3facc445894405f975ef70d3993f6d02c7fe3d143e5ee363bb7d578c6abb0db1

Analysis

max time kernel
127s
max time network
51s
platform
windows7_x64
resource
win7v20210408
submitted
13-05-2021 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3facc445894405f975ef70d3993f6d02c7fe3d143e5ee363bb7d578c6abb0db1.exe
Size

375KB
MD5

bc22725a285b7498e1b6389462cc59b4
SHA1

f87eee2da7ed9e90fba9453138e57bb983910be0
SHA256

3facc445894405f975ef70d3993f6d02c7fe3d143e5ee363bb7d578c6abb0db1
SHA512

39b73760ddd3bca6654beb7afdbbe94035a6f07eccc4bac9a64261dba67228b86115d213ec69c89d9b68b5b910a0bb70c6f77d52f811367fe207475a38c5783e

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exeWScript.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\QWOCTUPM = "W_X_C.bat"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\QWOCTUPM = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\QWOCTUPM = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

Processes:

avscan.exeavscan.exehosts.exehosts.exeavscan.exehosts.exe

pid process

1680 avscan.exe
1452 avscan.exe
1188 hosts.exe
864 hosts.exe
452 avscan.exe
1664 hosts.exe

pid	process
1680	avscan.exe
1452	avscan.exe
1188	hosts.exe
864	hosts.exe
452	avscan.exe
1664	hosts.exe

Loads dropped DLL 5 IoCs

Processes:

3facc445894405f975ef70d3993f6d02c7fe3d143e5ee363bb7d578c6abb0db1.exeavscan.exehosts.exe

pid	process
1840	3facc445894405f975ef70d3993f6d02c7fe3d143e5ee363bb7d578c6abb0db1.exe
1840	3facc445894405f975ef70d3993f6d02c7fe3d143e5ee363bb7d578c6abb0db1.exe
1680	avscan.exe
1188	hosts.exe
1188	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3facc445894405f975ef70d3993f6d02c7fe3d143e5ee363bb7d578c6abb0db1.exeavscan.exehosts.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	3facc445894405f975ef70d3993f6d02c7fe3d143e5ee363bb7d578c6abb0db1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	3facc445894405f975ef70d3993f6d02c7fe3d143e5ee363bb7d578c6abb0db1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe

Drops file in Windows directory 5 IoCs

Processes:

3facc445894405f975ef70d3993f6d02c7fe3d143e5ee363bb7d578c6abb0db1.exeavscan.exehosts.exe

description	ioc	process
File created	C:\windows\W_X_C.vbs	3facc445894405f975ef70d3993f6d02c7fe3d143e5ee363bb7d578c6abb0db1.exe
File created	\??\c:\windows\W_X_C.bat	3facc445894405f975ef70d3993f6d02c7fe3d143e5ee363bb7d578c6abb0db1.exe
File opened for modification	C:\Windows\hosts.exe	3facc445894405f975ef70d3993f6d02c7fe3d143e5ee363bb7d578c6abb0db1.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

REG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exe

pid process

1988 REG.exe
1512 REG.exe
1688 REG.exe
1012 REG.exe
880 REG.exe
336 REG.exe
1648 REG.exe
1032 REG.exe
1664 REG.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

avscan.exehosts.exe

pid process

1680 avscan.exe
1188 hosts.exe

pid	process
1988	REG.exe
1512	REG.exe
1688	REG.exe
1012	REG.exe
880	REG.exe
336	REG.exe
1648	REG.exe
1032	REG.exe
1664	REG.exe

pid	process
1680	avscan.exe
1188	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

3facc445894405f975ef70d3993f6d02c7fe3d143e5ee363bb7d578c6abb0db1.exeavscan.exeavscan.exehosts.exehosts.exeavscan.exehosts.exe

pid	process
1840	3facc445894405f975ef70d3993f6d02c7fe3d143e5ee363bb7d578c6abb0db1.exe
1680	avscan.exe
1452	avscan.exe
864	hosts.exe
1188	hosts.exe
452	avscan.exe
1664	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3facc445894405f975ef70d3993f6d02c7fe3d143e5ee363bb7d578c6abb0db1.exeavscan.execmd.execmd.exehosts.execmd.exe

description	pid	process	target process
PID 1840 wrote to memory of 1988	1840	3facc445894405f975ef70d3993f6d02c7fe3d143e5ee363bb7d578c6abb0db1.exe	REG.exe
PID 1840 wrote to memory of 1988	1840	3facc445894405f975ef70d3993f6d02c7fe3d143e5ee363bb7d578c6abb0db1.exe	REG.exe
PID 1840 wrote to memory of 1988	1840	3facc445894405f975ef70d3993f6d02c7fe3d143e5ee363bb7d578c6abb0db1.exe	REG.exe
PID 1840 wrote to memory of 1988	1840	3facc445894405f975ef70d3993f6d02c7fe3d143e5ee363bb7d578c6abb0db1.exe	REG.exe
PID 1840 wrote to memory of 1680	1840	3facc445894405f975ef70d3993f6d02c7fe3d143e5ee363bb7d578c6abb0db1.exe	avscan.exe
PID 1840 wrote to memory of 1680	1840	3facc445894405f975ef70d3993f6d02c7fe3d143e5ee363bb7d578c6abb0db1.exe	avscan.exe
PID 1840 wrote to memory of 1680	1840	3facc445894405f975ef70d3993f6d02c7fe3d143e5ee363bb7d578c6abb0db1.exe	avscan.exe
PID 1840 wrote to memory of 1680	1840	3facc445894405f975ef70d3993f6d02c7fe3d143e5ee363bb7d578c6abb0db1.exe	avscan.exe
PID 1680 wrote to memory of 1452	1680	avscan.exe	avscan.exe
PID 1680 wrote to memory of 1452	1680	avscan.exe	avscan.exe
PID 1680 wrote to memory of 1452	1680	avscan.exe	avscan.exe
PID 1680 wrote to memory of 1452	1680	avscan.exe	avscan.exe
PID 1680 wrote to memory of 1504	1680	avscan.exe	cmd.exe
PID 1680 wrote to memory of 1504	1680	avscan.exe	cmd.exe
PID 1680 wrote to memory of 1504	1680	avscan.exe	cmd.exe
PID 1680 wrote to memory of 1504	1680	avscan.exe	cmd.exe
PID 1840 wrote to memory of 1600	1840	3facc445894405f975ef70d3993f6d02c7fe3d143e5ee363bb7d578c6abb0db1.exe	cmd.exe
PID 1840 wrote to memory of 1600	1840	3facc445894405f975ef70d3993f6d02c7fe3d143e5ee363bb7d578c6abb0db1.exe	cmd.exe
PID 1840 wrote to memory of 1600	1840	3facc445894405f975ef70d3993f6d02c7fe3d143e5ee363bb7d578c6abb0db1.exe	cmd.exe
PID 1840 wrote to memory of 1600	1840	3facc445894405f975ef70d3993f6d02c7fe3d143e5ee363bb7d578c6abb0db1.exe	cmd.exe
PID 1600 wrote to memory of 1188	1600	cmd.exe	hosts.exe
PID 1600 wrote to memory of 1188	1600	cmd.exe	hosts.exe
PID 1600 wrote to memory of 1188	1600	cmd.exe	hosts.exe
PID 1600 wrote to memory of 1188	1600	cmd.exe	hosts.exe
PID 1504 wrote to memory of 864	1504	cmd.exe	hosts.exe
PID 1504 wrote to memory of 864	1504	cmd.exe	hosts.exe
PID 1504 wrote to memory of 864	1504	cmd.exe	hosts.exe
PID 1504 wrote to memory of 864	1504	cmd.exe	hosts.exe
PID 1188 wrote to memory of 452	1188	hosts.exe	avscan.exe
PID 1188 wrote to memory of 452	1188	hosts.exe	avscan.exe
PID 1188 wrote to memory of 452	1188	hosts.exe	avscan.exe
PID 1188 wrote to memory of 452	1188	hosts.exe	avscan.exe
PID 1188 wrote to memory of 1932	1188	hosts.exe	cmd.exe
PID 1188 wrote to memory of 1932	1188	hosts.exe	cmd.exe
PID 1188 wrote to memory of 1932	1188	hosts.exe	cmd.exe
PID 1188 wrote to memory of 1932	1188	hosts.exe	cmd.exe
PID 1504 wrote to memory of 924	1504	cmd.exe	WScript.exe
PID 1504 wrote to memory of 924	1504	cmd.exe	WScript.exe
PID 1504 wrote to memory of 924	1504	cmd.exe	WScript.exe
PID 1504 wrote to memory of 924	1504	cmd.exe	WScript.exe
PID 1600 wrote to memory of 1160	1600	cmd.exe	WScript.exe
PID 1600 wrote to memory of 1160	1600	cmd.exe	WScript.exe
PID 1600 wrote to memory of 1160	1600	cmd.exe	WScript.exe
PID 1600 wrote to memory of 1160	1600	cmd.exe	WScript.exe
PID 1932 wrote to memory of 1664	1932	cmd.exe	hosts.exe
PID 1932 wrote to memory of 1664	1932	cmd.exe	hosts.exe
PID 1932 wrote to memory of 1664	1932	cmd.exe	hosts.exe
PID 1932 wrote to memory of 1664	1932	cmd.exe	hosts.exe
PID 1932 wrote to memory of 800	1932	cmd.exe	WScript.exe
PID 1932 wrote to memory of 800	1932	cmd.exe	WScript.exe
PID 1932 wrote to memory of 800	1932	cmd.exe	WScript.exe
PID 1932 wrote to memory of 800	1932	cmd.exe	WScript.exe
PID 1680 wrote to memory of 336	1680	avscan.exe	REG.exe
PID 1680 wrote to memory of 336	1680	avscan.exe	REG.exe
PID 1680 wrote to memory of 336	1680	avscan.exe	REG.exe
PID 1680 wrote to memory of 336	1680	avscan.exe	REG.exe
PID 1188 wrote to memory of 1648	1188	hosts.exe	REG.exe
PID 1188 wrote to memory of 1648	1188	hosts.exe	REG.exe
PID 1188 wrote to memory of 1648	1188	hosts.exe	REG.exe
PID 1188 wrote to memory of 1648	1188	hosts.exe	REG.exe
PID 1680 wrote to memory of 1512	1680	avscan.exe	REG.exe
PID 1680 wrote to memory of 1512	1680	avscan.exe	REG.exe
PID 1680 wrote to memory of 1512	1680	avscan.exe	REG.exe
PID 1680 wrote to memory of 1512	1680	avscan.exe	REG.exe

C:\Users\Admin\AppData\Local\Temp\3facc445894405f975ef70d3993f6d02c7fe3d143e5ee363bb7d578c6abb0db1.exe
"C:\Users\Admin\AppData\Local\Temp\3facc445894405f975ef70d3993f6d02c7fe3d143e5ee363bb7d578c6abb0db1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
2⤵
- Modifies registry key
PID:1988

C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1680

C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1452

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1504

C:\windows\hosts.exe
C:\windows\hosts.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:864

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
4⤵
- Adds policy Run key to start application
PID:924

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
PID:336

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
PID:1512

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
PID:1012

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
PID:1664

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1600

C:\windows\hosts.exe
C:\windows\hosts.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1188

C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:452

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:1932

C:\windows\hosts.exe
C:\windows\hosts.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1664

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
5⤵
- Adds policy Run key to start application
PID:800

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
4⤵
- Modifies registry key
PID:1648

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
4⤵
- Modifies registry key
PID:1688

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
4⤵
- Modifies registry key
PID:1032

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
4⤵
- Modifies registry key
PID:880

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
3⤵
- Adds policy Run key to start application
PID:1160

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp
MD5
972cf459337a47ebcb0110dfe7df1ab3

SHA1
afcd0abde95ac11e98b6cc2c61ebc740ea3f38b5

SHA256
a3889202b0f6c4fa5be53f4cd38cdab8d0782df67a6f266a776ae316659b5633

SHA512
ff5ee43d665ab44fa920a5cb23ad648ff7b71afd2f63ec00a464f1822ad85495e3417ee239c2726fc2ea2fa717896d8f918748300e3bd05a7cbf56464a7e9f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
MD5
ceea5fcc6d0ff9da8f20a478f27ba7ee

SHA1
1f25cc9459f24ff5f51fcec21a2d07b2eba90d08

SHA256
3b1a94582e94b76591bad2ed78678502b7e177ab842a8b08eb843b7ef6f03d74

SHA512
3f9db23c7d48bb638ee342f3daa96ca81a24e615e3da7a3d9b2fe1ce0e45cdd85b8cf70774221aa3b2a63a404efcbc7f47b4e9f4d98fcfb5b2e26f0b3a8457cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
MD5
6a368d3a958cd320e866200522a6ff7a

SHA1
d0694026939d3ee6446f64c55fef9afc745b78c4

SHA256
e6a5aa0656bde644d7d0065d8d634cb0a8537e065d37c502d4bc532d58cd27d4

SHA512
d4ee7907f4ddb3426097e89e8f46b0fe8c59bcc6e6e637adea366f96e4b35f6e9f75970e1e1707db2dc348515c4ed52b9d0cd0c0832ae834c319bde32cbc76fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
MD5
e943ca7794801eb90ce0163435bf926b

SHA1
9ca4b6bd9b7eebea01a177f9458416bb56d74d1f

SHA256
a79fff7dd1e2d7dadccbb05e44ba72afd713110173eb8e6293090bfaeda93f24

SHA512
a9d07e4e4ea190482543924deabd23c6f695c70cfc07c46d7d8c24337ca14afb3c1459a373acc9f606979f0132fca56adf9be0b58fa40977df3c14eb2025784b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
MD5
bee9deb722d4bd2662bcaf7b9ae3d910

SHA1
16f72ae6a5ed55bdc4e725b45faea9630b753909

SHA256
7617576156a41790daa319fa21337fbfe6e94e721d692645f5910eaa25f66f82

SHA512
1f59ac593981da00533411f24febbfc310424d030cce102a47aa070661c2ef4300ec951aa322f43ed72103ed3754b6e7770953c706dc56d83f841c378026026e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
MD5
df54117032108d1c4c06aad7994a7511

SHA1
49d94c01e368a6e58556b5afb14f372de63e2f00

SHA256
7321bb7c0cfe256e921b82912bbcda4bf852d1890131c66f3fd44162e74eedca

SHA512
5fb7095b93bc1866fd5d101217ca3e170aa1bb9ebeeaffdf0a82e87d6f4bacbeb104b0d0f2536fae45155978de94789a1c10fcc71e976a4bff4eba1f48ddf658

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
MD5
abf2d81fa7ee92e27c646af8faede8d4

SHA1
2a3ec3aee725e6d15eb61a5c0e640293e4b9c950

SHA256
4ad6a135bf200138491751d612d414bfdae8cf7235af0abc1d385d1748015e60

SHA512
573d129f46381cb8166487c35e96f7fb231ea1751fc40da0e380e2f88f3493d614dab07088d5117108ef8d1495c704b96fcbd9c5d854ae14eef235bce6c96d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe
MD5
817f292217639843e7cb4a5b8528ed83

SHA1
a91290306e8426b415779854c1230e4a04d1bfe8

SHA256
e0ece1a2c53e892ad822fbbf8c84970ad7405f3610e5df12cdeff35ea0b16938

SHA512
62035f109c9ff3ca78b02768867f0665d8750c03d4d941a0a7c9ad14e2951742782c1894135516e39fa80af6f70c522742ea87136cb901d3919a160814c9b85f

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe
MD5
817f292217639843e7cb4a5b8528ed83

SHA1
a91290306e8426b415779854c1230e4a04d1bfe8

SHA256
e0ece1a2c53e892ad822fbbf8c84970ad7405f3610e5df12cdeff35ea0b16938

SHA512
62035f109c9ff3ca78b02768867f0665d8750c03d4d941a0a7c9ad14e2951742782c1894135516e39fa80af6f70c522742ea87136cb901d3919a160814c9b85f

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe
MD5
817f292217639843e7cb4a5b8528ed83

SHA1
a91290306e8426b415779854c1230e4a04d1bfe8

SHA256
e0ece1a2c53e892ad822fbbf8c84970ad7405f3610e5df12cdeff35ea0b16938

SHA512
62035f109c9ff3ca78b02768867f0665d8750c03d4d941a0a7c9ad14e2951742782c1894135516e39fa80af6f70c522742ea87136cb901d3919a160814c9b85f

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe
MD5
817f292217639843e7cb4a5b8528ed83

SHA1
a91290306e8426b415779854c1230e4a04d1bfe8

SHA256
e0ece1a2c53e892ad822fbbf8c84970ad7405f3610e5df12cdeff35ea0b16938

SHA512
62035f109c9ff3ca78b02768867f0665d8750c03d4d941a0a7c9ad14e2951742782c1894135516e39fa80af6f70c522742ea87136cb901d3919a160814c9b85f

Download Submit
C:\Windows\W_X_C.vbs
MD5
c07e50e3569474ee860ffae64b53eb63

SHA1
9e01a9296097458ce32dbbe440e26f6050f1c807

SHA256
aada8080235b5cce6e29aee4c46056ca82494483751a4126d8beddc476bcfb89

SHA512
19b8a39bd143ef58f12263a811ea2fb016596898deb7a63cd7a38373f1d111474a6d7666e4d7e3921f11ea012b9f96501631ada353e065d3d1313ef4ebdb1888

Download Submit
C:\Windows\hosts.exe
MD5
23f39b8eb8fba77d0440b27353d4a538

SHA1
f8c900b6dabe6e4d34aee9ba239c693a2d25edb6

SHA256
1f876af26bc6303a4f216d8fd3b7deecd6a2dcfda9af3284bc8d8d196a21bb4f

SHA512
87ca46bd5b7b3d4f1710d5533bede5a5a4051ce67ce308d4204597931c49b2ac76252f51f4891bd07a3582d703efaf43ee8040d9ff9c9573af3852fa751e1eb7

Download Submit
C:\Windows\hosts.exe
MD5
23f39b8eb8fba77d0440b27353d4a538

SHA1
f8c900b6dabe6e4d34aee9ba239c693a2d25edb6

SHA256
1f876af26bc6303a4f216d8fd3b7deecd6a2dcfda9af3284bc8d8d196a21bb4f

SHA512
87ca46bd5b7b3d4f1710d5533bede5a5a4051ce67ce308d4204597931c49b2ac76252f51f4891bd07a3582d703efaf43ee8040d9ff9c9573af3852fa751e1eb7

Download Submit
C:\Windows\hosts.exe
MD5
23f39b8eb8fba77d0440b27353d4a538

SHA1
f8c900b6dabe6e4d34aee9ba239c693a2d25edb6

SHA256
1f876af26bc6303a4f216d8fd3b7deecd6a2dcfda9af3284bc8d8d196a21bb4f

SHA512
87ca46bd5b7b3d4f1710d5533bede5a5a4051ce67ce308d4204597931c49b2ac76252f51f4891bd07a3582d703efaf43ee8040d9ff9c9573af3852fa751e1eb7

Download Submit
C:\Windows\hosts.exe
MD5
23f39b8eb8fba77d0440b27353d4a538

SHA1
f8c900b6dabe6e4d34aee9ba239c693a2d25edb6

SHA256
1f876af26bc6303a4f216d8fd3b7deecd6a2dcfda9af3284bc8d8d196a21bb4f

SHA512
87ca46bd5b7b3d4f1710d5533bede5a5a4051ce67ce308d4204597931c49b2ac76252f51f4891bd07a3582d703efaf43ee8040d9ff9c9573af3852fa751e1eb7

Download Submit
C:\windows\hosts.exe
MD5
23f39b8eb8fba77d0440b27353d4a538

SHA1
f8c900b6dabe6e4d34aee9ba239c693a2d25edb6

SHA256
1f876af26bc6303a4f216d8fd3b7deecd6a2dcfda9af3284bc8d8d196a21bb4f

SHA512
87ca46bd5b7b3d4f1710d5533bede5a5a4051ce67ce308d4204597931c49b2ac76252f51f4891bd07a3582d703efaf43ee8040d9ff9c9573af3852fa751e1eb7

Download Submit
\??\c:\windows\W_X_C.bat
MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe
MD5
817f292217639843e7cb4a5b8528ed83

SHA1
a91290306e8426b415779854c1230e4a04d1bfe8

SHA256
e0ece1a2c53e892ad822fbbf8c84970ad7405f3610e5df12cdeff35ea0b16938

SHA512
62035f109c9ff3ca78b02768867f0665d8750c03d4d941a0a7c9ad14e2951742782c1894135516e39fa80af6f70c522742ea87136cb901d3919a160814c9b85f

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe
MD5
817f292217639843e7cb4a5b8528ed83

SHA1
a91290306e8426b415779854c1230e4a04d1bfe8

SHA256
e0ece1a2c53e892ad822fbbf8c84970ad7405f3610e5df12cdeff35ea0b16938

SHA512
62035f109c9ff3ca78b02768867f0665d8750c03d4d941a0a7c9ad14e2951742782c1894135516e39fa80af6f70c522742ea87136cb901d3919a160814c9b85f

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe
MD5
817f292217639843e7cb4a5b8528ed83

SHA1
a91290306e8426b415779854c1230e4a04d1bfe8

SHA256
e0ece1a2c53e892ad822fbbf8c84970ad7405f3610e5df12cdeff35ea0b16938

SHA512
62035f109c9ff3ca78b02768867f0665d8750c03d4d941a0a7c9ad14e2951742782c1894135516e39fa80af6f70c522742ea87136cb901d3919a160814c9b85f

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe
MD5
817f292217639843e7cb4a5b8528ed83

SHA1
a91290306e8426b415779854c1230e4a04d1bfe8

SHA256
e0ece1a2c53e892ad822fbbf8c84970ad7405f3610e5df12cdeff35ea0b16938

SHA512
62035f109c9ff3ca78b02768867f0665d8750c03d4d941a0a7c9ad14e2951742782c1894135516e39fa80af6f70c522742ea87136cb901d3919a160814c9b85f

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe
MD5
817f292217639843e7cb4a5b8528ed83

SHA1
a91290306e8426b415779854c1230e4a04d1bfe8

SHA256
e0ece1a2c53e892ad822fbbf8c84970ad7405f3610e5df12cdeff35ea0b16938

SHA512
62035f109c9ff3ca78b02768867f0665d8750c03d4d941a0a7c9ad14e2951742782c1894135516e39fa80af6f70c522742ea87136cb901d3919a160814c9b85f

Download Submit
memory/336-139-0x0000000000000000-mapping.dmp

Download
memory/452-112-0x0000000000000000-mapping.dmp

Download
memory/452-116-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/800-130-0x0000000000000000-mapping.dmp

Download
memory/864-93-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/864-90-0x0000000000000000-mapping.dmp

Download
memory/880-153-0x0000000000000000-mapping.dmp

Download
memory/924-121-0x0000000000000000-mapping.dmp

Download
memory/1012-147-0x0000000000000000-mapping.dmp

Download
memory/1032-149-0x0000000000000000-mapping.dmp

Download
memory/1160-122-0x0000000000000000-mapping.dmp

Download
memory/1188-89-0x0000000000000000-mapping.dmp

Download
memory/1188-94-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1452-79-0x0000000000000000-mapping.dmp

Download
memory/1452-81-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1504-86-0x0000000000000000-mapping.dmp

Download
memory/1512-143-0x0000000000000000-mapping.dmp

Download
memory/1600-87-0x0000000000000000-mapping.dmp

Download
memory/1648-141-0x0000000000000000-mapping.dmp

Download
memory/1664-151-0x0000000000000000-mapping.dmp

Download
memory/1664-123-0x0000000000000000-mapping.dmp

Download
memory/1664-126-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1680-72-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1680-70-0x0000000000000000-mapping.dmp

Download
memory/1688-145-0x0000000000000000-mapping.dmp

Download
memory/1840-66-0x0000000000401000-0x000000000041D000-memory.dmp

Filesize
112KB

Download
memory/1840-65-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/1840-64-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/1840-60-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1840-61-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1932-120-0x0000000000000000-mapping.dmp

Download
memory/1988-67-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads