	9a25c7125083aa08700889082a1d830344e4bbc6a441b22600d4d40ca507da87.exe	28
PID 1160 wrote to memory of 1452	1160	9a25c7125083aa08700889082a1d830344e4bbc6a441b22600d4d40ca507da87.exe	30
PID 1160 wrote to memory of 1452	1160	9a25c7125083aa08700889082a1d830344e4bbc6a441b22600d4d40ca507da87.exe	30
PID 1160 wrote to memory of 1452	1160	9a25c7125083aa08700889082a1d830344e4bbc6a441b22600d4d40ca507da87.exe	30
PID 1160 wrote to memory of 1452	1160	9a25c7125083aa08700889082a1d830344e4bbc6a441b22600d4d40ca507da87.exe	30
PID 1452 wrote to memory of 1756	1452	avscan.exe	31
PID 1452 wrote to memory of 1756	1452	avscan.exe	31
PID 1452 wrote to memory of 1756	1452	avscan.exe	31
PID 1452 wrote to memory of 1756	1452	avscan.exe	31
PID 1452 wrote to memory of 1224	1452	avscan.exe	32
PID 1452 wrote to memory of 1224	1452	avscan.exe	32
PID 1452 wrote to memory of 1224	1452	avscan.exe	32
PID 1452 wrote to memory of 1224	1452	avscan.exe	32
PID 1160 wrote to memory of 528	1160	9a25c7125083aa08700889082a1d830344e4bbc6a441b22600d4d40ca507da87.exe	35
PID 1160 wrote to memory of 528	1160	9a25c7125083aa08700889082a1d830344e4bbc6a441b22600d4d40ca507da87.exe	35
PID 1160 wrote to memory of 528	1160	9a25c7125083aa08700889082a1d830344e4bbc6a441b22600d4d40ca507da87.exe	35
PID 1160 wrote to memory of 528	1160	9a25c7125083aa08700889082a1d830344e4bbc6a441b22600d4d40ca507da87.exe	35
PID 1224 wrote to memory of 1896	1224	cmd.exe	36
PID 1224 wrote to memory of 1896	1224	cmd.exe	36
PID 1224 wrote to memory of 1896	1224	cmd.exe	36
PID 1224 wrote to memory of 1896	1224	cmd.exe	36
PID 528 wrote to memory of 1324	528	cmd.exe	37
PID 528 wrote to memory of 1324	528	cmd.exe	37
PID 528 wrote to memory of 1324	528	cmd.exe	37
PID 528 wrote to memory of 1324	528	cmd.exe	37
PID 1324 wrote to memory of 576	1324	hosts.exe	38
PID 1324 wrote to memory of 576	1324	hosts.exe	38
PID 1324 wrote to memory of 576	1324	hosts.exe	38
PID 1324 wrote to memory of 576	1324	hosts.exe	38
PID 1324 wrote to memory of 1584	1324	hosts.exe	41
PID 1324 wrote to memory of 1584	1324	hosts.exe	41
PID 1324 wrote to memory of 1584	1324	hosts.exe	41
PID 1324 wrote to memory of 1584	1324	hosts.exe	41
PID 1224 wrote to memory of 596	1224	cmd.exe	40
PID 1224 wrote to memory of 596	1224	cmd.exe	40
PID 1224 wrote to memory of 596	1224	cmd.exe	40
PID 1224 wrote to memory of 596	1224	cmd.exe	40
PID 528 wrote to memory of 1960	528	cmd.exe	39
PID 528 wrote to memory of 1960	528	cmd.exe	39
PID 528 wrote to memory of 1960	528	cmd.exe	39
PID 528 wrote to memory of 1960	528	cmd.exe	39
PID 1584 wrote to memory of 1316	1584	cmd.exe	43
PID 1584 wrote to memory of 1316	1584	cmd.exe	43
PID 1584 wrote to memory of 1316	1584	cmd.exe	43
PID 1584 wrote to memory of 1316	1584	cmd.exe	43
PID 1584 wrote to memory of 1844	1584	cmd.exe	44
PID 1584 wrote to memory of 1844	1584	cmd.exe	44
PID 1584 wrote to memory of 1844	1584	cmd.exe	44
PID 1584 wrote to memory of 1844	1584	cmd.exe	44
PID 1452 wrote to memory of 1136	1452	avscan.exe	45
PID 1452 wrote to memory of 1136	1452	avscan.exe	45
PID 1452 wrote to memory of 1136	1452	avscan.exe	45
PID 1452 wrote to memory of 1136	1452	avscan.exe	45
PID 1324 wrote to memory of 1956	1324	hosts.exe	47
PID 1324 wrote to memory of 1956	1324	hosts.exe	47
PID 1324 wrote to memory of 1956	1324	hosts.exe	47
PID 1324 wrote to memory of 1956	1324	hosts.exe	47
PID 1452 wrote to memory of 1572	1452	avscan.exe	49
PID 1452 wrote to memory of 1572	1452	avscan.exe	49
PID 1452 wrote to memory of 1572	1452	avscan.exe	49
PID 1452 wrote to memory of 1572	1452	avscan.exe	49

C:\Users\Admin\AppData\Local\Temp\9a25c7125083aa08700889082a1d830344e4bbc6a441b22600d4d40ca507da87.exe
"C:\Users\Admin\AppData\Local\Temp\9a25c7125083aa08700889082a1d830344e4bbc6a441b22600d4d40ca507da87.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:1456
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1756
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1896
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:596
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1136
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1572
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:2028
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:528
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1324
  - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:576
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\W_X_C.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1584
    - - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1316
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        5⤵
        Adds policy Run key to start application
        
        PID:1844
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1956
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1244
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:912
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:872
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:1960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.3MB

MD5
0b46d1a9e989bc8d39f5ee2e77010a73

SHA1
7dfe08012e9461448bf9a9e490a7071bf7921f10

SHA256
03d21d65efb5379fb6fe7e4b920124e346ecebded557cbe5b82b935fcfea90b6

SHA512
31f54be6e342f9063c547f830c102da74a11f9e7186695184d9aac9821544f802f8258f06fadb580326c47fe5894c5cd5e5233127453df3080561321fe303ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.3MB

MD5
0b46d1a9e989bc8d39f5ee2e77010a73

SHA1
7dfe08012e9461448bf9a9e490a7071bf7921f10

SHA256
03d21d65efb5379fb6fe7e4b920124e346ecebded557cbe5b82b935fcfea90b6

SHA512
31f54be6e342f9063c547f830c102da74a11f9e7186695184d9aac9821544f802f8258f06fadb580326c47fe5894c5cd5e5233127453df3080561321fe303ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
3.1MB

MD5
54d2ed1284cc71993130cf904ccf4a21

SHA1
4e7f6fdfffc49a11bc64191af1299dc856c542c5

SHA256
a9cbaa73c8095794b3455cbd286d0b759121f8ca50d6621ce1dd60cbb618a13c

SHA512
ac8f8af36048607e3ad5933eb19a8f142eb58c1190078ff8e8ae91ff47ea8b89833be2e24dbcc5d892c6a71640f988ac8e3e7e9dd760f95e31990157c2955aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
3.1MB

MD5
54d2ed1284cc71993130cf904ccf4a21

SHA1
4e7f6fdfffc49a11bc64191af1299dc856c542c5

SHA256
a9cbaa73c8095794b3455cbd286d0b759121f8ca50d6621ce1dd60cbb618a13c

SHA512
ac8f8af36048607e3ad5933eb19a8f142eb58c1190078ff8e8ae91ff47ea8b89833be2e24dbcc5d892c6a71640f988ac8e3e7e9dd760f95e31990157c2955aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
4.6MB

MD5
3f0ecb899aacb2e409b71d4cee7b57d7

SHA1
1b1d1cae637fc8b5b98712a4215f652f49e2b020

SHA256
a37dcaf04df79cbfb6d399e6565a217c2767555779fbebb74e506ac0e2863fc8

SHA512
1d2697ae17a85fec26e640e800791aee1af3a359634b309bf6ce14e3143c8e35f17540ec5ac2b43b4745a75e87a872027548f021642625c9d60db2873d3bf39c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
5.3MB

MD5
c598f09245afcade988f67fe06f3e736

SHA1
25903c5398e8b1cf4751bbee8d9eb91bdc013765

SHA256
2c9f604ccb22244476af8b67ec0733803586749b235499d5ca19110a870e543e

SHA512
6edd3b1c68d4bedfb9f77f9abc3938c24f1a0ac1f16fc0a712589fa4f00d9a6ebc815f041ccfbe558a5b9bea27756ff6d5fc6e88a153f9fbe2c893faf4251861

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
775KB

MD5
21b74738249b1d88201206001a3014c1

SHA1
feda60aac0cb2238b27b9166c18a7e142e3719b4

SHA256
7350fed65e307cdd5e72696d228cdf9bee582315d6285aa11e5d76bab6fba4a2

SHA512
8909b89bbfd1a4b14f7c7d5848d7f1e3cf7103bfebc63cf82c0b33821070ea47523dfa269136b4d35bb28d916f9292ff00822e0bd9581e0e2563cba0b426757c

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
775KB

MD5
21b74738249b1d88201206001a3014c1

SHA1
feda60aac0cb2238b27b9166c18a7e142e3719b4

SHA256
7350fed65e307cdd5e72696d228cdf9bee582315d6285aa11e5d76bab6fba4a2

SHA512
8909b89bbfd1a4b14f7c7d5848d7f1e3cf7103bfebc63cf82c0b33821070ea47523dfa269136b4d35bb28d916f9292ff00822e0bd9581e0e2563cba0b426757c

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
775KB

MD5
21b74738249b1d88201206001a3014c1

SHA1
feda60aac0cb2238b27b9166c18a7e142e3719b4

SHA256
7350fed65e307cdd5e72696d228cdf9bee582315d6285aa11e5d76bab6fba4a2

SHA512
8909b89bbfd1a4b14f7c7d5848d7f1e3cf7103bfebc63cf82c0b33821070ea47523dfa269136b4d35bb28d916f9292ff00822e0bd9581e0e2563cba0b426757c

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
775KB

MD5
21b74738249b1d88201206001a3014c1

SHA1
feda60aac0cb2238b27b9166c18a7e142e3719b4

SHA256
7350fed65e307cdd5e72696d228cdf9bee582315d6285aa11e5d76bab6fba4a2

SHA512
8909b89bbfd1a4b14f7c7d5848d7f1e3cf7103bfebc63cf82c0b33821070ea47523dfa269136b4d35bb28d916f9292ff00822e0bd9581e0e2563cba0b426757c

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
9eb0c6074d8e54f7da6508b5f6809e78

SHA1
61f003a28c45377e9fc641a0dd1382e6931c11f0

SHA256
df6f01f8c7c5ad4b1e66d19309ad60f0189bc607d7a07c184d9d94abd29c3ee8

SHA512
f6db15038cf4312647c59574cf2352c132c36cd060293977427b719066e5519838c6fed059d3a1d4e3277b575d9132d29d150c45cebd8a3852e705f3297f6d08

Download Submit
C:\Windows\hosts.exe

Filesize
775KB

MD5
1af7973ef315dd1d25e24d75e761b731

SHA1
3daa2a157220ae8e2a56c27be1ac4b61a902fda8

SHA256
3ba4e431462583e9345ed2733fd41a30d973a71f7d35ee50a548b16c5fa74488

SHA512
80fa74146ea86066a0b13dc4e6a8269ff0a4dca548a85593ece5ac80567d70cceb43e40ac296fcfc9790c4891e030515aededfd8fd08b3762c494c3296f808c8

Download Submit
C:\Windows\hosts.exe

Filesize
775KB

MD5
1af7973ef315dd1d25e24d75e761b731

SHA1
3daa2a157220ae8e2a56c27be1ac4b61a902fda8

SHA256
3ba4e431462583e9345ed2733fd41a30d973a71f7d35ee50a548b16c5fa74488

SHA512
80fa74146ea86066a0b13dc4e6a8269ff0a4dca548a85593ece5ac80567d70cceb43e40ac296fcfc9790c4891e030515aededfd8fd08b3762c494c3296f808c8

Download Submit
C:\Windows\hosts.exe

Filesize
775KB

MD5
1af7973ef315dd1d25e24d75e761b731

SHA1
3daa2a157220ae8e2a56c27be1ac4b61a902fda8

SHA256
3ba4e431462583e9345ed2733fd41a30d973a71f7d35ee50a548b16c5fa74488

SHA512
80fa74146ea86066a0b13dc4e6a8269ff0a4dca548a85593ece5ac80567d70cceb43e40ac296fcfc9790c4891e030515aededfd8fd08b3762c494c3296f808c8

Download Submit
C:\Windows\hosts.exe

Filesize
775KB

MD5
1af7973ef315dd1d25e24d75e761b731

SHA1
3daa2a157220ae8e2a56c27be1ac4b61a902fda8

SHA256
3ba4e431462583e9345ed2733fd41a30d973a71f7d35ee50a548b16c5fa74488

SHA512
80fa74146ea86066a0b13dc4e6a8269ff0a4dca548a85593ece5ac80567d70cceb43e40ac296fcfc9790c4891e030515aededfd8fd08b3762c494c3296f808c8

Download Submit
C:\windows\hosts.exe

Filesize
775KB

MD5
1af7973ef315dd1d25e24d75e761b731

SHA1
3daa2a157220ae8e2a56c27be1ac4b61a902fda8

SHA256
3ba4e431462583e9345ed2733fd41a30d973a71f7d35ee50a548b16c5fa74488

SHA512
80fa74146ea86066a0b13dc4e6a8269ff0a4dca548a85593ece5ac80567d70cceb43e40ac296fcfc9790c4891e030515aededfd8fd08b3762c494c3296f808c8

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
775KB

MD5
21b74738249b1d88201206001a3014c1

SHA1
feda60aac0cb2238b27b9166c18a7e142e3719b4

SHA256
7350fed65e307cdd5e72696d228cdf9bee582315d6285aa11e5d76bab6fba4a2

SHA512
8909b89bbfd1a4b14f7c7d5848d7f1e3cf7103bfebc63cf82c0b33821070ea47523dfa269136b4d35bb28d916f9292ff00822e0bd9581e0e2563cba0b426757c

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
775KB

MD5
21b74738249b1d88201206001a3014c1

SHA1
feda60aac0cb2238b27b9166c18a7e142e3719b4

SHA256
7350fed65e307cdd5e72696d228cdf9bee582315d6285aa11e5d76bab6fba4a2

SHA512
8909b89bbfd1a4b14f7c7d5848d7f1e3cf7103bfebc63cf82c0b33821070ea47523dfa269136b4d35bb28d916f9292ff00822e0bd9581e0e2563cba0b426757c

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
775KB

MD5
21b74738249b1d88201206001a3014c1

SHA1
feda60aac0cb2238b27b9166c18a7e142e3719b4

SHA256
7350fed65e307cdd5e72696d228cdf9bee582315d6285aa11e5d76bab6fba4a2

SHA512
8909b89bbfd1a4b14f7c7d5848d7f1e3cf7103bfebc63cf82c0b33821070ea47523dfa269136b4d35bb28d916f9292ff00822e0bd9581e0e2563cba0b426757c

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
775KB

MD5
21b74738249b1d88201206001a3014c1

SHA1
feda60aac0cb2238b27b9166c18a7e142e3719b4

SHA256
7350fed65e307cdd5e72696d228cdf9bee582315d6285aa11e5d76bab6fba4a2

SHA512
8909b89bbfd1a4b14f7c7d5848d7f1e3cf7103bfebc63cf82c0b33821070ea47523dfa269136b4d35bb28d916f9292ff00822e0bd9581e0e2563cba0b426757c

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
775KB

MD5
21b74738249b1d88201206001a3014c1

SHA1
feda60aac0cb2238b27b9166c18a7e142e3719b4

SHA256
7350fed65e307cdd5e72696d228cdf9bee582315d6285aa11e5d76bab6fba4a2

SHA512
8909b89bbfd1a4b14f7c7d5848d7f1e3cf7103bfebc63cf82c0b33821070ea47523dfa269136b4d35bb28d916f9292ff00822e0bd9581e0e2563cba0b426757c

Download Submit
memory/1160-58-0x0000000074641000-0x0000000074643000-memory.dmp

Filesize
8KB

Download
memory/1160-56-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads