7006cb71ef9bd03b020f9b6b4a218f8ffbf883af5ee332422d0c81ad26f3552f

Analysis

max time kernel
174s
max time network
59s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7006cb71ef9bd03b020f9b6b4a218f8ffbf883af5ee332422d0c81ad26f3552f.exe
Size

358KB
MD5

a6f517fad84cd7d9cb03a7f84687921e
SHA1

5c055a105156524c4f41bddac7c5e5b07184df83
SHA256

7006cb71ef9bd03b020f9b6b4a218f8ffbf883af5ee332422d0c81ad26f3552f
SHA512

bf78081dc935efb64ac2c2ed0480dc611566617264a772b268e1d5d0de9e95be9ff3272d5e1f18754bdf340271e614cb5233aec121e23ef0ed2379c270299dec
SSDEEP

6144:gDCwfG1bnxG8DBvnDCwfG1bnxG8DBvGvw:g72bnIOv72bnIOuo

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	7006cb71ef9bd03b020f9b6b4a218f8ffbf883af5ee332422d0c81ad26f3552f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	7006cb71ef9bd03b020f9b6b4a218f8ffbf883af5ee332422d0c81ad26f3552f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GRXNNIIE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GRXNNIIE = "W_X_C.bat"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GRXNNIIE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
1720	avscan.exe
868	avscan.exe
1424	hosts.exe
1072	hosts.exe
1932	avscan.exe
632	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
1676	7006cb71ef9bd03b020f9b6b4a218f8ffbf883af5ee332422d0c81ad26f3552f.exe
1676	7006cb71ef9bd03b020f9b6b4a218f8ffbf883af5ee332422d0c81ad26f3552f.exe
1720	avscan.exe
1424	hosts.exe
1424	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	7006cb71ef9bd03b020f9b6b4a218f8ffbf883af5ee332422d0c81ad26f3552f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	7006cb71ef9bd03b020f9b6b4a218f8ffbf883af5ee332422d0c81ad26f3552f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	7006cb71ef9bd03b020f9b6b4a218f8ffbf883af5ee332422d0c81ad26f3552f.exe
File created	\??\c:\windows\W_X_C.bat	7006cb71ef9bd03b020f9b6b4a218f8ffbf883af5ee332422d0c81ad26f3552f.exe
File opened for modification	C:\Windows\hosts.exe	7006cb71ef9bd03b020f9b6b4a218f8ffbf883af5ee332422d0c81ad26f3552f.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
1076	REG.exe
1176	REG.exe
2040	REG.exe
2024	REG.exe
1072	REG.exe
1400	REG.exe
1748	REG.exe
964	REG.exe
1620	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1720	avscan.exe
1424	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1676	7006cb71ef9bd03b020f9b6b4a218f8ffbf883af5ee332422d0c81ad26f3552f.exe
1720	avscan.exe
868	avscan.exe
1424	hosts.exe
1072	hosts.exe
1932	avscan.exe
632	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 1076	1676	7006cb71ef9bd03b020f9b6b4a218f8ffbf883af5ee332422d0c81ad26f3552f.exe	28
PID 1676 wrote to memory of 1076	1676	7006cb71ef9bd03b020f9b6b4a218f8ffbf883af5ee332422d0c81ad26f3552f.exe	28
PID 1676 wrote to memory of 1076	1676	7006cb71ef9bd03b020f9b6b4a218f8ffbf883af5ee332422d0c81ad26f3552f.exe	28
PID 1676 wrote to memory of 1076	1676	7006cb71ef9bd03b020f9b6b4a218f8ffbf883af5ee332422d0c81ad26f3552f.exe	28
PID 1676 wrote to memory of 1720	1676	7006cb71ef9bd03b020f9b6b4a218f8ffbf883af5ee332422d0c81ad26f3552f.exe	30
PID 1676 wrote to memory of 1720	1676	7006cb71ef9bd03b020f9b6b4a218f8ffbf883af5ee332422d0c81ad26f3552f.exe	30
PID 1676 wrote to memory of 1720	1676	7006cb71ef9bd03b020f9b6b4a218f8ffbf883af5ee332422d0c81ad26f3552f.exe	30
PID 1676 wrote to memory of 1720	1676	7006cb71ef9bd03b020f9b6b4a218f8ffbf883af5ee332422d0c81ad26f3552f.exe	30
PID 1720 wrote to memory of 868	1720	avscan.exe	31
PID 1720 wrote to memory of 868	1720	avscan.exe	31
PID 1720 wrote to memory of 868	1720	avscan.exe	31
PID 1720 wrote to memory of 868	1720	avscan.exe	31
PID 1720 wrote to memory of 776	1720	avscan.exe	32
PID 1720 wrote to memory of 776	1720	avscan.exe	32
PID 1720 wrote to memory of 776	1720	avscan.exe	32
PID 1720 wrote to memory of 776	1720	avscan.exe	32
PID 1676 wrote to memory of 612	1676	7006cb71ef9bd03b020f9b6b4a218f8ffbf883af5ee332422d0c81ad26f3552f.exe	33
PID 1676 wrote to memory of 612	1676	7006cb71ef9bd03b020f9b6b4a218f8ffbf883af5ee332422d0c81ad26f3552f.exe	33
PID 1676 wrote to memory of 612	1676	7006cb71ef9bd03b020f9b6b4a218f8ffbf883af5ee332422d0c81ad26f3552f.exe	33
PID 1676 wrote to memory of 612	1676	7006cb71ef9bd03b020f9b6b4a218f8ffbf883af5ee332422d0c81ad26f3552f.exe	33
PID 612 wrote to memory of 1072	612	cmd.exe	37
PID 612 wrote to memory of 1072	612	cmd.exe	37
PID 612 wrote to memory of 1072	612	cmd.exe	37
PID 612 wrote to memory of 1072	612	cmd.exe	37
PID 776 wrote to memory of 1424	776	cmd.exe	36
PID 776 wrote to memory of 1424	776	cmd.exe	36
PID 776 wrote to memory of 1424	776	cmd.exe	36
PID 776 wrote to memory of 1424	776	cmd.exe	36
PID 1424 wrote to memory of 1932	1424	hosts.exe	38
PID 1424 wrote to memory of 1932	1424	hosts.exe	38
PID 1424 wrote to memory of 1932	1424	hosts.exe	38
PID 1424 wrote to memory of 1932	1424	hosts.exe	38
PID 612 wrote to memory of 1808	612	cmd.exe	39
PID 612 wrote to memory of 1808	612	cmd.exe	39
PID 612 wrote to memory of 1808	612	cmd.exe	39
PID 612 wrote to memory of 1808	612	cmd.exe	39
PID 776 wrote to memory of 1752	776	cmd.exe	40
PID 776 wrote to memory of 1752	776	cmd.exe	40
PID 776 wrote to memory of 1752	776	cmd.exe	40
PID 776 wrote to memory of 1752	776	cmd.exe	40
PID 1424 wrote to memory of 2000	1424	hosts.exe	41
PID 1424 wrote to memory of 2000	1424	hosts.exe	41
PID 1424 wrote to memory of 2000	1424	hosts.exe	41
PID 1424 wrote to memory of 2000	1424	hosts.exe	41
PID 2000 wrote to memory of 632	2000	cmd.exe	43
PID 2000 wrote to memory of 632	2000	cmd.exe	43
PID 2000 wrote to memory of 632	2000	cmd.exe	43
PID 2000 wrote to memory of 632	2000	cmd.exe	43
PID 2000 wrote to memory of 1640	2000	cmd.exe	44
PID 2000 wrote to memory of 1640	2000	cmd.exe	44
PID 2000 wrote to memory of 1640	2000	cmd.exe	44
PID 2000 wrote to memory of 1640	2000	cmd.exe	44
PID 1720 wrote to memory of 1400	1720	avscan.exe	45
PID 1720 wrote to memory of 1400	1720	avscan.exe	45
PID 1720 wrote to memory of 1400	1720	avscan.exe	45
PID 1720 wrote to memory of 1400	1720	avscan.exe	45
PID 1424 wrote to memory of 1748	1424	hosts.exe	47
PID 1424 wrote to memory of 1748	1424	hosts.exe	47
PID 1424 wrote to memory of 1748	1424	hosts.exe	47
PID 1424 wrote to memory of 1748	1424	hosts.exe	47
PID 1720 wrote to memory of 964	1720	avscan.exe	49
PID 1720 wrote to memory of 964	1720	avscan.exe	49
PID 1720 wrote to memory of 964	1720	avscan.exe	49
PID 1720 wrote to memory of 964	1720	avscan.exe	49

C:\Users\Admin\AppData\Local\Temp\7006cb71ef9bd03b020f9b6b4a218f8ffbf883af5ee332422d0c81ad26f3552f.exe
"C:\Users\Admin\AppData\Local\Temp\7006cb71ef9bd03b020f9b6b4a218f8ffbf883af5ee332422d0c81ad26f3552f.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:1076
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:868
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:776
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1424
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1932
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\W_X_C.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2000
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:632
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:1640
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1748
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1176
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:2024
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1072
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:1752
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1400
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:964
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:2040
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:612
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1072
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:1808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
764KB

MD5
5c47bb3cbe9a1c7ee9c62bca43717f45

SHA1
2319aa901ff1ecfe2f069efb8ce329df14135660

SHA256
fff3cfd665abdd9d6867b9f73eca7ea810d89278d4813cdf480745144fab7c0f

SHA512
9fc38b4c21649f6ee9e2f839570a67350500ff90910ed026b30aa1dbee451ec02cdef59dc18a01c5c3967daeef6f56fd2f37d72a3d65dfcb8a08bcce10385684

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.1MB

MD5
1526713af080f962c085630127b43451

SHA1
86a25be102ddb7a926083d3519f046643cdce4b7

SHA256
958b1b4c2ca732df551746cf628e81252734f1ce53afae51a3f533ace00a9588

SHA512
3ada3dd1cd76acdb86ce79af88ce2a5008dbc4f71775eaaeef5b411d7c0a244dfeb0a48800132382587030d3c47c34ea07fd57d104e08a1db4e33434fa966ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.1MB

MD5
1526713af080f962c085630127b43451

SHA1
86a25be102ddb7a926083d3519f046643cdce4b7

SHA256
958b1b4c2ca732df551746cf628e81252734f1ce53afae51a3f533ace00a9588

SHA512
3ada3dd1cd76acdb86ce79af88ce2a5008dbc4f71775eaaeef5b411d7c0a244dfeb0a48800132382587030d3c47c34ea07fd57d104e08a1db4e33434fa966ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.1MB

MD5
74471de2b17f37ec093e41b9c7fb4b22

SHA1
1eabad6213b2206af086f8cec558f26e55e12488

SHA256
ffabf3ae2079d290e32a3f9a6e00bbf3884162ba30f5a6b057a75ff1fa644c69

SHA512
64fbff6ce335025614a87732fe7aaac9b1d50a8a9704b4cd5045ac64e55774cb71294d9f561a00dfd384c689e818be2a2f17d1b9a8d2eb6454f54f9c19d947ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.8MB

MD5
6dacee50622094c491e1e9f1c2f492ef

SHA1
4fb46e6f9caefd34fe27c11278fd322b8847b128

SHA256
39519e278126224f2ad1b82aea039ca5b471f51c9e991b5f14a19a337d1eee1e

SHA512
d544ec0ac27c8937e6ec4f6e33c9ac066547a8453fd7f9b12a8e508b52b53a8d0bb355a0f68b1c91ba07cddeb399f3d3b61db3cee76800192b4a881331e8dbe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.8MB

MD5
3737f56e7d2b21b7ade5a1526091171f

SHA1
23d74bfc1c18d9b3230fbde9a16a5b14fce8aed3

SHA256
fec94850395f8ecd61298ff6c74257dca44fd53e66863f2c8b3b490ef88054a7

SHA512
516cd06d7a4894487f284a3ca7c2c898d79370d341710b7f0dc5aedb7e4ea8c72f3c3e1e01fd45eff1efc70d12272afc8d7ebbb186c1576ca42c5dcfc552c993

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
358KB

MD5
4078b6ca619a4991b3e44c0cec41b28e

SHA1
6f511f9a1fe66304ec2f32e666bac6e5311aed5b

SHA256
87c5de272439e4ed7a9db72b85d295386fac4b426dfd7db454e63356cb444d28

SHA512
9871e5fe1fca4cf9bfd370cbabd70bb77e47422905d5bfb43876ff2d7dbb6cf1525a2e1d58a8f265e35ece8b063ac0334718b7d11dea3c7a7544e80f8279e679

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
358KB

MD5
4078b6ca619a4991b3e44c0cec41b28e

SHA1
6f511f9a1fe66304ec2f32e666bac6e5311aed5b

SHA256
87c5de272439e4ed7a9db72b85d295386fac4b426dfd7db454e63356cb444d28

SHA512
9871e5fe1fca4cf9bfd370cbabd70bb77e47422905d5bfb43876ff2d7dbb6cf1525a2e1d58a8f265e35ece8b063ac0334718b7d11dea3c7a7544e80f8279e679

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
358KB

MD5
4078b6ca619a4991b3e44c0cec41b28e

SHA1
6f511f9a1fe66304ec2f32e666bac6e5311aed5b

SHA256
87c5de272439e4ed7a9db72b85d295386fac4b426dfd7db454e63356cb444d28

SHA512
9871e5fe1fca4cf9bfd370cbabd70bb77e47422905d5bfb43876ff2d7dbb6cf1525a2e1d58a8f265e35ece8b063ac0334718b7d11dea3c7a7544e80f8279e679

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
358KB

MD5
4078b6ca619a4991b3e44c0cec41b28e

SHA1
6f511f9a1fe66304ec2f32e666bac6e5311aed5b

SHA256
87c5de272439e4ed7a9db72b85d295386fac4b426dfd7db454e63356cb444d28

SHA512
9871e5fe1fca4cf9bfd370cbabd70bb77e47422905d5bfb43876ff2d7dbb6cf1525a2e1d58a8f265e35ece8b063ac0334718b7d11dea3c7a7544e80f8279e679

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
9eb0c6074d8e54f7da6508b5f6809e78

SHA1
61f003a28c45377e9fc641a0dd1382e6931c11f0

SHA256
df6f01f8c7c5ad4b1e66d19309ad60f0189bc607d7a07c184d9d94abd29c3ee8

SHA512
f6db15038cf4312647c59574cf2352c132c36cd060293977427b719066e5519838c6fed059d3a1d4e3277b575d9132d29d150c45cebd8a3852e705f3297f6d08

Download Submit
C:\Windows\hosts.exe

Filesize
358KB

MD5
f9725a0e0be72b9738e7923ac4f7d17c

SHA1
81e2bcd103e911c36bfa87ad9ca2a86fccbdcd58

SHA256
4f03491bd7dfbad8344de6379161f0227d4008c6b584d27e2c929fffc7a171ca

SHA512
6306be175b72552a64acbd4aa4e36145d193d17255a41cb3242b27d826b64fa36456b859eaeadfdceb3656a99874cc0c2c348df1d8686dec094fe97e20cec87c

Download Submit
C:\Windows\hosts.exe

Filesize
358KB

MD5
f9725a0e0be72b9738e7923ac4f7d17c

SHA1
81e2bcd103e911c36bfa87ad9ca2a86fccbdcd58

SHA256
4f03491bd7dfbad8344de6379161f0227d4008c6b584d27e2c929fffc7a171ca

SHA512
6306be175b72552a64acbd4aa4e36145d193d17255a41cb3242b27d826b64fa36456b859eaeadfdceb3656a99874cc0c2c348df1d8686dec094fe97e20cec87c

Download Submit
C:\Windows\hosts.exe

Filesize
358KB

MD5
f9725a0e0be72b9738e7923ac4f7d17c

SHA1
81e2bcd103e911c36bfa87ad9ca2a86fccbdcd58

SHA256
4f03491bd7dfbad8344de6379161f0227d4008c6b584d27e2c929fffc7a171ca

SHA512
6306be175b72552a64acbd4aa4e36145d193d17255a41cb3242b27d826b64fa36456b859eaeadfdceb3656a99874cc0c2c348df1d8686dec094fe97e20cec87c

Download Submit
C:\Windows\hosts.exe

Filesize
358KB

MD5
f9725a0e0be72b9738e7923ac4f7d17c

SHA1
81e2bcd103e911c36bfa87ad9ca2a86fccbdcd58

SHA256
4f03491bd7dfbad8344de6379161f0227d4008c6b584d27e2c929fffc7a171ca

SHA512
6306be175b72552a64acbd4aa4e36145d193d17255a41cb3242b27d826b64fa36456b859eaeadfdceb3656a99874cc0c2c348df1d8686dec094fe97e20cec87c

Download Submit
C:\windows\hosts.exe

Filesize
358KB

MD5
f9725a0e0be72b9738e7923ac4f7d17c

SHA1
81e2bcd103e911c36bfa87ad9ca2a86fccbdcd58

SHA256
4f03491bd7dfbad8344de6379161f0227d4008c6b584d27e2c929fffc7a171ca

SHA512
6306be175b72552a64acbd4aa4e36145d193d17255a41cb3242b27d826b64fa36456b859eaeadfdceb3656a99874cc0c2c348df1d8686dec094fe97e20cec87c

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
358KB

MD5
4078b6ca619a4991b3e44c0cec41b28e

SHA1
6f511f9a1fe66304ec2f32e666bac6e5311aed5b

SHA256
87c5de272439e4ed7a9db72b85d295386fac4b426dfd7db454e63356cb444d28

SHA512
9871e5fe1fca4cf9bfd370cbabd70bb77e47422905d5bfb43876ff2d7dbb6cf1525a2e1d58a8f265e35ece8b063ac0334718b7d11dea3c7a7544e80f8279e679

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
358KB

MD5
4078b6ca619a4991b3e44c0cec41b28e

SHA1
6f511f9a1fe66304ec2f32e666bac6e5311aed5b

SHA256
87c5de272439e4ed7a9db72b85d295386fac4b426dfd7db454e63356cb444d28

SHA512
9871e5fe1fca4cf9bfd370cbabd70bb77e47422905d5bfb43876ff2d7dbb6cf1525a2e1d58a8f265e35ece8b063ac0334718b7d11dea3c7a7544e80f8279e679

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
358KB

MD5
4078b6ca619a4991b3e44c0cec41b28e

SHA1
6f511f9a1fe66304ec2f32e666bac6e5311aed5b

SHA256
87c5de272439e4ed7a9db72b85d295386fac4b426dfd7db454e63356cb444d28

SHA512
9871e5fe1fca4cf9bfd370cbabd70bb77e47422905d5bfb43876ff2d7dbb6cf1525a2e1d58a8f265e35ece8b063ac0334718b7d11dea3c7a7544e80f8279e679

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
358KB

MD5
4078b6ca619a4991b3e44c0cec41b28e

SHA1
6f511f9a1fe66304ec2f32e666bac6e5311aed5b

SHA256
87c5de272439e4ed7a9db72b85d295386fac4b426dfd7db454e63356cb444d28

SHA512
9871e5fe1fca4cf9bfd370cbabd70bb77e47422905d5bfb43876ff2d7dbb6cf1525a2e1d58a8f265e35ece8b063ac0334718b7d11dea3c7a7544e80f8279e679

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
358KB

MD5
4078b6ca619a4991b3e44c0cec41b28e

SHA1
6f511f9a1fe66304ec2f32e666bac6e5311aed5b

SHA256
87c5de272439e4ed7a9db72b85d295386fac4b426dfd7db454e63356cb444d28

SHA512
9871e5fe1fca4cf9bfd370cbabd70bb77e47422905d5bfb43876ff2d7dbb6cf1525a2e1d58a8f265e35ece8b063ac0334718b7d11dea3c7a7544e80f8279e679

Download Submit
memory/1676-56-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download
memory/1676-58-0x00000000746F1000-0x00000000746F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads