0f82feba9e0a27ad85d50aa679d752be2bbd01a2da26288b0ea910d167dd5d4b

Analysis

max time kernel
125s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
21/10/2022, 02:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0f82feba9e0a27ad85d50aa679d752be2bbd01a2da26288b0ea910d167dd5d4b.exe
Size

175KB
MD5

72233adb99cb8500659a93deed9d93e7
SHA1

8c5e0775b9315c3815eb1eb4ed7b999499318c1a
SHA256

0f82feba9e0a27ad85d50aa679d752be2bbd01a2da26288b0ea910d167dd5d4b
SHA512

90375e23ac78d0319e3b58c663669c28599fbbfb5fe6f0b727b4525848c0c2d0f787cf4861c87f4de685ea0c1681bf4c4304729efdbf14f78700e3404e6cf207
SSDEEP

3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCmT47++M4lJiSp:gDCwfG1bnxM6+MIJ1

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	0f82feba9e0a27ad85d50aa679d752be2bbd01a2da26288b0ea910d167dd5d4b.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	0f82feba9e0a27ad85d50aa679d752be2bbd01a2da26288b0ea910d167dd5d4b.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RYNKSFQE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RYNKSFQE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RYNKSFQE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
1688	avscan.exe
1720	avscan.exe
1056	hosts.exe
680	hosts.exe
1916	avscan.exe
1800	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
1444	0f82feba9e0a27ad85d50aa679d752be2bbd01a2da26288b0ea910d167dd5d4b.exe
1444	0f82feba9e0a27ad85d50aa679d752be2bbd01a2da26288b0ea910d167dd5d4b.exe
1688	avscan.exe
1056	hosts.exe
1056	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	0f82feba9e0a27ad85d50aa679d752be2bbd01a2da26288b0ea910d167dd5d4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	0f82feba9e0a27ad85d50aa679d752be2bbd01a2da26288b0ea910d167dd5d4b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\W_X_C.vbs	0f82feba9e0a27ad85d50aa679d752be2bbd01a2da26288b0ea910d167dd5d4b.exe
File created	\??\c:\windows\W_X_C.bat	0f82feba9e0a27ad85d50aa679d752be2bbd01a2da26288b0ea910d167dd5d4b.exe
File opened for modification	C:\Windows\hosts.exe	0f82feba9e0a27ad85d50aa679d752be2bbd01a2da26288b0ea910d167dd5d4b.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
1088	REG.exe
516	REG.exe
1920	REG.exe
560	REG.exe
1116	REG.exe
1928	REG.exe
756	REG.exe
988	REG.exe
1148	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1688	avscan.exe
1056	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1444	0f82feba9e0a27ad85d50aa679d752be2bbd01a2da26288b0ea910d167dd5d4b.exe
1688	avscan.exe
1720	avscan.exe
1056	hosts.exe
680	hosts.exe
1916	avscan.exe
1800	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 1928	1444	0f82feba9e0a27ad85d50aa679d752be2bbd01a2da26288b0ea910d167dd5d4b.exe	27
PID 1444 wrote to memory of 1928	1444	0f82feba9e0a27ad85d50aa679d752be2bbd01a2da26288b0ea910d167dd5d4b.exe	27
PID 1444 wrote to memory of 1928	1444	0f82feba9e0a27ad85d50aa679d752be2bbd01a2da26288b0ea910d167dd5d4b.exe	27
PID 1444 wrote to memory of 1928	1444	0f82feba9e0a27ad85d50aa679d752be2bbd01a2da26288b0ea910d167dd5d4b.exe	27
PID 1444 wrote to memory of 1688	1444	0f82feba9e0a27ad85d50aa679d752be2bbd01a2da26288b0ea910d167dd5d4b.exe	29
PID 1444 wrote to memory of 1688	1444	0f82feba9e0a27ad85d50aa679d752be2bbd01a2da26288b0ea910d167dd5d4b.exe	29
PID 1444 wrote to memory of 1688	1444	0f82feba9e0a27ad85d50aa679d752be2bbd01a2da26288b0ea910d167dd5d4b.exe	29
PID 1444 wrote to memory of 1688	1444	0f82feba9e0a27ad85d50aa679d752be2bbd01a2da26288b0ea910d167dd5d4b.exe	29
PID 1688 wrote to memory of 1720	1688	avscan.exe	30
PID 1688 wrote to memory of 1720	1688	avscan.exe	30
PID 1688 wrote to memory of 1720	1688	avscan.exe	30
PID 1688 wrote to memory of 1720	1688	avscan.exe	30
PID 1688 wrote to memory of 772	1688	avscan.exe	31
PID 1688 wrote to memory of 772	1688	avscan.exe	31
PID 1688 wrote to memory of 772	1688	avscan.exe	31
PID 1688 wrote to memory of 772	1688	avscan.exe	31
PID 1444 wrote to memory of 536	1444	0f82feba9e0a27ad85d50aa679d752be2bbd01a2da26288b0ea910d167dd5d4b.exe	32
PID 1444 wrote to memory of 536	1444	0f82feba9e0a27ad85d50aa679d752be2bbd01a2da26288b0ea910d167dd5d4b.exe	32
PID 1444 wrote to memory of 536	1444	0f82feba9e0a27ad85d50aa679d752be2bbd01a2da26288b0ea910d167dd5d4b.exe	32
PID 1444 wrote to memory of 536	1444	0f82feba9e0a27ad85d50aa679d752be2bbd01a2da26288b0ea910d167dd5d4b.exe	32
PID 772 wrote to memory of 1056	772	cmd.exe	36
PID 772 wrote to memory of 1056	772	cmd.exe	36
PID 772 wrote to memory of 1056	772	cmd.exe	36
PID 772 wrote to memory of 1056	772	cmd.exe	36
PID 536 wrote to memory of 680	536	cmd.exe	35
PID 536 wrote to memory of 680	536	cmd.exe	35
PID 536 wrote to memory of 680	536	cmd.exe	35
PID 536 wrote to memory of 680	536	cmd.exe	35
PID 772 wrote to memory of 384	772	cmd.exe	37
PID 772 wrote to memory of 384	772	cmd.exe	37
PID 772 wrote to memory of 384	772	cmd.exe	37
PID 772 wrote to memory of 384	772	cmd.exe	37
PID 536 wrote to memory of 1076	536	cmd.exe	38
PID 536 wrote to memory of 1076	536	cmd.exe	38
PID 536 wrote to memory of 1076	536	cmd.exe	38
PID 536 wrote to memory of 1076	536	cmd.exe	38
PID 1056 wrote to memory of 1916	1056	hosts.exe	39
PID 1056 wrote to memory of 1916	1056	hosts.exe	39
PID 1056 wrote to memory of 1916	1056	hosts.exe	39
PID 1056 wrote to memory of 1916	1056	hosts.exe	39
PID 1056 wrote to memory of 916	1056	hosts.exe	40
PID 1056 wrote to memory of 916	1056	hosts.exe	40
PID 1056 wrote to memory of 916	1056	hosts.exe	40
PID 1056 wrote to memory of 916	1056	hosts.exe	40
PID 916 wrote to memory of 1800	916	cmd.exe	42
PID 916 wrote to memory of 1800	916	cmd.exe	42
PID 916 wrote to memory of 1800	916	cmd.exe	42
PID 916 wrote to memory of 1800	916	cmd.exe	42
PID 916 wrote to memory of 1960	916	cmd.exe	43
PID 916 wrote to memory of 1960	916	cmd.exe	43
PID 916 wrote to memory of 1960	916	cmd.exe	43
PID 916 wrote to memory of 1960	916	cmd.exe	43
PID 1688 wrote to memory of 756	1688	avscan.exe	44
PID 1688 wrote to memory of 756	1688	avscan.exe	44
PID 1688 wrote to memory of 756	1688	avscan.exe	44
PID 1688 wrote to memory of 756	1688	avscan.exe	44
PID 1056 wrote to memory of 988	1056	hosts.exe	46
PID 1056 wrote to memory of 988	1056	hosts.exe	46
PID 1056 wrote to memory of 988	1056	hosts.exe	46
PID 1056 wrote to memory of 988	1056	hosts.exe	46
PID 1688 wrote to memory of 1088	1688	avscan.exe	48
PID 1688 wrote to memory of 1088	1688	avscan.exe	48
PID 1688 wrote to memory of 1088	1688	avscan.exe	48
PID 1688 wrote to memory of 1088	1688	avscan.exe	48

C:\Users\Admin\AppData\Local\Temp\0f82feba9e0a27ad85d50aa679d752be2bbd01a2da26288b0ea910d167dd5d4b.exe
"C:\Users\Admin\AppData\Local\Temp\0f82feba9e0a27ad85d50aa679d752be2bbd01a2da26288b0ea910d167dd5d4b.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:1928
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1720
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:772
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1056
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1916
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\W_X_C.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:916
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1800
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:1960
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:988
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:516
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1148
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1116
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:384
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:756
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1088
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1920
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:680
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:1076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
223KB

MD5
de45e15e3b0a20bc8dbdd4e2fe210921

SHA1
af4ddb5120e54f72a66bd7d8e14b77c6a6adf85a

SHA256
64d57318b405558e600116dd776a9ed89c9df87434cb704198d446de3f17ad53

SHA512
901ca90df3f5fc29b2311b57679ee6430ed4743b2db6bcdbeb354167ae6c3d7a316c1a0f9c47a89001443e32c37414306768b12e1f796a25ebc59a07baa10972

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
573KB

MD5
42791cec5cfccbd3a558b954f7fc0923

SHA1
52923ad143bee5f0ab97835d94e8e829db4eb97e

SHA256
4cdd1be765e01c5fcb18e697c46966afe76e33a1bf42dfd6d2da49e586994e67

SHA512
9688255d9237b3eb55951279de75fa4bcb9a80a025516f307031d56d3ab9e2f0fefff51c7d1c1d60b01133122b9b5fc0cfc40b78879cdb293f2cdc6ccb8f23ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
748KB

MD5
71447f81d715c80e59aabbe8c909a3ee

SHA1
ac4d722f509faa18a2d58645a1213db65f4b7c00

SHA256
22ce503ba4e28888e16c247478f56d3c5cdd8b2919e7644abc978b49284fe98c

SHA512
43da396ea750a6d9839dc15f97bc6385813d0ec4a1209b510c855cfd25b007364f3018b8b2dc187f7deacff2f9702acadee84b66bad547a95def799d6c1dafcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
924KB

MD5
94859750d339f50f156a5ea6cb351362

SHA1
bc8e6b18446ba6afc04907546f73ccaadc7fa0ad

SHA256
dede1c19d0892b1c13f4a23541899d7eb9cafcba2cf3828ec96fa390d34209e9

SHA512
ebf8e5574e975b43a53b5b3f2ceda4741dd1da422c355e649b532efccb723a6c1188e6333f5e8da220320771f73540c29f664df0b03ecfe223d4d9c582caa993

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.1MB

MD5
42e2b6f6b888195e4f0900ccd6142d12

SHA1
516bd9690c41d6c234130725fd5b1820ea838a85

SHA256
7303cff5e7a5950267120f27997c4f1821f82069289df089082b82f06ec8a86d

SHA512
04165e315cf8c8280f32b9eb56be245ee87ac356f56de7d81c3869009189c8564485010285f96865611ca18a6b658bd86cc3f2792d6d5e1dd8bd0ce3416df14a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.2MB

MD5
99a793a0a84c9658441592f007703123

SHA1
f6c66d0f7b89e85bdaf65927ce2db065d52591b8

SHA256
69914593282c7e2e82fc5c898e65ec0c06b1cbe34d165c3349048a4ae44bcc26

SHA512
cd79c954a91a3abf7a8dfeaadd236b3318205cea76e4a87ce92e55763670dd469125d450bb2fd0c168e6bf1323655aded69aa034f902f9464c4871b70c0b31e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.4MB

MD5
6c6abe5848554e173e2ecd84167ac860

SHA1
4519ca3b13f1465507d60eba30b2501be43c77f3

SHA256
9fecc6f1408a07159dad31a5af2fa674739eacfcaad0126723fc683aec191a25

SHA512
c1e85960a0f623c860bb9eef696c4082c8a51719542b5ff66a5243390f44755b845f839e5834c605190ffb2df9c094fcb55bc93e632ae21b8d76afcd5656ccee

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
175KB

MD5
d5e11660bcb69f6eb9e4665e4a7aefa6

SHA1
fcc0dc664ec4ae421166582986d366542b938b73

SHA256
bebc289424d6e8e2a87f465fac85c2ae40dcf7ba788f8f85de78f5381d0a0d7b

SHA512
fb950f1e19b7962277de7c542242ae33719dd7f3c02f1f18db9dbeb516c23fad596e51b8149f15c482d92a4339956cc4af733518f7c652f165accfe57bc7a215

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
175KB

MD5
d5e11660bcb69f6eb9e4665e4a7aefa6

SHA1
fcc0dc664ec4ae421166582986d366542b938b73

SHA256
bebc289424d6e8e2a87f465fac85c2ae40dcf7ba788f8f85de78f5381d0a0d7b

SHA512
fb950f1e19b7962277de7c542242ae33719dd7f3c02f1f18db9dbeb516c23fad596e51b8149f15c482d92a4339956cc4af733518f7c652f165accfe57bc7a215

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
175KB

MD5
d5e11660bcb69f6eb9e4665e4a7aefa6

SHA1
fcc0dc664ec4ae421166582986d366542b938b73

SHA256
bebc289424d6e8e2a87f465fac85c2ae40dcf7ba788f8f85de78f5381d0a0d7b

SHA512
fb950f1e19b7962277de7c542242ae33719dd7f3c02f1f18db9dbeb516c23fad596e51b8149f15c482d92a4339956cc4af733518f7c652f165accfe57bc7a215

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
175KB

MD5
d5e11660bcb69f6eb9e4665e4a7aefa6

SHA1
fcc0dc664ec4ae421166582986d366542b938b73

SHA256
bebc289424d6e8e2a87f465fac85c2ae40dcf7ba788f8f85de78f5381d0a0d7b

SHA512
fb950f1e19b7962277de7c542242ae33719dd7f3c02f1f18db9dbeb516c23fad596e51b8149f15c482d92a4339956cc4af733518f7c652f165accfe57bc7a215

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
8efab902a61f6cddc318bb5818c2f2e0

SHA1
9608751279ae04ba710d84c61e3937c12950b393

SHA256
a81d0e86c651ead3e4d9c7f64e637006e787c81c8ba3e784648c2786306bfb87

SHA512
aabd0e45609a39584c68c35e16124b399e9a4932bf6c98c22aa8c6ff71b2fbfc80333102960fcfca1abb38b344245f9cdf4cdc0c827c48235f618011a5fbfe18

Download Submit
C:\Windows\hosts.exe

Filesize
175KB

MD5
b598bd279de6472500d2a7049fe1e5ab

SHA1
02d161b4b95a2854419b05d77b16bd1ff9ace753

SHA256
047bd2cc02062bd08cee997a3c171eeda00eea4e21f575622d0243fb70bc4063

SHA512
d0b66874f8efcaad3a3b2f6c6d2229b38941a61d4118c6d97240190d2835c266a1888fb40df5060380875cca2138166c56b3e4f10b9ffe9c4b17fc9661f20bda

Download Submit
C:\Windows\hosts.exe

Filesize
175KB

MD5
b598bd279de6472500d2a7049fe1e5ab

SHA1
02d161b4b95a2854419b05d77b16bd1ff9ace753

SHA256
047bd2cc02062bd08cee997a3c171eeda00eea4e21f575622d0243fb70bc4063

SHA512
d0b66874f8efcaad3a3b2f6c6d2229b38941a61d4118c6d97240190d2835c266a1888fb40df5060380875cca2138166c56b3e4f10b9ffe9c4b17fc9661f20bda

Download Submit
C:\Windows\hosts.exe

Filesize
175KB

MD5
b598bd279de6472500d2a7049fe1e5ab

SHA1
02d161b4b95a2854419b05d77b16bd1ff9ace753

SHA256
047bd2cc02062bd08cee997a3c171eeda00eea4e21f575622d0243fb70bc4063

SHA512
d0b66874f8efcaad3a3b2f6c6d2229b38941a61d4118c6d97240190d2835c266a1888fb40df5060380875cca2138166c56b3e4f10b9ffe9c4b17fc9661f20bda

Download Submit
C:\Windows\hosts.exe

Filesize
175KB

MD5
b598bd279de6472500d2a7049fe1e5ab

SHA1
02d161b4b95a2854419b05d77b16bd1ff9ace753

SHA256
047bd2cc02062bd08cee997a3c171eeda00eea4e21f575622d0243fb70bc4063

SHA512
d0b66874f8efcaad3a3b2f6c6d2229b38941a61d4118c6d97240190d2835c266a1888fb40df5060380875cca2138166c56b3e4f10b9ffe9c4b17fc9661f20bda

Download Submit
C:\windows\hosts.exe

Filesize
175KB

MD5
b598bd279de6472500d2a7049fe1e5ab

SHA1
02d161b4b95a2854419b05d77b16bd1ff9ace753

SHA256
047bd2cc02062bd08cee997a3c171eeda00eea4e21f575622d0243fb70bc4063

SHA512
d0b66874f8efcaad3a3b2f6c6d2229b38941a61d4118c6d97240190d2835c266a1888fb40df5060380875cca2138166c56b3e4f10b9ffe9c4b17fc9661f20bda

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
175KB

MD5
d5e11660bcb69f6eb9e4665e4a7aefa6

SHA1
fcc0dc664ec4ae421166582986d366542b938b73

SHA256
bebc289424d6e8e2a87f465fac85c2ae40dcf7ba788f8f85de78f5381d0a0d7b

SHA512
fb950f1e19b7962277de7c542242ae33719dd7f3c02f1f18db9dbeb516c23fad596e51b8149f15c482d92a4339956cc4af733518f7c652f165accfe57bc7a215

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
175KB

MD5
d5e11660bcb69f6eb9e4665e4a7aefa6

SHA1
fcc0dc664ec4ae421166582986d366542b938b73

SHA256
bebc289424d6e8e2a87f465fac85c2ae40dcf7ba788f8f85de78f5381d0a0d7b

SHA512
fb950f1e19b7962277de7c542242ae33719dd7f3c02f1f18db9dbeb516c23fad596e51b8149f15c482d92a4339956cc4af733518f7c652f165accfe57bc7a215

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
175KB

MD5
d5e11660bcb69f6eb9e4665e4a7aefa6

SHA1
fcc0dc664ec4ae421166582986d366542b938b73

SHA256
bebc289424d6e8e2a87f465fac85c2ae40dcf7ba788f8f85de78f5381d0a0d7b

SHA512
fb950f1e19b7962277de7c542242ae33719dd7f3c02f1f18db9dbeb516c23fad596e51b8149f15c482d92a4339956cc4af733518f7c652f165accfe57bc7a215

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
175KB

MD5
d5e11660bcb69f6eb9e4665e4a7aefa6

SHA1
fcc0dc664ec4ae421166582986d366542b938b73

SHA256
bebc289424d6e8e2a87f465fac85c2ae40dcf7ba788f8f85de78f5381d0a0d7b

SHA512
fb950f1e19b7962277de7c542242ae33719dd7f3c02f1f18db9dbeb516c23fad596e51b8149f15c482d92a4339956cc4af733518f7c652f165accfe57bc7a215

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
175KB

MD5
d5e11660bcb69f6eb9e4665e4a7aefa6

SHA1
fcc0dc664ec4ae421166582986d366542b938b73

SHA256
bebc289424d6e8e2a87f465fac85c2ae40dcf7ba788f8f85de78f5381d0a0d7b

SHA512
fb950f1e19b7962277de7c542242ae33719dd7f3c02f1f18db9dbeb516c23fad596e51b8149f15c482d92a4339956cc4af733518f7c652f165accfe57bc7a215

Download Submit
memory/1444-58-0x0000000074721000-0x0000000074723000-memory.dmp

Filesize
8KB

Download
memory/1444-56-0x0000000075D71000-0x0000000075D73000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads