32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee

Analysis

max time kernel
123s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
04/10/2022, 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe
Size

277KB
MD5

51df6c86fbfd306188018609adba4068
SHA1

6169ea83c701474374f08be9220e8a16fb628386
SHA256

32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee
SHA512

60ef0f212ff87b1fd2284e860360d746d410dcfa052d168babc867712d9d0ca2fb8fe5583118b5e29ff372e34dd1e501be24fa31fc112cb3c61bbf485e7d2c9f
SSDEEP

3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCmp+Mm1tfYBDjJFdrRlow2sRxDZc91HvHaHv:gDCwfG1bnxM1SF9FdbokZcvHm

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RYNKSFQE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RYNKSFQE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RYNKSFQE = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
676	avscan.exe
1888	avscan.exe
840	hosts.exe
1540	hosts.exe
1108	avscan.exe
1212	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
1168	32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe
1168	32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe
676	avscan.exe
840	hosts.exe
840	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\W_X_C.vbs	32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe
File created	\??\c:\windows\W_X_C.bat	32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe
File opened for modification	C:\Windows\hosts.exe	32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
1684	REG.exe
1028	REG.exe
956	REG.exe
548	REG.exe
320	REG.exe
1936	REG.exe
1768	REG.exe
1104	REG.exe
1628	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
676	avscan.exe
840	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1168	32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe
676	avscan.exe
1888	avscan.exe
840	hosts.exe
1540	hosts.exe
1108	avscan.exe
1212	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 1628	1168	32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe	27
PID 1168 wrote to memory of 1628	1168	32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe	27
PID 1168 wrote to memory of 1628	1168	32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe	27
PID 1168 wrote to memory of 1628	1168	32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe	27
PID 1168 wrote to memory of 676	1168	32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe	29
PID 1168 wrote to memory of 676	1168	32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe	29
PID 1168 wrote to memory of 676	1168	32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe	29
PID 1168 wrote to memory of 676	1168	32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe	29
PID 676 wrote to memory of 1888	676	avscan.exe	30
PID 676 wrote to memory of 1888	676	avscan.exe	30
PID 676 wrote to memory of 1888	676	avscan.exe	30
PID 676 wrote to memory of 1888	676	avscan.exe	30
PID 676 wrote to memory of 868	676	avscan.exe	31
PID 676 wrote to memory of 868	676	avscan.exe	31
PID 676 wrote to memory of 868	676	avscan.exe	31
PID 676 wrote to memory of 868	676	avscan.exe	31
PID 1168 wrote to memory of 984	1168	32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe	33
PID 1168 wrote to memory of 984	1168	32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe	33
PID 1168 wrote to memory of 984	1168	32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe	33
PID 1168 wrote to memory of 984	1168	32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe	33
PID 868 wrote to memory of 840	868	cmd.exe	36
PID 868 wrote to memory of 840	868	cmd.exe	36
PID 868 wrote to memory of 840	868	cmd.exe	36
PID 868 wrote to memory of 840	868	cmd.exe	36
PID 984 wrote to memory of 1540	984	cmd.exe	35
PID 984 wrote to memory of 1540	984	cmd.exe	35
PID 984 wrote to memory of 1540	984	cmd.exe	35
PID 984 wrote to memory of 1540	984	cmd.exe	35
PID 840 wrote to memory of 1108	840	hosts.exe	37
PID 840 wrote to memory of 1108	840	hosts.exe	37
PID 840 wrote to memory of 1108	840	hosts.exe	37
PID 840 wrote to memory of 1108	840	hosts.exe	37
PID 984 wrote to memory of 1908	984	cmd.exe	38
PID 984 wrote to memory of 1908	984	cmd.exe	38
PID 984 wrote to memory of 1908	984	cmd.exe	38
PID 984 wrote to memory of 1908	984	cmd.exe	38
PID 840 wrote to memory of 1800	840	hosts.exe	39
PID 840 wrote to memory of 1800	840	hosts.exe	39
PID 840 wrote to memory of 1800	840	hosts.exe	39
PID 840 wrote to memory of 1800	840	hosts.exe	39
PID 1800 wrote to memory of 1212	1800	cmd.exe	41
PID 1800 wrote to memory of 1212	1800	cmd.exe	41
PID 1800 wrote to memory of 1212	1800	cmd.exe	41
PID 1800 wrote to memory of 1212	1800	cmd.exe	41
PID 868 wrote to memory of 2020	868	cmd.exe	42
PID 868 wrote to memory of 2020	868	cmd.exe	42
PID 868 wrote to memory of 2020	868	cmd.exe	42
PID 868 wrote to memory of 2020	868	cmd.exe	42
PID 1800 wrote to memory of 1556	1800	cmd.exe	43
PID 1800 wrote to memory of 1556	1800	cmd.exe	43
PID 1800 wrote to memory of 1556	1800	cmd.exe	43
PID 1800 wrote to memory of 1556	1800	cmd.exe	43
PID 676 wrote to memory of 1028	676	avscan.exe	44
PID 676 wrote to memory of 1028	676	avscan.exe	44
PID 676 wrote to memory of 1028	676	avscan.exe	44
PID 676 wrote to memory of 1028	676	avscan.exe	44
PID 840 wrote to memory of 956	840	hosts.exe	46
PID 840 wrote to memory of 956	840	hosts.exe	46
PID 840 wrote to memory of 956	840	hosts.exe	46
PID 840 wrote to memory of 956	840	hosts.exe	46
PID 676 wrote to memory of 548	676	avscan.exe	48
PID 676 wrote to memory of 548	676	avscan.exe	48
PID 676 wrote to memory of 548	676	avscan.exe	48
PID 676 wrote to memory of 548	676	avscan.exe	48

C:\Users\Admin\AppData\Local\Temp\32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe
"C:\Users\Admin\AppData\Local\Temp\32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:1628
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:676
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1888
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:868
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:840
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1108
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\W_X_C.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1800
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1212
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:1556
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:956
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:320
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1684
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1104
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:2020
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1028
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:548
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1936
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:984
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1540
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:1908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
325KB

MD5
4288b51ecd9358d68f9f103c4160d832

SHA1
b1f098dd684426f223295c6f13e3fa4a53674b02

SHA256
5402ddb139cfb7794cdc8e69b1aa077202ae14da5e092a75ce4fc816a7089e20

SHA512
8d8b5641541012063d06e70c360aca48ab84fdb9d2b892d9919d8045936a99797a29a67a2639f519270fcbd1300cb4fbc6ec664c72fff113fe1ec8ce8a49aa3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
881KB

MD5
a21c5dd375863bd0cf2f941a419c9106

SHA1
458ad2edf8e1a1ca95a2c8dd6897aea4a8deaf34

SHA256
5fe125e6d8c004d45a1f77417ed0bce124a0856258a10199de304f862d454420

SHA512
d3d5c18c636317718e91b9cc782257f7c2002268c2bbc26dd574c3f3fc0b584014752ebf6cf3e14acd8635a3cac32c6f6883f43f0b2057ca34a1554259ef548a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.1MB

MD5
d14351df0aec7f759bbece7febf85d9d

SHA1
1ee0e96345dcd75acb478ad4d574de7a5912ffa7

SHA256
68125b2cd4da6c26e37a1312cba6d135d02747ce4bc65e208d9f2b51717cb30f

SHA512
f8a1383bea60aa7e14556e11c426f23f95cc1a45e9658d7b4842fc157e1c162b2ea224f9e60a490608ddea534186f97686adb247516e34ea9827753271c673e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.4MB

MD5
a113e2f08db06c7b11ade9ed2399e973

SHA1
bf7fe14f8cac962cdfef39bd4b0edb4904f1f222

SHA256
122671bf64cf2174f2b0dac1f367c7abde201ebb8c097f4e97b48c46b026bb1a

SHA512
540441c599f0115e9b9b7a79307e0307b6519739a8a87191a51f329a99489fcc067fdee22615d3a1bfaf1211c2f0cfde904e3737a96481ad875054e03faaded0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.7MB

MD5
0be7ceae2dc596237ac8192cde3807d5

SHA1
b424122eedde7bcad7f5b536a6a62528639ea705

SHA256
6eb945feb9a9c851e4a920aa4f4e9afedbf72ea0aaffdab2f82b66cb34f866cd

SHA512
73ede7385fc6e1c7fbdd8084e4fe3708013325d1714dbb823d6872bfbc8f712caed60df5c14de1aed07565725a861da3ca82e725d8cc0229dba09a16ececba69

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.2MB

MD5
94a2dab8cdf40543170078a16e3537d3

SHA1
5d2eed442268910f7f9664dce3cbe3a55692fba9

SHA256
cf93cdc5856ca1a10cbd209e7a325e83415a01e6f70e196934eabdfdb64bbb8a

SHA512
bb4f158a97605989332887dbae241c28c1957dee8e852b40b7c780005a1e07ef10ea331aefbfd47127b20f5a024943cbade651fb26e072d9397263c695eeae83

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.2MB

MD5
ccb10b5cd111f96f7c58483c382e8c18

SHA1
ac866afc549fe94d834a80397fe4f5643496be8d

SHA256
695d7139179c0f665370463bb568f5a8f55f1d9608c2c61032629b7524cf1839

SHA512
1139b1ccf9b0b485611b0fb755d5cfe6ab0c289e3c56e58a23d08a184f9f6bd29d6305cd68e8ea77c01bacdc3d669c44584d1ef8b8d9f94dc735a0ff2c300c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
277KB

MD5
15c5dbfa6093a18aa9be561a19f8eec6

SHA1
9dd644df9aa81240f4ffc92cfe1172646414486f

SHA256
5381ea9d0a1c2bad690a394484e978f7bee70d929fe828f863e56f1c25c8eb91

SHA512
6f54abfbb0800e3114cc382977f8eab64160137e0316f4055d90b17e04a9f276b9a8673c50615ab2329dc102606741b78bc672e40e278031ca2cd3bd9a7d7078

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
277KB

MD5
15c5dbfa6093a18aa9be561a19f8eec6

SHA1
9dd644df9aa81240f4ffc92cfe1172646414486f

SHA256
5381ea9d0a1c2bad690a394484e978f7bee70d929fe828f863e56f1c25c8eb91

SHA512
6f54abfbb0800e3114cc382977f8eab64160137e0316f4055d90b17e04a9f276b9a8673c50615ab2329dc102606741b78bc672e40e278031ca2cd3bd9a7d7078

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
277KB

MD5
15c5dbfa6093a18aa9be561a19f8eec6

SHA1
9dd644df9aa81240f4ffc92cfe1172646414486f

SHA256
5381ea9d0a1c2bad690a394484e978f7bee70d929fe828f863e56f1c25c8eb91

SHA512
6f54abfbb0800e3114cc382977f8eab64160137e0316f4055d90b17e04a9f276b9a8673c50615ab2329dc102606741b78bc672e40e278031ca2cd3bd9a7d7078

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
277KB

MD5
15c5dbfa6093a18aa9be561a19f8eec6

SHA1
9dd644df9aa81240f4ffc92cfe1172646414486f

SHA256
5381ea9d0a1c2bad690a394484e978f7bee70d929fe828f863e56f1c25c8eb91

SHA512
6f54abfbb0800e3114cc382977f8eab64160137e0316f4055d90b17e04a9f276b9a8673c50615ab2329dc102606741b78bc672e40e278031ca2cd3bd9a7d7078

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
8efab902a61f6cddc318bb5818c2f2e0

SHA1
9608751279ae04ba710d84c61e3937c12950b393

SHA256
a81d0e86c651ead3e4d9c7f64e637006e787c81c8ba3e784648c2786306bfb87

SHA512
aabd0e45609a39584c68c35e16124b399e9a4932bf6c98c22aa8c6ff71b2fbfc80333102960fcfca1abb38b344245f9cdf4cdc0c827c48235f618011a5fbfe18

Download Submit
C:\Windows\hosts.exe

Filesize
277KB

MD5
3ed602ed2a3a967dd822d1d996975bd6

SHA1
14a84ed325a1121f9159ba8664e2ba87cc36f5d7

SHA256
1571e19252e22aa7ebe0d094146564abdf8fc38e4cfb2844b9691463c6d9eca4

SHA512
f550c673b429bce889404dbd89bd59644e94bf4793108151bc85dc40300c2df4cc052a1ccc2c575d3e3ef6b66e3d2a4f11cff62b07c5c8042104fd6cdd2ecd67

Download Submit
C:\Windows\hosts.exe

Filesize
277KB

MD5
3ed602ed2a3a967dd822d1d996975bd6

SHA1
14a84ed325a1121f9159ba8664e2ba87cc36f5d7

SHA256
1571e19252e22aa7ebe0d094146564abdf8fc38e4cfb2844b9691463c6d9eca4

SHA512
f550c673b429bce889404dbd89bd59644e94bf4793108151bc85dc40300c2df4cc052a1ccc2c575d3e3ef6b66e3d2a4f11cff62b07c5c8042104fd6cdd2ecd67

Download Submit
C:\Windows\hosts.exe

Filesize
277KB

MD5
3ed602ed2a3a967dd822d1d996975bd6

SHA1
14a84ed325a1121f9159ba8664e2ba87cc36f5d7

SHA256
1571e19252e22aa7ebe0d094146564abdf8fc38e4cfb2844b9691463c6d9eca4

SHA512
f550c673b429bce889404dbd89bd59644e94bf4793108151bc85dc40300c2df4cc052a1ccc2c575d3e3ef6b66e3d2a4f11cff62b07c5c8042104fd6cdd2ecd67

Download Submit
C:\Windows\hosts.exe

Filesize
277KB

MD5
3ed602ed2a3a967dd822d1d996975bd6

SHA1
14a84ed325a1121f9159ba8664e2ba87cc36f5d7

SHA256
1571e19252e22aa7ebe0d094146564abdf8fc38e4cfb2844b9691463c6d9eca4

SHA512
f550c673b429bce889404dbd89bd59644e94bf4793108151bc85dc40300c2df4cc052a1ccc2c575d3e3ef6b66e3d2a4f11cff62b07c5c8042104fd6cdd2ecd67

Download Submit
C:\windows\hosts.exe

Filesize
277KB

MD5
3ed602ed2a3a967dd822d1d996975bd6

SHA1
14a84ed325a1121f9159ba8664e2ba87cc36f5d7

SHA256
1571e19252e22aa7ebe0d094146564abdf8fc38e4cfb2844b9691463c6d9eca4

SHA512
f550c673b429bce889404dbd89bd59644e94bf4793108151bc85dc40300c2df4cc052a1ccc2c575d3e3ef6b66e3d2a4f11cff62b07c5c8042104fd6cdd2ecd67

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
277KB

MD5
15c5dbfa6093a18aa9be561a19f8eec6

SHA1
9dd644df9aa81240f4ffc92cfe1172646414486f

SHA256
5381ea9d0a1c2bad690a394484e978f7bee70d929fe828f863e56f1c25c8eb91

SHA512
6f54abfbb0800e3114cc382977f8eab64160137e0316f4055d90b17e04a9f276b9a8673c50615ab2329dc102606741b78bc672e40e278031ca2cd3bd9a7d7078

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
277KB

MD5
15c5dbfa6093a18aa9be561a19f8eec6

SHA1
9dd644df9aa81240f4ffc92cfe1172646414486f

SHA256
5381ea9d0a1c2bad690a394484e978f7bee70d929fe828f863e56f1c25c8eb91

SHA512
6f54abfbb0800e3114cc382977f8eab64160137e0316f4055d90b17e04a9f276b9a8673c50615ab2329dc102606741b78bc672e40e278031ca2cd3bd9a7d7078

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
277KB

MD5
15c5dbfa6093a18aa9be561a19f8eec6

SHA1
9dd644df9aa81240f4ffc92cfe1172646414486f

SHA256
5381ea9d0a1c2bad690a394484e978f7bee70d929fe828f863e56f1c25c8eb91

SHA512
6f54abfbb0800e3114cc382977f8eab64160137e0316f4055d90b17e04a9f276b9a8673c50615ab2329dc102606741b78bc672e40e278031ca2cd3bd9a7d7078

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
277KB

MD5
15c5dbfa6093a18aa9be561a19f8eec6

SHA1
9dd644df9aa81240f4ffc92cfe1172646414486f

SHA256
5381ea9d0a1c2bad690a394484e978f7bee70d929fe828f863e56f1c25c8eb91

SHA512
6f54abfbb0800e3114cc382977f8eab64160137e0316f4055d90b17e04a9f276b9a8673c50615ab2329dc102606741b78bc672e40e278031ca2cd3bd9a7d7078

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
277KB

MD5
15c5dbfa6093a18aa9be561a19f8eec6

SHA1
9dd644df9aa81240f4ffc92cfe1172646414486f

SHA256
5381ea9d0a1c2bad690a394484e978f7bee70d929fe828f863e56f1c25c8eb91

SHA512
6f54abfbb0800e3114cc382977f8eab64160137e0316f4055d90b17e04a9f276b9a8673c50615ab2329dc102606741b78bc672e40e278031ca2cd3bd9a7d7078

Download Submit
memory/1168-56-0x00000000760E1000-0x00000000760E3000-memory.dmp

Filesize
8KB

Download
memory/1168-58-0x00000000745E1000-0x00000000745E3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads