89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f

Analysis

max time kernel
126s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 13:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe
Size

334KB
MD5

0efd3a0125f336e49c14d2a87dc22802
SHA1

05339ba9a1c955e176ae52deb35f72df10b7803f
SHA256

89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f
SHA512

879ad312a299123556f5b6e254223c85b6e321f52c08aed4c9a1f9470314d22e25a68c983d57fa4019f4f78350ad194569bdf39dfa76f1779751d1b5d9f1810d
SSDEEP

6144:gDCwfG1bnxG8M58+DCwfG1bnxG8M58FqvA:g72bnI55X72bnI55cqvA

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RYNKSFQE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RYNKSFQE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RYNKSFQE = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
1584	avscan.exe
1776	avscan.exe
2028	hosts.exe
1760	hosts.exe
1380	avscan.exe
1092	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
1156	89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe
1156	89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe
1584	avscan.exe
2028	hosts.exe
2028	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\W_X_C.vbs	89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe
File created	\??\c:\windows\W_X_C.bat	89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe
File opened for modification	C:\Windows\hosts.exe	89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
1868	REG.exe
756	REG.exe
1100	REG.exe
1020	REG.exe
896	REG.exe
1176	REG.exe
1508	REG.exe
1612	REG.exe
1576	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1584	avscan.exe
2028	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1156	89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe
1584	avscan.exe
1776	avscan.exe
2028	hosts.exe
1760	hosts.exe
1380	avscan.exe
1092	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1156 wrote to memory of 896	1156	89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe	27
PID 1156 wrote to memory of 896	1156	89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe	27
PID 1156 wrote to memory of 896	1156	89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe	27
PID 1156 wrote to memory of 896	1156	89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe	27
PID 1156 wrote to memory of 1584	1156	89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe	29
PID 1156 wrote to memory of 1584	1156	89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe	29
PID 1156 wrote to memory of 1584	1156	89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe	29
PID 1156 wrote to memory of 1584	1156	89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe	29
PID 1584 wrote to memory of 1776	1584	avscan.exe	30
PID 1584 wrote to memory of 1776	1584	avscan.exe	30
PID 1584 wrote to memory of 1776	1584	avscan.exe	30
PID 1584 wrote to memory of 1776	1584	avscan.exe	30
PID 1584 wrote to memory of 816	1584	avscan.exe	31
PID 1584 wrote to memory of 816	1584	avscan.exe	31
PID 1584 wrote to memory of 816	1584	avscan.exe	31
PID 1584 wrote to memory of 816	1584	avscan.exe	31
PID 1156 wrote to memory of 1012	1156	89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe	33
PID 1156 wrote to memory of 1012	1156	89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe	33
PID 1156 wrote to memory of 1012	1156	89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe	33
PID 1156 wrote to memory of 1012	1156	89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe	33
PID 816 wrote to memory of 2028	816	cmd.exe	36
PID 816 wrote to memory of 2028	816	cmd.exe	36
PID 816 wrote to memory of 2028	816	cmd.exe	36
PID 816 wrote to memory of 2028	816	cmd.exe	36
PID 1012 wrote to memory of 1760	1012	cmd.exe	35
PID 1012 wrote to memory of 1760	1012	cmd.exe	35
PID 1012 wrote to memory of 1760	1012	cmd.exe	35
PID 1012 wrote to memory of 1760	1012	cmd.exe	35
PID 1012 wrote to memory of 1492	1012	cmd.exe	37
PID 1012 wrote to memory of 1492	1012	cmd.exe	37
PID 1012 wrote to memory of 1492	1012	cmd.exe	37
PID 1012 wrote to memory of 1492	1012	cmd.exe	37
PID 816 wrote to memory of 1980	816	cmd.exe	38
PID 816 wrote to memory of 1980	816	cmd.exe	38
PID 816 wrote to memory of 1980	816	cmd.exe	38
PID 816 wrote to memory of 1980	816	cmd.exe	38
PID 2028 wrote to memory of 1380	2028	hosts.exe	39
PID 2028 wrote to memory of 1380	2028	hosts.exe	39
PID 2028 wrote to memory of 1380	2028	hosts.exe	39
PID 2028 wrote to memory of 1380	2028	hosts.exe	39
PID 2028 wrote to memory of 1892	2028	hosts.exe	40
PID 2028 wrote to memory of 1892	2028	hosts.exe	40
PID 2028 wrote to memory of 1892	2028	hosts.exe	40
PID 2028 wrote to memory of 1892	2028	hosts.exe	40
PID 1892 wrote to memory of 1092	1892	cmd.exe	42
PID 1892 wrote to memory of 1092	1892	cmd.exe	42
PID 1892 wrote to memory of 1092	1892	cmd.exe	42
PID 1892 wrote to memory of 1092	1892	cmd.exe	42
PID 1892 wrote to memory of 1136	1892	cmd.exe	43
PID 1892 wrote to memory of 1136	1892	cmd.exe	43
PID 1892 wrote to memory of 1136	1892	cmd.exe	43
PID 1892 wrote to memory of 1136	1892	cmd.exe	43
PID 1584 wrote to memory of 1176	1584	avscan.exe	44
PID 1584 wrote to memory of 1176	1584	avscan.exe	44
PID 1584 wrote to memory of 1176	1584	avscan.exe	44
PID 1584 wrote to memory of 1176	1584	avscan.exe	44
PID 2028 wrote to memory of 1868	2028	hosts.exe	46
PID 2028 wrote to memory of 1868	2028	hosts.exe	46
PID 2028 wrote to memory of 1868	2028	hosts.exe	46
PID 2028 wrote to memory of 1868	2028	hosts.exe	46
PID 2028 wrote to memory of 756	2028	hosts.exe	48
PID 2028 wrote to memory of 756	2028	hosts.exe	48
PID 2028 wrote to memory of 756	2028	hosts.exe	48
PID 2028 wrote to memory of 756	2028	hosts.exe	48

C:\Users\Admin\AppData\Local\Temp\89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe
"C:\Users\Admin\AppData\Local\Temp\89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1156
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:896
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1776
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:816
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2028
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1380
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\W_X_C.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1892
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1092
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:1136
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1868
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:756
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1508
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1576
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:1980
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1176
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1100
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1020
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1612
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1012
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1760
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:1492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
717KB

MD5
539650a579ab6cfecddd227475515563

SHA1
391d3f45cf6e3c450bf05f9822eb29c1b32b9fdf

SHA256
fb5ace565f810e9d5c99b6eb775327c8872f3689f2738dfb5efe1c62a7a8d425

SHA512
7a0b52ed8aa4707d1dc188e32b81d9a025d5aca167a2c3da915806ffadfac88006a6b26477ad0c8c1fd68888739b0a7b548806ad8bc69caeec8232068922c030

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.4MB

MD5
faaf04b06e5df9a66f88924b49033b98

SHA1
9edd9f18a355815a904fc6ce6327d3ef0885fc84

SHA256
954767a4a24c244077b9e3ee99875a79ab1c9722eadff45f74f34fe298258f6b

SHA512
3e80c3c196f3bed2888734dd449ad3b38c2bbf5e1dad8eac30024c4cf3e20a9dc6436b96fc9183db46049303dc8f4968213d99e0cd46cf2330e1c3e6587243d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.0MB

MD5
7ee8a02dd0871b1d000a71fc993fbd0e

SHA1
065e1ee413ece5f18c084acd40e59c3d0b889b6c

SHA256
6878e3396b749cd535167588b00de8ee083354b1191da1b59f89c39de130623a

SHA512
42f82dc16e758523830e22e86851f61a3fcefe5e94b6a75d37ff6079446aef3b1f6ca945e0728710bd4d1b3611467edb4137e3159377da896ee9141b94449937

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.0MB

MD5
7bd17439b466b699743a1be755033347

SHA1
d39a3ca75f3ba5275404344c9561d52be8e77003

SHA256
517c2d70a94fcd71ab70f2f492fda2027abf5f4856e9022020ddcf2d57d5a4c9

SHA512
9fb539423e9d4206a988ed57d679b69ba116ef0aa10087d4aeef7f7cef0f7da56fac588f54ddb954b8d6ab77d1c4180df281c0057616f9e2a9a0abfc77ebd3bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.7MB

MD5
f9111df9563daf3d924f3ba138e4449e

SHA1
c0bf5d0b40bbdbe8ab14d3580ab2c385f6a16fd4

SHA256
16dda5b0686150f81d393d2787c3a0fd347abc8078be09d19ce938a3f501ab99

SHA512
49821b1684179061986199da69e33d3895e365b20a4c4ee6a15a68b647a55bcc8889098ecf7082437e041e568ed9d074bd0d8785713fe1c40dbf898b12746ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.7MB

MD5
7056b4441f2d570c88d41647244b60ab

SHA1
e0b983239b84f71fa54f2c5199fd33bbd2348917

SHA256
89b6a15415ddd5b1ca00490145f584c2a12dd7a2dc89ccdcf85912be09241bfc

SHA512
d7ba9ffadb69555ae2bb0c8beb1787129bba4879414af1beb418ba15dba3abdf804f132acdbfe6ec1c5751903b7535427fa56eba8fb6a67e93b69430ef2febfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
334KB

MD5
9f3f389429f4e2aa176873276285a9ba

SHA1
f322c4dc661aa32c21f461b7f476f296a689919d

SHA256
f3a21706b199c77c956b735690ac7d6a6b8a86f72133aaeb1ce11b6b8d73413b

SHA512
75a91d0f8633f21cdec0aa842de47f43d6552cd3044b9784dc95742f09c4da4e4b25d265a86a49cbdd987fdd49fa3ca7bf3582e1bbac033298bb7dff045f9664

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
334KB

MD5
9f3f389429f4e2aa176873276285a9ba

SHA1
f322c4dc661aa32c21f461b7f476f296a689919d

SHA256
f3a21706b199c77c956b735690ac7d6a6b8a86f72133aaeb1ce11b6b8d73413b

SHA512
75a91d0f8633f21cdec0aa842de47f43d6552cd3044b9784dc95742f09c4da4e4b25d265a86a49cbdd987fdd49fa3ca7bf3582e1bbac033298bb7dff045f9664

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
334KB

MD5
9f3f389429f4e2aa176873276285a9ba

SHA1
f322c4dc661aa32c21f461b7f476f296a689919d

SHA256
f3a21706b199c77c956b735690ac7d6a6b8a86f72133aaeb1ce11b6b8d73413b

SHA512
75a91d0f8633f21cdec0aa842de47f43d6552cd3044b9784dc95742f09c4da4e4b25d265a86a49cbdd987fdd49fa3ca7bf3582e1bbac033298bb7dff045f9664

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
334KB

MD5
9f3f389429f4e2aa176873276285a9ba

SHA1
f322c4dc661aa32c21f461b7f476f296a689919d

SHA256
f3a21706b199c77c956b735690ac7d6a6b8a86f72133aaeb1ce11b6b8d73413b

SHA512
75a91d0f8633f21cdec0aa842de47f43d6552cd3044b9784dc95742f09c4da4e4b25d265a86a49cbdd987fdd49fa3ca7bf3582e1bbac033298bb7dff045f9664

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
8efab902a61f6cddc318bb5818c2f2e0

SHA1
9608751279ae04ba710d84c61e3937c12950b393

SHA256
a81d0e86c651ead3e4d9c7f64e637006e787c81c8ba3e784648c2786306bfb87

SHA512
aabd0e45609a39584c68c35e16124b399e9a4932bf6c98c22aa8c6ff71b2fbfc80333102960fcfca1abb38b344245f9cdf4cdc0c827c48235f618011a5fbfe18

Download Submit
C:\Windows\hosts.exe

Filesize
334KB

MD5
35205f8b0c8ab307bca126269217cc89

SHA1
95b70d5b8d67b5ae0b6fca495379c793beb5b8ce

SHA256
544cdfddc700ddfaa4bdd792b58eb25f90d80b686ddfee79f43be23da701d7f7

SHA512
2d8cd3373b2afe184ed3fe2794122f94a7e8cd6128b36ed229017cffdd836c1ebce361fe0d77eb586d769bd934395e34dfe2f6fb10e8aee8324e1a4abc2ea377

Download Submit
C:\Windows\hosts.exe

Filesize
334KB

MD5
35205f8b0c8ab307bca126269217cc89

SHA1
95b70d5b8d67b5ae0b6fca495379c793beb5b8ce

SHA256
544cdfddc700ddfaa4bdd792b58eb25f90d80b686ddfee79f43be23da701d7f7

SHA512
2d8cd3373b2afe184ed3fe2794122f94a7e8cd6128b36ed229017cffdd836c1ebce361fe0d77eb586d769bd934395e34dfe2f6fb10e8aee8324e1a4abc2ea377

Download Submit
C:\Windows\hosts.exe

Filesize
334KB

MD5
35205f8b0c8ab307bca126269217cc89

SHA1
95b70d5b8d67b5ae0b6fca495379c793beb5b8ce

SHA256
544cdfddc700ddfaa4bdd792b58eb25f90d80b686ddfee79f43be23da701d7f7

SHA512
2d8cd3373b2afe184ed3fe2794122f94a7e8cd6128b36ed229017cffdd836c1ebce361fe0d77eb586d769bd934395e34dfe2f6fb10e8aee8324e1a4abc2ea377

Download Submit
C:\Windows\hosts.exe

Filesize
334KB

MD5
35205f8b0c8ab307bca126269217cc89

SHA1
95b70d5b8d67b5ae0b6fca495379c793beb5b8ce

SHA256
544cdfddc700ddfaa4bdd792b58eb25f90d80b686ddfee79f43be23da701d7f7

SHA512
2d8cd3373b2afe184ed3fe2794122f94a7e8cd6128b36ed229017cffdd836c1ebce361fe0d77eb586d769bd934395e34dfe2f6fb10e8aee8324e1a4abc2ea377

Download Submit
C:\windows\hosts.exe

Filesize
334KB

MD5
35205f8b0c8ab307bca126269217cc89

SHA1
95b70d5b8d67b5ae0b6fca495379c793beb5b8ce

SHA256
544cdfddc700ddfaa4bdd792b58eb25f90d80b686ddfee79f43be23da701d7f7

SHA512
2d8cd3373b2afe184ed3fe2794122f94a7e8cd6128b36ed229017cffdd836c1ebce361fe0d77eb586d769bd934395e34dfe2f6fb10e8aee8324e1a4abc2ea377

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
334KB

MD5
9f3f389429f4e2aa176873276285a9ba

SHA1
f322c4dc661aa32c21f461b7f476f296a689919d

SHA256
f3a21706b199c77c956b735690ac7d6a6b8a86f72133aaeb1ce11b6b8d73413b

SHA512
75a91d0f8633f21cdec0aa842de47f43d6552cd3044b9784dc95742f09c4da4e4b25d265a86a49cbdd987fdd49fa3ca7bf3582e1bbac033298bb7dff045f9664

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
334KB

MD5
9f3f389429f4e2aa176873276285a9ba

SHA1
f322c4dc661aa32c21f461b7f476f296a689919d

SHA256
f3a21706b199c77c956b735690ac7d6a6b8a86f72133aaeb1ce11b6b8d73413b

SHA512
75a91d0f8633f21cdec0aa842de47f43d6552cd3044b9784dc95742f09c4da4e4b25d265a86a49cbdd987fdd49fa3ca7bf3582e1bbac033298bb7dff045f9664

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
334KB

MD5
9f3f389429f4e2aa176873276285a9ba

SHA1
f322c4dc661aa32c21f461b7f476f296a689919d

SHA256
f3a21706b199c77c956b735690ac7d6a6b8a86f72133aaeb1ce11b6b8d73413b

SHA512
75a91d0f8633f21cdec0aa842de47f43d6552cd3044b9784dc95742f09c4da4e4b25d265a86a49cbdd987fdd49fa3ca7bf3582e1bbac033298bb7dff045f9664

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
334KB

MD5
9f3f389429f4e2aa176873276285a9ba

SHA1
f322c4dc661aa32c21f461b7f476f296a689919d

SHA256
f3a21706b199c77c956b735690ac7d6a6b8a86f72133aaeb1ce11b6b8d73413b

SHA512
75a91d0f8633f21cdec0aa842de47f43d6552cd3044b9784dc95742f09c4da4e4b25d265a86a49cbdd987fdd49fa3ca7bf3582e1bbac033298bb7dff045f9664

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
334KB

MD5
9f3f389429f4e2aa176873276285a9ba

SHA1
f322c4dc661aa32c21f461b7f476f296a689919d

SHA256
f3a21706b199c77c956b735690ac7d6a6b8a86f72133aaeb1ce11b6b8d73413b

SHA512
75a91d0f8633f21cdec0aa842de47f43d6552cd3044b9784dc95742f09c4da4e4b25d265a86a49cbdd987fdd49fa3ca7bf3582e1bbac033298bb7dff045f9664

Download Submit
memory/1156-58-0x0000000074571000-0x0000000074573000-memory.dmp

Filesize
8KB

Download
memory/1156-56-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads