cb3396b9b9f7f5869fb81d50a73e123a08c0ae17d2c4591a726fa210a984fefc

Analysis

max time kernel
180s
max time network
44s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 23:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cb3396b9b9f7f5869fb81d50a73e123a08c0ae17d2c4591a726fa210a984fefc.exe
Size

166KB
MD5

d64fa99d2a140d4b61e789aa92300ee5
SHA1

185fb46412606d593bdef665c272e0665cedd85a
SHA256

cb3396b9b9f7f5869fb81d50a73e123a08c0ae17d2c4591a726fa210a984fefc
SHA512

39eb81ea533f905d572f69ce0477ccf7cb2e43723eaac53509ee45148bdcfae5369830d4637d2530977458b4894d2b1e7a0de5ffa7a125845a53994455ad56d0
SSDEEP

3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCm/DEcOOb:gDCwfG1bnxLEcOu

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cb3396b9b9f7f5869fb81d50a73e123a08c0ae17d2c4591a726fa210a984fefc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cb3396b9b9f7f5869fb81d50a73e123a08c0ae17d2c4591a726fa210a984fefc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VUIIVLGQ = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VUIIVLGQ = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VUIIVLGQ = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
764	avscan.exe
1944	avscan.exe
756	hosts.exe
556	hosts.exe
1560	avscan.exe
1068	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
1996	cb3396b9b9f7f5869fb81d50a73e123a08c0ae17d2c4591a726fa210a984fefc.exe
1996	cb3396b9b9f7f5869fb81d50a73e123a08c0ae17d2c4591a726fa210a984fefc.exe
764	avscan.exe
756	hosts.exe
756	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	cb3396b9b9f7f5869fb81d50a73e123a08c0ae17d2c4591a726fa210a984fefc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	cb3396b9b9f7f5869fb81d50a73e123a08c0ae17d2c4591a726fa210a984fefc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	cb3396b9b9f7f5869fb81d50a73e123a08c0ae17d2c4591a726fa210a984fefc.exe
File created	\??\c:\windows\W_X_C.bat	cb3396b9b9f7f5869fb81d50a73e123a08c0ae17d2c4591a726fa210a984fefc.exe
File opened for modification	C:\Windows\hosts.exe	cb3396b9b9f7f5869fb81d50a73e123a08c0ae17d2c4591a726fa210a984fefc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
1112	REG.exe
1212	REG.exe
1636	REG.exe
952	REG.exe
340	REG.exe
768	REG.exe
568	REG.exe
1576	REG.exe
1896	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
764	avscan.exe
756	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1996	cb3396b9b9f7f5869fb81d50a73e123a08c0ae17d2c4591a726fa210a984fefc.exe
764	avscan.exe
1944	avscan.exe
556	hosts.exe
756	hosts.exe
1560	avscan.exe
1068	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 1212	1996	cb3396b9b9f7f5869fb81d50a73e123a08c0ae17d2c4591a726fa210a984fefc.exe	28
PID 1996 wrote to memory of 1212	1996	cb3396b9b9f7f5869fb81d50a73e123a08c0ae17d2c4591a726fa210a984fefc.exe	28
PID 1996 wrote to memory of 1212	1996	cb3396b9b9f7f5869fb81d50a73e123a08c0ae17d2c4591a726fa210a984fefc.exe	28
PID 1996 wrote to memory of 1212	1996	cb3396b9b9f7f5869fb81d50a73e123a08c0ae17d2c4591a726fa210a984fefc.exe	28
PID 1996 wrote to memory of 764	1996	cb3396b9b9f7f5869fb81d50a73e123a08c0ae17d2c4591a726fa210a984fefc.exe	30
PID 1996 wrote to memory of 764	1996	cb3396b9b9f7f5869fb81d50a73e123a08c0ae17d2c4591a726fa210a984fefc.exe	30
PID 1996 wrote to memory of 764	1996	cb3396b9b9f7f5869fb81d50a73e123a08c0ae17d2c4591a726fa210a984fefc.exe	30
PID 1996 wrote to memory of 764	1996	cb3396b9b9f7f5869fb81d50a73e123a08c0ae17d2c4591a726fa210a984fefc.exe	30
PID 764 wrote to memory of 1944	764	avscan.exe	31
PID 764 wrote to memory of 1944	764	avscan.exe	31
PID 764 wrote to memory of 1944	764	avscan.exe	31
PID 764 wrote to memory of 1944	764	avscan.exe	31
PID 764 wrote to memory of 1876	764	avscan.exe	32
PID 764 wrote to memory of 1876	764	avscan.exe	32
PID 764 wrote to memory of 1876	764	avscan.exe	32
PID 764 wrote to memory of 1876	764	avscan.exe	32
PID 1996 wrote to memory of 1356	1996	cb3396b9b9f7f5869fb81d50a73e123a08c0ae17d2c4591a726fa210a984fefc.exe	34
PID 1996 wrote to memory of 1356	1996	cb3396b9b9f7f5869fb81d50a73e123a08c0ae17d2c4591a726fa210a984fefc.exe	34
PID 1996 wrote to memory of 1356	1996	cb3396b9b9f7f5869fb81d50a73e123a08c0ae17d2c4591a726fa210a984fefc.exe	34
PID 1996 wrote to memory of 1356	1996	cb3396b9b9f7f5869fb81d50a73e123a08c0ae17d2c4591a726fa210a984fefc.exe	34
PID 1876 wrote to memory of 756	1876	cmd.exe	36
PID 1876 wrote to memory of 756	1876	cmd.exe	36
PID 1876 wrote to memory of 756	1876	cmd.exe	36
PID 1876 wrote to memory of 756	1876	cmd.exe	36
PID 1356 wrote to memory of 556	1356	cmd.exe	37
PID 1356 wrote to memory of 556	1356	cmd.exe	37
PID 1356 wrote to memory of 556	1356	cmd.exe	37
PID 1356 wrote to memory of 556	1356	cmd.exe	37
PID 1356 wrote to memory of 980	1356	cmd.exe	39
PID 1356 wrote to memory of 980	1356	cmd.exe	39
PID 1356 wrote to memory of 980	1356	cmd.exe	39
PID 1356 wrote to memory of 980	1356	cmd.exe	39
PID 1876 wrote to memory of 336	1876	cmd.exe	38
PID 1876 wrote to memory of 336	1876	cmd.exe	38
PID 1876 wrote to memory of 336	1876	cmd.exe	38
PID 1876 wrote to memory of 336	1876	cmd.exe	38
PID 756 wrote to memory of 1560	756	hosts.exe	40
PID 756 wrote to memory of 1560	756	hosts.exe	40
PID 756 wrote to memory of 1560	756	hosts.exe	40
PID 756 wrote to memory of 1560	756	hosts.exe	40
PID 756 wrote to memory of 1348	756	hosts.exe	41
PID 756 wrote to memory of 1348	756	hosts.exe	41
PID 756 wrote to memory of 1348	756	hosts.exe	41
PID 756 wrote to memory of 1348	756	hosts.exe	41
PID 1348 wrote to memory of 1068	1348	cmd.exe	43
PID 1348 wrote to memory of 1068	1348	cmd.exe	43
PID 1348 wrote to memory of 1068	1348	cmd.exe	43
PID 1348 wrote to memory of 1068	1348	cmd.exe	43
PID 1348 wrote to memory of 1792	1348	cmd.exe	44
PID 1348 wrote to memory of 1792	1348	cmd.exe	44
PID 1348 wrote to memory of 1792	1348	cmd.exe	44
PID 1348 wrote to memory of 1792	1348	cmd.exe	44
PID 764 wrote to memory of 1636	764	avscan.exe	45
PID 764 wrote to memory of 1636	764	avscan.exe	45
PID 764 wrote to memory of 1636	764	avscan.exe	45
PID 764 wrote to memory of 1636	764	avscan.exe	45
PID 756 wrote to memory of 952	756	hosts.exe	47
PID 756 wrote to memory of 952	756	hosts.exe	47
PID 756 wrote to memory of 952	756	hosts.exe	47
PID 756 wrote to memory of 952	756	hosts.exe	47
PID 764 wrote to memory of 568	764	avscan.exe	49
PID 764 wrote to memory of 568	764	avscan.exe	49
PID 764 wrote to memory of 568	764	avscan.exe	49
PID 764 wrote to memory of 568	764	avscan.exe	49

C:\Users\Admin\AppData\Local\Temp\cb3396b9b9f7f5869fb81d50a73e123a08c0ae17d2c4591a726fa210a984fefc.exe
"C:\Users\Admin\AppData\Local\Temp\cb3396b9b9f7f5869fb81d50a73e123a08c0ae17d2c4591a726fa210a984fefc.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:1212
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1944
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:756
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1560
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\W_X_C.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1348
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1068
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:1792
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:952
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:340
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1576
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1896
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:336
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1636
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:568
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:768
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:556
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
380KB

MD5
e2a219869478052a6cc6734c55138241

SHA1
ec7e21c9991b5e986b0833a406f7695121e538f1

SHA256
d337844660ef741b5e412d87b7436f4fba3378a530d08b31adc87b8c6714ee48

SHA512
3bde75799be57b45616bf3bafaee21e6db31669d2a27252de6a346bc9a144a2df0745e255a7409ee6e8f9a407e923d30c66eb59c75b1908b8562caa011530059

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
713KB

MD5
ec7ac3d8a6bb858b59d07ecf540fd079

SHA1
ae5456095c8090d8b4c30e48c4a50042c8a6b58f

SHA256
a50df677f4041aeb06fd451fe8a70e79e6911fabbe269731b6f3d50628b39af5

SHA512
581a54cecb43363b96a347c30e2b23e6a890e30e36be30034779eeae05c50fe2ea4421b98d56ec2ff9c512c1a55ec899b786f4497789caf8610df4fdfe75d9f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
713KB

MD5
2a951b6f8ab673d66cb754d955369a98

SHA1
27412708cce8639007d58049931973e0994476a6

SHA256
039fa6aed8be08a083eca270ddad1ec4d15e5499446d11c85a2b89a4481f98bb

SHA512
ceb8a71afd9492d0d980f5f784806b2d4361d0e63dd5209e8a045490f65a0bfcdc3a8ae7bb7a5699cd49a63542a346b393378e3a493d13402753c47b0b5a5044

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
879KB

MD5
72f572ebc1b63c8ded56523a3dc5bded

SHA1
01b9ea06c958a6e8d9897348874c5e04919a93a5

SHA256
e5dbab6f3205afa63d40dd5c50c6f119e3dae31fe89cbe80efe885607d619e71

SHA512
878975f456823229d2dde972af26641db28012879c9302eb02fc7a7a9f954db774ec52ffcafff99e8136bd8dfac65441bed354ac1baeef12334af8f843a60448

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.0MB

MD5
3125044ad25d240e5959dd5238759526

SHA1
93ca23ed6f1388b431d4319ee1885f6cc55c9976

SHA256
f868b03bff03aca9420dfb1b6849813efe2b881912ca14b74673010d95c170c4

SHA512
717b418bffdb95bcd2f09a2560fae84d7a1c9d66c53f86c47a1fd2dc7fbe529bacc4db7dc4f407326a3c9a6a0a5fcc03eeb70651e1b43613e880b580633631d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.2MB

MD5
2321eddaa71686bbdf40719287aa0642

SHA1
47f6314394b146d772a4b8b018002c37970e04bd

SHA256
d2fbf5eb7f4348b8f3b8ce18249d7698887f3495b1068a161d44f97c1ba27d9b

SHA512
16c5c99367d3fe0ea8e4441ca32a8fa22378972b4d042c3e756b7e74161ded14a6ea08d23b05aec1117c262c9dd8bcdfd2486b31de84cdaad44b68ba8db4c77b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.2MB

MD5
8d486e5e3a246c379b528a26d06c0505

SHA1
8a2b253c027215fab21be65694e8993a58af61b1

SHA256
73483308962d863a7595ae8ac9c2ef3d9dafe4fa66c0ffe49726f27865cc3381

SHA512
9420086793f9a79d9262f2801b981ce1d53270d8169da4436ea660e02023c9eb00ae74e5c9da8ed2462e10af0cb439859a322b19091c46abb23bc6ac28615cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
166KB

MD5
a1f32b94458f3ff5b9fdcef1074157e0

SHA1
a39d2e23e3c6318c0fb12ad5ba69298be57355be

SHA256
9e48a56bac83e40c9deaa75222e457e1ab273e78c1f31947f7446215ca3cc3d6

SHA512
1f4bb044200673edecf4460b9995c28181f94cfde728e9e6a55d9b0f04246a948310cbf16fb1290ee276286bf62439f9bf17108ae87ddaa5f2fdb71c5948a86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
166KB

MD5
a1f32b94458f3ff5b9fdcef1074157e0

SHA1
a39d2e23e3c6318c0fb12ad5ba69298be57355be

SHA256
9e48a56bac83e40c9deaa75222e457e1ab273e78c1f31947f7446215ca3cc3d6

SHA512
1f4bb044200673edecf4460b9995c28181f94cfde728e9e6a55d9b0f04246a948310cbf16fb1290ee276286bf62439f9bf17108ae87ddaa5f2fdb71c5948a86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
166KB

MD5
a1f32b94458f3ff5b9fdcef1074157e0

SHA1
a39d2e23e3c6318c0fb12ad5ba69298be57355be

SHA256
9e48a56bac83e40c9deaa75222e457e1ab273e78c1f31947f7446215ca3cc3d6

SHA512
1f4bb044200673edecf4460b9995c28181f94cfde728e9e6a55d9b0f04246a948310cbf16fb1290ee276286bf62439f9bf17108ae87ddaa5f2fdb71c5948a86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
166KB

MD5
a1f32b94458f3ff5b9fdcef1074157e0

SHA1
a39d2e23e3c6318c0fb12ad5ba69298be57355be

SHA256
9e48a56bac83e40c9deaa75222e457e1ab273e78c1f31947f7446215ca3cc3d6

SHA512
1f4bb044200673edecf4460b9995c28181f94cfde728e9e6a55d9b0f04246a948310cbf16fb1290ee276286bf62439f9bf17108ae87ddaa5f2fdb71c5948a86f

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
bb5f0d81909924d647dc29f49c1ab135

SHA1
3f69821597fc6e1bf95639ed73729d5b28d30571

SHA256
71a89829e758fce2196f5ae1fce0af4110c85b65f1cacbd9d34394843a0e9563

SHA512
e4459b6d398a439a6c086e1fbec0ce713c530f8c6ff9237fa080eb3fed35fcb938d88eb70bef32fe5d7853435c3cca5a25c207473239c460633ac30e302765ab

Download Submit
C:\Windows\hosts.exe

Filesize
166KB

MD5
f7225aba2ef07bc58fb7bf5771d5eb29

SHA1
9ca1a011f9a0ab04783e36f3be301b9c40098d08

SHA256
5d50eaa51c7f73af19c83f523bf772a97733ad5059ba775c96917bfe1714482f

SHA512
f3c48969f1640e4f80a5e01607d12cb59eddf3e765251ca5f5aa59d1f211099b8139568523f6ad8931901e13e9a375ea40b1fdb3b8671e9ed5fc984f74016114

Download Submit
C:\Windows\hosts.exe

Filesize
166KB

MD5
f7225aba2ef07bc58fb7bf5771d5eb29

SHA1
9ca1a011f9a0ab04783e36f3be301b9c40098d08

SHA256
5d50eaa51c7f73af19c83f523bf772a97733ad5059ba775c96917bfe1714482f

SHA512
f3c48969f1640e4f80a5e01607d12cb59eddf3e765251ca5f5aa59d1f211099b8139568523f6ad8931901e13e9a375ea40b1fdb3b8671e9ed5fc984f74016114

Download Submit
C:\Windows\hosts.exe

Filesize
166KB

MD5
f7225aba2ef07bc58fb7bf5771d5eb29

SHA1
9ca1a011f9a0ab04783e36f3be301b9c40098d08

SHA256
5d50eaa51c7f73af19c83f523bf772a97733ad5059ba775c96917bfe1714482f

SHA512
f3c48969f1640e4f80a5e01607d12cb59eddf3e765251ca5f5aa59d1f211099b8139568523f6ad8931901e13e9a375ea40b1fdb3b8671e9ed5fc984f74016114

Download Submit
C:\Windows\hosts.exe

Filesize
166KB

MD5
f7225aba2ef07bc58fb7bf5771d5eb29

SHA1
9ca1a011f9a0ab04783e36f3be301b9c40098d08

SHA256
5d50eaa51c7f73af19c83f523bf772a97733ad5059ba775c96917bfe1714482f

SHA512
f3c48969f1640e4f80a5e01607d12cb59eddf3e765251ca5f5aa59d1f211099b8139568523f6ad8931901e13e9a375ea40b1fdb3b8671e9ed5fc984f74016114

Download Submit
C:\windows\hosts.exe

Filesize
166KB

MD5
f7225aba2ef07bc58fb7bf5771d5eb29

SHA1
9ca1a011f9a0ab04783e36f3be301b9c40098d08

SHA256
5d50eaa51c7f73af19c83f523bf772a97733ad5059ba775c96917bfe1714482f

SHA512
f3c48969f1640e4f80a5e01607d12cb59eddf3e765251ca5f5aa59d1f211099b8139568523f6ad8931901e13e9a375ea40b1fdb3b8671e9ed5fc984f74016114

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
166KB

MD5
a1f32b94458f3ff5b9fdcef1074157e0

SHA1
a39d2e23e3c6318c0fb12ad5ba69298be57355be

SHA256
9e48a56bac83e40c9deaa75222e457e1ab273e78c1f31947f7446215ca3cc3d6

SHA512
1f4bb044200673edecf4460b9995c28181f94cfde728e9e6a55d9b0f04246a948310cbf16fb1290ee276286bf62439f9bf17108ae87ddaa5f2fdb71c5948a86f

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
166KB

MD5
a1f32b94458f3ff5b9fdcef1074157e0

SHA1
a39d2e23e3c6318c0fb12ad5ba69298be57355be

SHA256
9e48a56bac83e40c9deaa75222e457e1ab273e78c1f31947f7446215ca3cc3d6

SHA512
1f4bb044200673edecf4460b9995c28181f94cfde728e9e6a55d9b0f04246a948310cbf16fb1290ee276286bf62439f9bf17108ae87ddaa5f2fdb71c5948a86f

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
166KB

MD5
a1f32b94458f3ff5b9fdcef1074157e0

SHA1
a39d2e23e3c6318c0fb12ad5ba69298be57355be

SHA256
9e48a56bac83e40c9deaa75222e457e1ab273e78c1f31947f7446215ca3cc3d6

SHA512
1f4bb044200673edecf4460b9995c28181f94cfde728e9e6a55d9b0f04246a948310cbf16fb1290ee276286bf62439f9bf17108ae87ddaa5f2fdb71c5948a86f

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
166KB

MD5
a1f32b94458f3ff5b9fdcef1074157e0

SHA1
a39d2e23e3c6318c0fb12ad5ba69298be57355be

SHA256
9e48a56bac83e40c9deaa75222e457e1ab273e78c1f31947f7446215ca3cc3d6

SHA512
1f4bb044200673edecf4460b9995c28181f94cfde728e9e6a55d9b0f04246a948310cbf16fb1290ee276286bf62439f9bf17108ae87ddaa5f2fdb71c5948a86f

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
166KB

MD5
a1f32b94458f3ff5b9fdcef1074157e0

SHA1
a39d2e23e3c6318c0fb12ad5ba69298be57355be

SHA256
9e48a56bac83e40c9deaa75222e457e1ab273e78c1f31947f7446215ca3cc3d6

SHA512
1f4bb044200673edecf4460b9995c28181f94cfde728e9e6a55d9b0f04246a948310cbf16fb1290ee276286bf62439f9bf17108ae87ddaa5f2fdb71c5948a86f

Download Submit
memory/1996-58-0x0000000074A41000-0x0000000074A43000-memory.dmp

Filesize
8KB

Download
memory/1996-56-0x0000000075631000-0x0000000075633000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads