d2240214cc306ac4b5d90cc46025276a904ceec674a5122128cf5910873a9e27

Analysis

max time kernel
271s
max time network
336s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
02-12-2022 23:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2240214cc306ac4b5d90cc46025276a904ceec674a5122128cf5910873a9e27.exe
Size

207KB
MD5

e73fed1d54a657a7704569f50bc3c09d
SHA1

d63e6c0b3d1d634aa400f462fc1d8681adc09d07
SHA256

d2240214cc306ac4b5d90cc46025276a904ceec674a5122128cf5910873a9e27
SHA512

84c2427c857dd3cfc7a68c73c443810e3a34438bfecf4eb897c542cef5a43dc3faa72dc73714e2eb31d72f33526a24089122b1c60bd7176761e7c4f4d741a3aa
SSDEEP

3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCm/DER4eQS+2NS55w:gDCwfG1bnxLERRL+2v

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	d2240214cc306ac4b5d90cc46025276a904ceec674a5122128cf5910873a9e27.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	d2240214cc306ac4b5d90cc46025276a904ceec674a5122128cf5910873a9e27.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VDWSWJJD = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VDWSWJJD = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VDWSWJJD = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
1700	avscan.exe
752	avscan.exe
1544	hosts.exe
868	hosts.exe
1556	avscan.exe
292	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
772	d2240214cc306ac4b5d90cc46025276a904ceec674a5122128cf5910873a9e27.exe
772	d2240214cc306ac4b5d90cc46025276a904ceec674a5122128cf5910873a9e27.exe
1700	avscan.exe
1544	hosts.exe
1544	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	d2240214cc306ac4b5d90cc46025276a904ceec674a5122128cf5910873a9e27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	d2240214cc306ac4b5d90cc46025276a904ceec674a5122128cf5910873a9e27.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\W_X_C.vbs	d2240214cc306ac4b5d90cc46025276a904ceec674a5122128cf5910873a9e27.exe
File created	\??\c:\windows\W_X_C.bat	d2240214cc306ac4b5d90cc46025276a904ceec674a5122128cf5910873a9e27.exe
File opened for modification	C:\Windows\hosts.exe	d2240214cc306ac4b5d90cc46025276a904ceec674a5122128cf5910873a9e27.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
1744	REG.exe
1804	REG.exe
936	REG.exe
1480	REG.exe
916	REG.exe
576	REG.exe
1604	REG.exe
1944	REG.exe
1080	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1700	avscan.exe
1544	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
772	d2240214cc306ac4b5d90cc46025276a904ceec674a5122128cf5910873a9e27.exe
1700	avscan.exe
752	avscan.exe
1544	hosts.exe
868	hosts.exe
1556	avscan.exe
292	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 772 wrote to memory of 576	772	d2240214cc306ac4b5d90cc46025276a904ceec674a5122128cf5910873a9e27.exe	27
PID 772 wrote to memory of 576	772	d2240214cc306ac4b5d90cc46025276a904ceec674a5122128cf5910873a9e27.exe	27
PID 772 wrote to memory of 576	772	d2240214cc306ac4b5d90cc46025276a904ceec674a5122128cf5910873a9e27.exe	27
PID 772 wrote to memory of 576	772	d2240214cc306ac4b5d90cc46025276a904ceec674a5122128cf5910873a9e27.exe	27
PID 772 wrote to memory of 1700	772	d2240214cc306ac4b5d90cc46025276a904ceec674a5122128cf5910873a9e27.exe	29
PID 772 wrote to memory of 1700	772	d2240214cc306ac4b5d90cc46025276a904ceec674a5122128cf5910873a9e27.exe	29
PID 772 wrote to memory of 1700	772	d2240214cc306ac4b5d90cc46025276a904ceec674a5122128cf5910873a9e27.exe	29
PID 772 wrote to memory of 1700	772	d2240214cc306ac4b5d90cc46025276a904ceec674a5122128cf5910873a9e27.exe	29
PID 1700 wrote to memory of 752	1700	avscan.exe	30
PID 1700 wrote to memory of 752	1700	avscan.exe	30
PID 1700 wrote to memory of 752	1700	avscan.exe	30
PID 1700 wrote to memory of 752	1700	avscan.exe	30
PID 1700 wrote to memory of 1964	1700	avscan.exe	31
PID 1700 wrote to memory of 1964	1700	avscan.exe	31
PID 1700 wrote to memory of 1964	1700	avscan.exe	31
PID 1700 wrote to memory of 1964	1700	avscan.exe	31
PID 772 wrote to memory of 1736	772	d2240214cc306ac4b5d90cc46025276a904ceec674a5122128cf5910873a9e27.exe	32
PID 772 wrote to memory of 1736	772	d2240214cc306ac4b5d90cc46025276a904ceec674a5122128cf5910873a9e27.exe	32
PID 772 wrote to memory of 1736	772	d2240214cc306ac4b5d90cc46025276a904ceec674a5122128cf5910873a9e27.exe	32
PID 772 wrote to memory of 1736	772	d2240214cc306ac4b5d90cc46025276a904ceec674a5122128cf5910873a9e27.exe	32
PID 1736 wrote to memory of 868	1736	cmd.exe	35
PID 1736 wrote to memory of 868	1736	cmd.exe	35
PID 1736 wrote to memory of 868	1736	cmd.exe	35
PID 1736 wrote to memory of 868	1736	cmd.exe	35
PID 1964 wrote to memory of 1544	1964	cmd.exe	36
PID 1964 wrote to memory of 1544	1964	cmd.exe	36
PID 1964 wrote to memory of 1544	1964	cmd.exe	36
PID 1964 wrote to memory of 1544	1964	cmd.exe	36
PID 1544 wrote to memory of 1556	1544	hosts.exe	38
PID 1544 wrote to memory of 1556	1544	hosts.exe	38
PID 1544 wrote to memory of 1556	1544	hosts.exe	38
PID 1544 wrote to memory of 1556	1544	hosts.exe	38
PID 1964 wrote to memory of 1540	1964	cmd.exe	37
PID 1964 wrote to memory of 1540	1964	cmd.exe	37
PID 1964 wrote to memory of 1540	1964	cmd.exe	37
PID 1964 wrote to memory of 1540	1964	cmd.exe	37
PID 1736 wrote to memory of 1644	1736	cmd.exe	39
PID 1736 wrote to memory of 1644	1736	cmd.exe	39
PID 1736 wrote to memory of 1644	1736	cmd.exe	39
PID 1736 wrote to memory of 1644	1736	cmd.exe	39
PID 1544 wrote to memory of 1276	1544	hosts.exe	40
PID 1544 wrote to memory of 1276	1544	hosts.exe	40
PID 1544 wrote to memory of 1276	1544	hosts.exe	40
PID 1544 wrote to memory of 1276	1544	hosts.exe	40
PID 1276 wrote to memory of 292	1276	cmd.exe	42
PID 1276 wrote to memory of 292	1276	cmd.exe	42
PID 1276 wrote to memory of 292	1276	cmd.exe	42
PID 1276 wrote to memory of 292	1276	cmd.exe	42
PID 1276 wrote to memory of 1716	1276	cmd.exe	43
PID 1276 wrote to memory of 1716	1276	cmd.exe	43
PID 1276 wrote to memory of 1716	1276	cmd.exe	43
PID 1276 wrote to memory of 1716	1276	cmd.exe	43
PID 1700 wrote to memory of 1744	1700	avscan.exe	44
PID 1700 wrote to memory of 1744	1700	avscan.exe	44
PID 1700 wrote to memory of 1744	1700	avscan.exe	44
PID 1700 wrote to memory of 1744	1700	avscan.exe	44
PID 1544 wrote to memory of 1604	1544	hosts.exe	46
PID 1544 wrote to memory of 1604	1544	hosts.exe	46
PID 1544 wrote to memory of 1604	1544	hosts.exe	46
PID 1544 wrote to memory of 1604	1544	hosts.exe	46
PID 1544 wrote to memory of 1080	1544	hosts.exe	49
PID 1544 wrote to memory of 1080	1544	hosts.exe	49
PID 1544 wrote to memory of 1080	1544	hosts.exe	49
PID 1544 wrote to memory of 1080	1544	hosts.exe	49

C:\Users\Admin\AppData\Local\Temp\d2240214cc306ac4b5d90cc46025276a904ceec674a5122128cf5910873a9e27.exe
"C:\Users\Admin\AppData\Local\Temp\d2240214cc306ac4b5d90cc46025276a904ceec674a5122128cf5910873a9e27.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:772
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:576
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:752
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1964
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1544
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1556
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\W_X_C.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1276
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:292
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:1716
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1604
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1080
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1804
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:936
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:1540
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1744
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1944
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:916
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:868
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:1644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
462KB

MD5
3a8d0162c063a902b5cf79ab8327e8f1

SHA1
4aeac2d627cf4d6fd2403b34907bacd0a0186fef

SHA256
b16429eb9896f788f4e2fa92c1fec8483973ade9db50f85cc5f4ded8376db521

SHA512
77a808e5496a756ce01911adada9dcac3c38fc43da17834df577bd9821b9c2dd255d0158d8c619d4c88dc15bbf5f94f3ded58d2105bd944c3359463827aed391

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
877KB

MD5
143c4d06093c23e16c7cb5d628247c2b

SHA1
36a706d74917dedbd65d3c6a54e4f1ee8b52222d

SHA256
adde9a82650656de7982e8b758c0bee838ea4c874432faea8205cac32f77148f

SHA512
d4607e1472c8d39fa8e56f6f2ba1aa581b0f2223550760b11d4dd3da803868cb317f4b1452ef34868c284a266513f8b1255b8b7c99a150df78a2581c661e1506

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.1MB

MD5
82468aafb785eb8d09def90d47ba5a8c

SHA1
bdf163d8e50ca47f4e78d8eb9f254cc859b93c35

SHA256
ee7dd654a21b2ef3c9637fbcc6ef7a308dc12c301e51bd5e8b6aef8c59072769

SHA512
ef4c570ff015a5ab08688fc0c45ea337aa6027a100e7971b9bd1b369b12e17df0957cc128e82c6f54d2c451da6d864d94b5adeff873abe6437ddc6f96f88a4cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.3MB

MD5
faa639b189022ecd068f9b281993a644

SHA1
df687d76b26411e036f3865c3ff208170a5b8d8c

SHA256
598ba5438b1ecf0ac2695a2d9e32b4122bcbfaae1102162f417c5e3dcfb2fd56

SHA512
90456ffa1eb4d552ddd224416c9a82723ccf8f4d7612484b4b5ac801b0f339a69c4097b22641a9fd30c099a0c74d25de2b29ed158da1268e28c427d9828d5403

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.3MB

MD5
faa639b189022ecd068f9b281993a644

SHA1
df687d76b26411e036f3865c3ff208170a5b8d8c

SHA256
598ba5438b1ecf0ac2695a2d9e32b4122bcbfaae1102162f417c5e3dcfb2fd56

SHA512
90456ffa1eb4d552ddd224416c9a82723ccf8f4d7612484b4b5ac801b0f339a69c4097b22641a9fd30c099a0c74d25de2b29ed158da1268e28c427d9828d5403

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.5MB

MD5
d51ed25d22a999d3a8326a4778a04710

SHA1
8bccddd426b6e71cdde81ac2f0d1919728c22cb3

SHA256
9581616df163b65864dc6b2473cfeb98b60b5b360814ee4078d23a287248f358

SHA512
05c04d82f3939878dfb87537e682ae43ac63efbdff7c23f0814a6d1f60c379248d7519e39546c01d36684d52559548fed4f39aeb18a987678cd702c25a9e1234

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
207KB

MD5
f5e34d8d97fbb23dd4cb346ae2c079b4

SHA1
092d1d58b102ae03c238884e075526c18b5cef64

SHA256
4dcac2810ad773f750dadc1898aa1bf205230b20c1dd53b08a45770cf32f8d34

SHA512
0d0d4ab2c0747c892303d4cc4eb0eebccf4050e0859b4b8d0f52f60d57ae4e5999a40c9386cbd1dfadd451df72da78f2413b65051c3afba537767073b3a53295

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
207KB

MD5
f5e34d8d97fbb23dd4cb346ae2c079b4

SHA1
092d1d58b102ae03c238884e075526c18b5cef64

SHA256
4dcac2810ad773f750dadc1898aa1bf205230b20c1dd53b08a45770cf32f8d34

SHA512
0d0d4ab2c0747c892303d4cc4eb0eebccf4050e0859b4b8d0f52f60d57ae4e5999a40c9386cbd1dfadd451df72da78f2413b65051c3afba537767073b3a53295

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
207KB

MD5
f5e34d8d97fbb23dd4cb346ae2c079b4

SHA1
092d1d58b102ae03c238884e075526c18b5cef64

SHA256
4dcac2810ad773f750dadc1898aa1bf205230b20c1dd53b08a45770cf32f8d34

SHA512
0d0d4ab2c0747c892303d4cc4eb0eebccf4050e0859b4b8d0f52f60d57ae4e5999a40c9386cbd1dfadd451df72da78f2413b65051c3afba537767073b3a53295

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
207KB

MD5
f5e34d8d97fbb23dd4cb346ae2c079b4

SHA1
092d1d58b102ae03c238884e075526c18b5cef64

SHA256
4dcac2810ad773f750dadc1898aa1bf205230b20c1dd53b08a45770cf32f8d34

SHA512
0d0d4ab2c0747c892303d4cc4eb0eebccf4050e0859b4b8d0f52f60d57ae4e5999a40c9386cbd1dfadd451df72da78f2413b65051c3afba537767073b3a53295

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
40e2445dd4f5ff1ea917961b3db832aa

SHA1
a49e162758df59a93c1aed976573fe94fe74c5a8

SHA256
0a89b65ed4e6caf1d6bf8b761f3a3e488207d012806d4d43379d595ff5f3ad28

SHA512
c1720e28bba2b2cf4a3498e6856e4331e3fc3c0e432173cd9c05b88afc0ebca4a018ff49137cf8482353d7bc47175704d98dc2d0b9f217a4465ad37e0b2ab8a7

Download Submit
C:\Windows\hosts.exe

Filesize
207KB

MD5
6527d3f538055420b5d1907b6c214c6c

SHA1
b8e193291e21f7edc304388b57e4adc0bd912229

SHA256
c04e147f766594fc910d9be5a7b7752a91c98ad1d5dbe9eb679af473e145daee

SHA512
e435481a783cbff19add0fbfbb156f0b5ab49adcfe99764049cf60ca506d3b5b3c405bf9c99fdda68a644f624c493940173ca7e097a3458189ade1920df6aca2

Download Submit
C:\Windows\hosts.exe

Filesize
207KB

MD5
6527d3f538055420b5d1907b6c214c6c

SHA1
b8e193291e21f7edc304388b57e4adc0bd912229

SHA256
c04e147f766594fc910d9be5a7b7752a91c98ad1d5dbe9eb679af473e145daee

SHA512
e435481a783cbff19add0fbfbb156f0b5ab49adcfe99764049cf60ca506d3b5b3c405bf9c99fdda68a644f624c493940173ca7e097a3458189ade1920df6aca2

Download Submit
C:\Windows\hosts.exe

Filesize
207KB

MD5
6527d3f538055420b5d1907b6c214c6c

SHA1
b8e193291e21f7edc304388b57e4adc0bd912229

SHA256
c04e147f766594fc910d9be5a7b7752a91c98ad1d5dbe9eb679af473e145daee

SHA512
e435481a783cbff19add0fbfbb156f0b5ab49adcfe99764049cf60ca506d3b5b3c405bf9c99fdda68a644f624c493940173ca7e097a3458189ade1920df6aca2

Download Submit
C:\Windows\hosts.exe

Filesize
207KB

MD5
6527d3f538055420b5d1907b6c214c6c

SHA1
b8e193291e21f7edc304388b57e4adc0bd912229

SHA256
c04e147f766594fc910d9be5a7b7752a91c98ad1d5dbe9eb679af473e145daee

SHA512
e435481a783cbff19add0fbfbb156f0b5ab49adcfe99764049cf60ca506d3b5b3c405bf9c99fdda68a644f624c493940173ca7e097a3458189ade1920df6aca2

Download Submit
C:\windows\hosts.exe

Filesize
207KB

MD5
6527d3f538055420b5d1907b6c214c6c

SHA1
b8e193291e21f7edc304388b57e4adc0bd912229

SHA256
c04e147f766594fc910d9be5a7b7752a91c98ad1d5dbe9eb679af473e145daee

SHA512
e435481a783cbff19add0fbfbb156f0b5ab49adcfe99764049cf60ca506d3b5b3c405bf9c99fdda68a644f624c493940173ca7e097a3458189ade1920df6aca2

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
207KB

MD5
f5e34d8d97fbb23dd4cb346ae2c079b4

SHA1
092d1d58b102ae03c238884e075526c18b5cef64

SHA256
4dcac2810ad773f750dadc1898aa1bf205230b20c1dd53b08a45770cf32f8d34

SHA512
0d0d4ab2c0747c892303d4cc4eb0eebccf4050e0859b4b8d0f52f60d57ae4e5999a40c9386cbd1dfadd451df72da78f2413b65051c3afba537767073b3a53295

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
207KB

MD5
f5e34d8d97fbb23dd4cb346ae2c079b4

SHA1
092d1d58b102ae03c238884e075526c18b5cef64

SHA256
4dcac2810ad773f750dadc1898aa1bf205230b20c1dd53b08a45770cf32f8d34

SHA512
0d0d4ab2c0747c892303d4cc4eb0eebccf4050e0859b4b8d0f52f60d57ae4e5999a40c9386cbd1dfadd451df72da78f2413b65051c3afba537767073b3a53295

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
207KB

MD5
f5e34d8d97fbb23dd4cb346ae2c079b4

SHA1
092d1d58b102ae03c238884e075526c18b5cef64

SHA256
4dcac2810ad773f750dadc1898aa1bf205230b20c1dd53b08a45770cf32f8d34

SHA512
0d0d4ab2c0747c892303d4cc4eb0eebccf4050e0859b4b8d0f52f60d57ae4e5999a40c9386cbd1dfadd451df72da78f2413b65051c3afba537767073b3a53295

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
207KB

MD5
f5e34d8d97fbb23dd4cb346ae2c079b4

SHA1
092d1d58b102ae03c238884e075526c18b5cef64

SHA256
4dcac2810ad773f750dadc1898aa1bf205230b20c1dd53b08a45770cf32f8d34

SHA512
0d0d4ab2c0747c892303d4cc4eb0eebccf4050e0859b4b8d0f52f60d57ae4e5999a40c9386cbd1dfadd451df72da78f2413b65051c3afba537767073b3a53295

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
207KB

MD5
f5e34d8d97fbb23dd4cb346ae2c079b4

SHA1
092d1d58b102ae03c238884e075526c18b5cef64

SHA256
4dcac2810ad773f750dadc1898aa1bf205230b20c1dd53b08a45770cf32f8d34

SHA512
0d0d4ab2c0747c892303d4cc4eb0eebccf4050e0859b4b8d0f52f60d57ae4e5999a40c9386cbd1dfadd451df72da78f2413b65051c3afba537767073b3a53295

Download Submit
memory/292-96-0x0000000000000000-mapping.dmp

Download
memory/576-57-0x0000000000000000-mapping.dmp

Download
memory/752-68-0x0000000000000000-mapping.dmp

Download
memory/772-58-0x00000000746C1000-0x00000000746C3000-memory.dmp

Filesize
8KB

Download
memory/772-56-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/868-76-0x0000000000000000-mapping.dmp

Download
memory/916-115-0x0000000000000000-mapping.dmp

Download
memory/936-118-0x0000000000000000-mapping.dmp

Download
memory/1080-110-0x0000000000000000-mapping.dmp

Download
memory/1276-95-0x0000000000000000-mapping.dmp

Download
memory/1480-121-0x0000000000000000-mapping.dmp

Download
memory/1540-94-0x0000000000000000-mapping.dmp

Download
memory/1544-77-0x0000000000000000-mapping.dmp

Download
memory/1556-89-0x0000000000000000-mapping.dmp

Download
memory/1604-108-0x0000000000000000-mapping.dmp

Download
memory/1644-93-0x0000000000000000-mapping.dmp

Download
memory/1700-61-0x0000000000000000-mapping.dmp

Download
memory/1716-101-0x0000000000000000-mapping.dmp

Download
memory/1736-74-0x0000000000000000-mapping.dmp

Download
memory/1744-106-0x0000000000000000-mapping.dmp

Download
memory/1804-113-0x0000000000000000-mapping.dmp

Download
memory/1944-111-0x0000000000000000-mapping.dmp

Download
memory/1964-73-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads