95e0f954181b38f6e76961d68125ee36e391075da4880d83699b261c68101ddd

Analysis

max time kernel
160s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95e0f954181b38f6e76961d68125ee36e391075da4880d83699b261c68101ddd.exe
Size

440KB
MD5

f0e8813f4e340eb2a86706269be3bf69
SHA1

619704feaf9390ae81abdb1f06addeecd0c7d6d9
SHA256

95e0f954181b38f6e76961d68125ee36e391075da4880d83699b261c68101ddd
SHA512

c5dfc54bd86b47147958839c5893fa15c0dfce222da29c8c6aa51c371480158af4b7f44097cd01eb6a2f1ceca355611c8a19fbe7fcd1bcd30396de6f898592cd
SSDEEP

6144:gDCwfG1bnxHXu+K+wDCwfG1bnxHXu+K+SLtDg5XHeYDmR:g72bng+K+w72bng+K+AoH6R

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	95e0f954181b38f6e76961d68125ee36e391075da4880d83699b261c68101ddd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	95e0f954181b38f6e76961d68125ee36e391075da4880d83699b261c68101ddd.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GRXNNIIE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GRXNNIIE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GRXNNIIE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
2008	avscan.exe
1976	avscan.exe
1276	hosts.exe
1824	hosts.exe
1220	avscan.exe
976	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
1900	95e0f954181b38f6e76961d68125ee36e391075da4880d83699b261c68101ddd.exe
1900	95e0f954181b38f6e76961d68125ee36e391075da4880d83699b261c68101ddd.exe
2008	avscan.exe
1276	hosts.exe
1276	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	95e0f954181b38f6e76961d68125ee36e391075da4880d83699b261c68101ddd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	95e0f954181b38f6e76961d68125ee36e391075da4880d83699b261c68101ddd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	95e0f954181b38f6e76961d68125ee36e391075da4880d83699b261c68101ddd.exe
File created	\??\c:\windows\W_X_C.bat	95e0f954181b38f6e76961d68125ee36e391075da4880d83699b261c68101ddd.exe
File opened for modification	C:\Windows\hosts.exe	95e0f954181b38f6e76961d68125ee36e391075da4880d83699b261c68101ddd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
1104	REG.exe
1208	REG.exe
908	REG.exe
1896	REG.exe
1080	REG.exe
1976	REG.exe
1928	REG.exe
1900	REG.exe
588	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2008	avscan.exe
1276	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1900	95e0f954181b38f6e76961d68125ee36e391075da4880d83699b261c68101ddd.exe
2008	avscan.exe
1976	avscan.exe
1276	hosts.exe
1824	hosts.exe
1220	avscan.exe
976	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 1104	1900	95e0f954181b38f6e76961d68125ee36e391075da4880d83699b261c68101ddd.exe	27
PID 1900 wrote to memory of 1104	1900	95e0f954181b38f6e76961d68125ee36e391075da4880d83699b261c68101ddd.exe	27
PID 1900 wrote to memory of 1104	1900	95e0f954181b38f6e76961d68125ee36e391075da4880d83699b261c68101ddd.exe	27
PID 1900 wrote to memory of 1104	1900	95e0f954181b38f6e76961d68125ee36e391075da4880d83699b261c68101ddd.exe	27
PID 1900 wrote to memory of 2008	1900	95e0f954181b38f6e76961d68125ee36e391075da4880d83699b261c68101ddd.exe	29
PID 1900 wrote to memory of 2008	1900	95e0f954181b38f6e76961d68125ee36e391075da4880d83699b261c68101ddd.exe	29
PID 1900 wrote to memory of 2008	1900	95e0f954181b38f6e76961d68125ee36e391075da4880d83699b261c68101ddd.exe	29
PID 1900 wrote to memory of 2008	1900	95e0f954181b38f6e76961d68125ee36e391075da4880d83699b261c68101ddd.exe	29
PID 2008 wrote to memory of 1976	2008	avscan.exe	30
PID 2008 wrote to memory of 1976	2008	avscan.exe	30
PID 2008 wrote to memory of 1976	2008	avscan.exe	30
PID 2008 wrote to memory of 1976	2008	avscan.exe	30
PID 2008 wrote to memory of 1720	2008	avscan.exe	31
PID 2008 wrote to memory of 1720	2008	avscan.exe	31
PID 2008 wrote to memory of 1720	2008	avscan.exe	31
PID 2008 wrote to memory of 1720	2008	avscan.exe	31
PID 1900 wrote to memory of 1776	1900	95e0f954181b38f6e76961d68125ee36e391075da4880d83699b261c68101ddd.exe	33
PID 1900 wrote to memory of 1776	1900	95e0f954181b38f6e76961d68125ee36e391075da4880d83699b261c68101ddd.exe	33
PID 1900 wrote to memory of 1776	1900	95e0f954181b38f6e76961d68125ee36e391075da4880d83699b261c68101ddd.exe	33
PID 1900 wrote to memory of 1776	1900	95e0f954181b38f6e76961d68125ee36e391075da4880d83699b261c68101ddd.exe	33
PID 1720 wrote to memory of 1276	1720	cmd.exe	35
PID 1720 wrote to memory of 1276	1720	cmd.exe	35
PID 1720 wrote to memory of 1276	1720	cmd.exe	35
PID 1720 wrote to memory of 1276	1720	cmd.exe	35
PID 1776 wrote to memory of 1824	1776	cmd.exe	37
PID 1776 wrote to memory of 1824	1776	cmd.exe	37
PID 1776 wrote to memory of 1824	1776	cmd.exe	37
PID 1776 wrote to memory of 1824	1776	cmd.exe	37
PID 1276 wrote to memory of 1220	1276	hosts.exe	36
PID 1276 wrote to memory of 1220	1276	hosts.exe	36
PID 1276 wrote to memory of 1220	1276	hosts.exe	36
PID 1276 wrote to memory of 1220	1276	hosts.exe	36
PID 1720 wrote to memory of 1528	1720	cmd.exe	40
PID 1720 wrote to memory of 1528	1720	cmd.exe	40
PID 1720 wrote to memory of 1528	1720	cmd.exe	40
PID 1720 wrote to memory of 1528	1720	cmd.exe	40
PID 1276 wrote to memory of 1660	1276	hosts.exe	39
PID 1276 wrote to memory of 1660	1276	hosts.exe	39
PID 1276 wrote to memory of 1660	1276	hosts.exe	39
PID 1276 wrote to memory of 1660	1276	hosts.exe	39
PID 1776 wrote to memory of 1768	1776	cmd.exe	38
PID 1776 wrote to memory of 1768	1776	cmd.exe	38
PID 1776 wrote to memory of 1768	1776	cmd.exe	38
PID 1776 wrote to memory of 1768	1776	cmd.exe	38
PID 1660 wrote to memory of 976	1660	cmd.exe	42
PID 1660 wrote to memory of 976	1660	cmd.exe	42
PID 1660 wrote to memory of 976	1660	cmd.exe	42
PID 1660 wrote to memory of 976	1660	cmd.exe	42
PID 1660 wrote to memory of 1640	1660	cmd.exe	43
PID 1660 wrote to memory of 1640	1660	cmd.exe	43
PID 1660 wrote to memory of 1640	1660	cmd.exe	43
PID 1660 wrote to memory of 1640	1660	cmd.exe	43
PID 1276 wrote to memory of 1208	1276	hosts.exe	44
PID 1276 wrote to memory of 1208	1276	hosts.exe	44
PID 1276 wrote to memory of 1208	1276	hosts.exe	44
PID 1276 wrote to memory of 1208	1276	hosts.exe	44
PID 2008 wrote to memory of 908	2008	avscan.exe	45
PID 2008 wrote to memory of 908	2008	avscan.exe	45
PID 2008 wrote to memory of 908	2008	avscan.exe	45
PID 2008 wrote to memory of 908	2008	avscan.exe	45
PID 1276 wrote to memory of 1896	1276	hosts.exe	49
PID 1276 wrote to memory of 1896	1276	hosts.exe	49
PID 1276 wrote to memory of 1896	1276	hosts.exe	49
PID 1276 wrote to memory of 1896	1276	hosts.exe	49

C:\Users\Admin\AppData\Local\Temp\95e0f954181b38f6e76961d68125ee36e391075da4880d83699b261c68101ddd.exe
"C:\Users\Admin\AppData\Local\Temp\95e0f954181b38f6e76961d68125ee36e391075da4880d83699b261c68101ddd.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:1104
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1976
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1720
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1276
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1220
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\W_X_C.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1660
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:976
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:1640
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1208
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1896
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1080
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:588
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:1528
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:908
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1928
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1976
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1824
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:1768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
929KB

MD5
e62facab325a591bd91efa44bcd1d19b

SHA1
bd185230eb01223433b88ed88149949dbd9a0474

SHA256
1b731e0a50c76ed25a894d24fb096adeab05f1b54cd477af7cd1bb914b8e078c

SHA512
23fb77c0bbde18284d082a451493787b87c93b83fdd353b13eec6bb277042ef22a3ee071757d7035f15ca6f457dbc1c89022c58c818454d1ed74a30abade2738

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.8MB

MD5
8e78a30355c293adea49062a792dab33

SHA1
22d5bfc6481bb67afb81be7786cea6b1f05640e0

SHA256
5b17271512508d0a25bacb0d12b0cc919deec738f241365cfbfadbc9d3c78d72

SHA512
4744782f6dd80aa82a0b131da9b4bde49b9e9a2b076b3b714505475bc91c232ac0008ce3afe751d9b06536e2643f10e468f9f556cb43b84a1e8041218596d47b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.8MB

MD5
377cc383deeacd973d3494d794fb5520

SHA1
fb21b51fbdd435422f2a2811a751b86ffdc29edd

SHA256
c37eb0a8f0b20b10728eb337e62fa548aa85bca2b91010fcf7904fa3526c5caa

SHA512
679a8d1c6fa7d0dac4795d5539d4ccbcf869a63fdedd09986e718549e9c62fcff3b8ba8fb46ee3c28d6ffa32581d5b7afb92b69b6ee9c39724016057f8d0a4bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.2MB

MD5
482ee1142fd7e45882775557d6e61f42

SHA1
1ca5af5f736ae03be3d9f77a0e9eb73db0a49373

SHA256
860f2d8bf7c1c29e78b21b9417390789a9b6d2494da8653b8faf5affbbc39470

SHA512
a6f8b6b4dc96fff2213cc5095f68af91046161eb9cbb5f0f4fe646c9c325ffaece1f3da2f8f7368b69d49de0c7d4db7d64936a99732cd76cc1476e74db343baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.6MB

MD5
0eddd9f01e19f99368e3a1d77a7dea96

SHA1
870f07687e823d42453a61cb1c904fd696cd503d

SHA256
0ee51f6c7666293643c755e0eebaf2f747613b151d71ac8143c21976da7229ce

SHA512
804d922aaa383d1065f5597ab734e025d346434e1d613049efaadb8a762931585992da2ffc09222eb92f6f01c035b52358fb26ade872c534e3d18e7fd30bbc53

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.6MB

MD5
ccca83b8ec56faac51c0eae68080f7ff

SHA1
75d483a498182a3d4b4ea6a19401b962a58af760

SHA256
198c5bf41e6ee9284f1b56ebc187284d740c035fce567545bf64de6d4454130c

SHA512
49cae38a16a9e68aa8b0ba92e3d4942fcf8ad38ad6a2e37212206fa819193cce3addca152c09f02168147cfc65c6a3f4079ba3eac3b14b6c3a7935170a9c8514

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
440KB

MD5
6a7f1a50f4341334f3892dcd8746b34b

SHA1
578217dab0d32f81d3b79393271c8f1eda60b60d

SHA256
b7ad18bced7d020d255675e6fcb0bf4cbd17a47b41198fe953194d80622e7ac8

SHA512
a0db6813b6e62cda2c05785bed25a3eb962040f0b59c0793c854fc8062c1b3bbb034308eb8a306fbcccd8fea3d7791c6d6094ba2aa42bf85b91fed63ed63cab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
440KB

MD5
6a7f1a50f4341334f3892dcd8746b34b

SHA1
578217dab0d32f81d3b79393271c8f1eda60b60d

SHA256
b7ad18bced7d020d255675e6fcb0bf4cbd17a47b41198fe953194d80622e7ac8

SHA512
a0db6813b6e62cda2c05785bed25a3eb962040f0b59c0793c854fc8062c1b3bbb034308eb8a306fbcccd8fea3d7791c6d6094ba2aa42bf85b91fed63ed63cab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
440KB

MD5
6a7f1a50f4341334f3892dcd8746b34b

SHA1
578217dab0d32f81d3b79393271c8f1eda60b60d

SHA256
b7ad18bced7d020d255675e6fcb0bf4cbd17a47b41198fe953194d80622e7ac8

SHA512
a0db6813b6e62cda2c05785bed25a3eb962040f0b59c0793c854fc8062c1b3bbb034308eb8a306fbcccd8fea3d7791c6d6094ba2aa42bf85b91fed63ed63cab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
440KB

MD5
6a7f1a50f4341334f3892dcd8746b34b

SHA1
578217dab0d32f81d3b79393271c8f1eda60b60d

SHA256
b7ad18bced7d020d255675e6fcb0bf4cbd17a47b41198fe953194d80622e7ac8

SHA512
a0db6813b6e62cda2c05785bed25a3eb962040f0b59c0793c854fc8062c1b3bbb034308eb8a306fbcccd8fea3d7791c6d6094ba2aa42bf85b91fed63ed63cab2

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
9eb0c6074d8e54f7da6508b5f6809e78

SHA1
61f003a28c45377e9fc641a0dd1382e6931c11f0

SHA256
df6f01f8c7c5ad4b1e66d19309ad60f0189bc607d7a07c184d9d94abd29c3ee8

SHA512
f6db15038cf4312647c59574cf2352c132c36cd060293977427b719066e5519838c6fed059d3a1d4e3277b575d9132d29d150c45cebd8a3852e705f3297f6d08

Download Submit
C:\Windows\hosts.exe

Filesize
440KB

MD5
37f2f391bdf3ce71094a3c74b7223396

SHA1
6671ffff7f59b855487970dd235c4864455cc9b3

SHA256
941e92b652bab766492a2edd14094e723d3ccd5bf631e1996750557f02fee416

SHA512
97d5bebadae40bfa78d3699cc173be38151e66128e463af45fe7c03ebe960b787e2fe389e4aec2d3f92b8aad96ceb46160414e6bc0ef3b4c0a119bfbcbdfe19c

Download Submit
C:\Windows\hosts.exe

Filesize
440KB

MD5
37f2f391bdf3ce71094a3c74b7223396

SHA1
6671ffff7f59b855487970dd235c4864455cc9b3

SHA256
941e92b652bab766492a2edd14094e723d3ccd5bf631e1996750557f02fee416

SHA512
97d5bebadae40bfa78d3699cc173be38151e66128e463af45fe7c03ebe960b787e2fe389e4aec2d3f92b8aad96ceb46160414e6bc0ef3b4c0a119bfbcbdfe19c

Download Submit
C:\Windows\hosts.exe

Filesize
440KB

MD5
37f2f391bdf3ce71094a3c74b7223396

SHA1
6671ffff7f59b855487970dd235c4864455cc9b3

SHA256
941e92b652bab766492a2edd14094e723d3ccd5bf631e1996750557f02fee416

SHA512
97d5bebadae40bfa78d3699cc173be38151e66128e463af45fe7c03ebe960b787e2fe389e4aec2d3f92b8aad96ceb46160414e6bc0ef3b4c0a119bfbcbdfe19c

Download Submit
C:\Windows\hosts.exe

Filesize
440KB

MD5
37f2f391bdf3ce71094a3c74b7223396

SHA1
6671ffff7f59b855487970dd235c4864455cc9b3

SHA256
941e92b652bab766492a2edd14094e723d3ccd5bf631e1996750557f02fee416

SHA512
97d5bebadae40bfa78d3699cc173be38151e66128e463af45fe7c03ebe960b787e2fe389e4aec2d3f92b8aad96ceb46160414e6bc0ef3b4c0a119bfbcbdfe19c

Download Submit
C:\windows\hosts.exe

Filesize
440KB

MD5
37f2f391bdf3ce71094a3c74b7223396

SHA1
6671ffff7f59b855487970dd235c4864455cc9b3

SHA256
941e92b652bab766492a2edd14094e723d3ccd5bf631e1996750557f02fee416

SHA512
97d5bebadae40bfa78d3699cc173be38151e66128e463af45fe7c03ebe960b787e2fe389e4aec2d3f92b8aad96ceb46160414e6bc0ef3b4c0a119bfbcbdfe19c

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
440KB

MD5
6a7f1a50f4341334f3892dcd8746b34b

SHA1
578217dab0d32f81d3b79393271c8f1eda60b60d

SHA256
b7ad18bced7d020d255675e6fcb0bf4cbd17a47b41198fe953194d80622e7ac8

SHA512
a0db6813b6e62cda2c05785bed25a3eb962040f0b59c0793c854fc8062c1b3bbb034308eb8a306fbcccd8fea3d7791c6d6094ba2aa42bf85b91fed63ed63cab2

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
440KB

MD5
6a7f1a50f4341334f3892dcd8746b34b

SHA1
578217dab0d32f81d3b79393271c8f1eda60b60d

SHA256
b7ad18bced7d020d255675e6fcb0bf4cbd17a47b41198fe953194d80622e7ac8

SHA512
a0db6813b6e62cda2c05785bed25a3eb962040f0b59c0793c854fc8062c1b3bbb034308eb8a306fbcccd8fea3d7791c6d6094ba2aa42bf85b91fed63ed63cab2

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
440KB

MD5
6a7f1a50f4341334f3892dcd8746b34b

SHA1
578217dab0d32f81d3b79393271c8f1eda60b60d

SHA256
b7ad18bced7d020d255675e6fcb0bf4cbd17a47b41198fe953194d80622e7ac8

SHA512
a0db6813b6e62cda2c05785bed25a3eb962040f0b59c0793c854fc8062c1b3bbb034308eb8a306fbcccd8fea3d7791c6d6094ba2aa42bf85b91fed63ed63cab2

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
440KB

MD5
6a7f1a50f4341334f3892dcd8746b34b

SHA1
578217dab0d32f81d3b79393271c8f1eda60b60d

SHA256
b7ad18bced7d020d255675e6fcb0bf4cbd17a47b41198fe953194d80622e7ac8

SHA512
a0db6813b6e62cda2c05785bed25a3eb962040f0b59c0793c854fc8062c1b3bbb034308eb8a306fbcccd8fea3d7791c6d6094ba2aa42bf85b91fed63ed63cab2

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
440KB

MD5
6a7f1a50f4341334f3892dcd8746b34b

SHA1
578217dab0d32f81d3b79393271c8f1eda60b60d

SHA256
b7ad18bced7d020d255675e6fcb0bf4cbd17a47b41198fe953194d80622e7ac8

SHA512
a0db6813b6e62cda2c05785bed25a3eb962040f0b59c0793c854fc8062c1b3bbb034308eb8a306fbcccd8fea3d7791c6d6094ba2aa42bf85b91fed63ed63cab2

Download Submit
memory/1900-58-0x0000000074241000-0x0000000074243000-memory.dmp

Filesize
8KB

Download
memory/1900-56-0x0000000075131000-0x0000000075133000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads