49b53d0bf3dbdcf44af4f5b1b4c4521e7e36239d4851b148071ece67407ffe12

Analysis

max time kernel
130s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49b53d0bf3dbdcf44af4f5b1b4c4521e7e36239d4851b148071ece67407ffe12.exe
Size

340KB
MD5

05d44e41a59924f8f9f49a02626a50a9
SHA1

9f1f27c5f6311edae934d9e9abda3dbc7cdbca9c
SHA256

49b53d0bf3dbdcf44af4f5b1b4c4521e7e36239d4851b148071ece67407ffe12
SHA512

f2ab053aca3e1ee13b4677089f123e95833204ae9c9472e9dc53616314d374d57bc895b334f9cbf2d27b6e48109442e1c6e26b0fba3dbf887311a3fbb42bfa01
SSDEEP

6144:gDCwfG1bnxLERRh5yc8TO914s9HNeBBNlpZPIoD1rZ:g72bntELT74SPKBLWoD19

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	49b53d0bf3dbdcf44af4f5b1b4c4521e7e36239d4851b148071ece67407ffe12.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	49b53d0bf3dbdcf44af4f5b1b4c4521e7e36239d4851b148071ece67407ffe12.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ORXGKKZC = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ORXGKKZC = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ORXGKKZC = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
1628	avscan.exe
988	avscan.exe
1448	hosts.exe
1396	hosts.exe
1512	avscan.exe
1964	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
1488	49b53d0bf3dbdcf44af4f5b1b4c4521e7e36239d4851b148071ece67407ffe12.exe
1488	49b53d0bf3dbdcf44af4f5b1b4c4521e7e36239d4851b148071ece67407ffe12.exe
1628	avscan.exe
1448	hosts.exe
1448	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	49b53d0bf3dbdcf44af4f5b1b4c4521e7e36239d4851b148071ece67407ffe12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	49b53d0bf3dbdcf44af4f5b1b4c4521e7e36239d4851b148071ece67407ffe12.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\W_X_C.vbs	49b53d0bf3dbdcf44af4f5b1b4c4521e7e36239d4851b148071ece67407ffe12.exe
File created	\??\c:\windows\W_X_C.bat	49b53d0bf3dbdcf44af4f5b1b4c4521e7e36239d4851b148071ece67407ffe12.exe
File opened for modification	C:\Windows\hosts.exe	49b53d0bf3dbdcf44af4f5b1b4c4521e7e36239d4851b148071ece67407ffe12.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
2012	REG.exe
2004	REG.exe
1768	REG.exe
1644	REG.exe
1560	REG.exe
2044	REG.exe
1272	REG.exe
1076	REG.exe
1820	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1628	avscan.exe
1448	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1488	49b53d0bf3dbdcf44af4f5b1b4c4521e7e36239d4851b148071ece67407ffe12.exe
1628	avscan.exe
988	avscan.exe
1448	hosts.exe
1396	hosts.exe
1512	avscan.exe
1964	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 2044	1488	49b53d0bf3dbdcf44af4f5b1b4c4521e7e36239d4851b148071ece67407ffe12.exe	26
PID 1488 wrote to memory of 2044	1488	49b53d0bf3dbdcf44af4f5b1b4c4521e7e36239d4851b148071ece67407ffe12.exe	26
PID 1488 wrote to memory of 2044	1488	49b53d0bf3dbdcf44af4f5b1b4c4521e7e36239d4851b148071ece67407ffe12.exe	26
PID 1488 wrote to memory of 2044	1488	49b53d0bf3dbdcf44af4f5b1b4c4521e7e36239d4851b148071ece67407ffe12.exe	26
PID 1488 wrote to memory of 1628	1488	49b53d0bf3dbdcf44af4f5b1b4c4521e7e36239d4851b148071ece67407ffe12.exe	28
PID 1488 wrote to memory of 1628	1488	49b53d0bf3dbdcf44af4f5b1b4c4521e7e36239d4851b148071ece67407ffe12.exe	28
PID 1488 wrote to memory of 1628	1488	49b53d0bf3dbdcf44af4f5b1b4c4521e7e36239d4851b148071ece67407ffe12.exe	28
PID 1488 wrote to memory of 1628	1488	49b53d0bf3dbdcf44af4f5b1b4c4521e7e36239d4851b148071ece67407ffe12.exe	28
PID 1628 wrote to memory of 988	1628	avscan.exe	29
PID 1628 wrote to memory of 988	1628	avscan.exe	29
PID 1628 wrote to memory of 988	1628	avscan.exe	29
PID 1628 wrote to memory of 988	1628	avscan.exe	29
PID 1628 wrote to memory of 548	1628	avscan.exe	30
PID 1628 wrote to memory of 548	1628	avscan.exe	30
PID 1628 wrote to memory of 548	1628	avscan.exe	30
PID 1628 wrote to memory of 548	1628	avscan.exe	30
PID 1488 wrote to memory of 904	1488	49b53d0bf3dbdcf44af4f5b1b4c4521e7e36239d4851b148071ece67407ffe12.exe	31
PID 1488 wrote to memory of 904	1488	49b53d0bf3dbdcf44af4f5b1b4c4521e7e36239d4851b148071ece67407ffe12.exe	31
PID 1488 wrote to memory of 904	1488	49b53d0bf3dbdcf44af4f5b1b4c4521e7e36239d4851b148071ece67407ffe12.exe	31
PID 1488 wrote to memory of 904	1488	49b53d0bf3dbdcf44af4f5b1b4c4521e7e36239d4851b148071ece67407ffe12.exe	31
PID 904 wrote to memory of 1448	904	cmd.exe	35
PID 904 wrote to memory of 1448	904	cmd.exe	35
PID 904 wrote to memory of 1448	904	cmd.exe	35
PID 904 wrote to memory of 1448	904	cmd.exe	35
PID 548 wrote to memory of 1396	548	cmd.exe	34
PID 548 wrote to memory of 1396	548	cmd.exe	34
PID 548 wrote to memory of 1396	548	cmd.exe	34
PID 548 wrote to memory of 1396	548	cmd.exe	34
PID 1448 wrote to memory of 1512	1448	hosts.exe	36
PID 1448 wrote to memory of 1512	1448	hosts.exe	36
PID 1448 wrote to memory of 1512	1448	hosts.exe	36
PID 1448 wrote to memory of 1512	1448	hosts.exe	36
PID 1448 wrote to memory of 1336	1448	hosts.exe	37
PID 1448 wrote to memory of 1336	1448	hosts.exe	37
PID 1448 wrote to memory of 1336	1448	hosts.exe	37
PID 1448 wrote to memory of 1336	1448	hosts.exe	37
PID 1336 wrote to memory of 1964	1336	cmd.exe	39
PID 1336 wrote to memory of 1964	1336	cmd.exe	39
PID 1336 wrote to memory of 1964	1336	cmd.exe	39
PID 1336 wrote to memory of 1964	1336	cmd.exe	39
PID 548 wrote to memory of 2008	548	cmd.exe	40
PID 548 wrote to memory of 2008	548	cmd.exe	40
PID 548 wrote to memory of 2008	548	cmd.exe	40
PID 548 wrote to memory of 2008	548	cmd.exe	40
PID 904 wrote to memory of 1572	904	cmd.exe	41
PID 904 wrote to memory of 1572	904	cmd.exe	41
PID 904 wrote to memory of 1572	904	cmd.exe	41
PID 904 wrote to memory of 1572	904	cmd.exe	41
PID 1336 wrote to memory of 1080	1336	cmd.exe	42
PID 1336 wrote to memory of 1080	1336	cmd.exe	42
PID 1336 wrote to memory of 1080	1336	cmd.exe	42
PID 1336 wrote to memory of 1080	1336	cmd.exe	42
PID 1628 wrote to memory of 1272	1628	avscan.exe	43
PID 1628 wrote to memory of 1272	1628	avscan.exe	43
PID 1628 wrote to memory of 1272	1628	avscan.exe	43
PID 1628 wrote to memory of 1272	1628	avscan.exe	43
PID 1448 wrote to memory of 2004	1448	hosts.exe	45
PID 1448 wrote to memory of 2004	1448	hosts.exe	45
PID 1448 wrote to memory of 2004	1448	hosts.exe	45
PID 1448 wrote to memory of 2004	1448	hosts.exe	45
PID 1628 wrote to memory of 1076	1628	avscan.exe	47
PID 1628 wrote to memory of 1076	1628	avscan.exe	47
PID 1628 wrote to memory of 1076	1628	avscan.exe	47
PID 1628 wrote to memory of 1076	1628	avscan.exe	47

C:\Users\Admin\AppData\Local\Temp\49b53d0bf3dbdcf44af4f5b1b4c4521e7e36239d4851b148071ece67407ffe12.exe
"C:\Users\Admin\AppData\Local\Temp\49b53d0bf3dbdcf44af4f5b1b4c4521e7e36239d4851b148071ece67407ffe12.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:2044
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:988
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:548
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1396
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:2008
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1272
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1076
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1644
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:2012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1448
  - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1512
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\W_X_C.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1336
    - - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1964
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        5⤵
        Adds policy Run key to start application
        
        PID:1080
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:2004
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1768
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1560
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1820
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:1572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
729KB

MD5
1e4cf4b251b0e341a497639982a9c011

SHA1
4a5841a34fc5e7f9d5352452930bbd196375a528

SHA256
81244b1f96db122bd95b9106901b39d303c1d3eff8895a7d9a4af8bb97e0c78b

SHA512
69699a58273a17b44c373b235f489ceab59cef31b34ba83a2e8cc4cf30ea7640d7154529e3c66daca1e04ffbcdb136517dc35ed8f7980ef7eb6698a907f46f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.0MB

MD5
97b1e6da3cd1561af4a928c389b29e7d

SHA1
cd3c4ff304e569bc5d3637452b2d52c4c95b65bc

SHA256
e93152f1449735fb3923a85e8a1b925a4c7e02aefae0710c7d513d73fd48b0d9

SHA512
902a8d5607716c7fe4d0741004a7727505466c1d3c26945454c16872c6ccb8bac3270edb7aff689a4e0bfd8d845b1152543452619fa037c2feaa9d6a0db8d9a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.4MB

MD5
644a24501377bf251c5264bc95f8b9d1

SHA1
b8c6554cb07af4e1efe99b94f7c78256da5278a8

SHA256
d9163a619fa4a0c2371b94c1e2bb9ebcd457070a433a35ebca103b4ff2b9aea2

SHA512
dc5fcfcf3ef18b5ddf517444aac1f3aa9c775af745c0224181475104c9886b497d2c5dc4c7c95b3aafde84a30e1f4fbe188dae0c870462ff26f8544651d09026

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.7MB

MD5
04d3b65b7b921c4af25e4a947acce454

SHA1
35212ad0971f2a0af028b8824236a7529a4152b3

SHA256
43bdfdbb04273ecaf019547be1c33d8f6466ee541405ec113c411b761a33f0da

SHA512
bb13ac9a7948c1ea827560f72ae119276e8ab39a63d6f73afe0a410cb2ff2679117a9b01ee382be88aadc1ec7dbe6972522e1af7c3316a69320ed540df4be8e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.0MB

MD5
6c86724992e47e8a21db821b366d8b8d

SHA1
50368cbfe3965aa771546cf32bb365d628c5cf90

SHA256
64cea54f7e9ad872487d77280da17ff2a5107edc83e2272343c4024de14a000d

SHA512
473118560a88841fbd40128a8611cd514f0fce0b00b3b4ed63cc433acb990b8618ee210bda61d7ebda87793568c95d1884f205249a852147c15c12997431e56d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.4MB

MD5
db6040af808577963591548789027ade

SHA1
48dbf601ead8865a3e73703a62677669fac1eaca

SHA256
b2ed9b7ff20539aded586dffc842be1efc4019d6eef1bd41c17ca6513b74f803

SHA512
144ef1f2aa8d57d29754c60a954104b9fa9a79e8972bf12811c930d2767480cff3231d7b26f1dbddca118cddde8e947d69618186437f0aa8b1b92f5920e61ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.7MB

MD5
8b55335d1ec73f8e47e0141e9c29caf0

SHA1
c8f944e28828e3d5cc0e6225ff7217465d9ad0d8

SHA256
47cae8e8b87be83a9375047e2921a003dbad8d7f25e56c4b9ae9152a8c534067

SHA512
c552ec4bccd766b2c7f92da693353e9ea3ebfea80b4c86b203f2a7c79f4044f4dd2d3397f2b7b7fd06f91e9ca764a7b9ed61a00194963553f5ecd610fcbaf9fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
340KB

MD5
b0afa6c0583ed5550b1be49db4e0ca1d

SHA1
b45f5c09ee2a3b441c068af4341bdf0db88486b3

SHA256
e4491df7dbd7e05369252fb120e10bf64c5e5e7f26cfe62875c3905e91bd7340

SHA512
08b065257852e1c64d1c8ae4cef5f302b690f3402d75e9a4af9fc5d07c028a8152014155cfead2c846b713639194621383c31d0c21ab17987b14af1d0c9150ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
340KB

MD5
b0afa6c0583ed5550b1be49db4e0ca1d

SHA1
b45f5c09ee2a3b441c068af4341bdf0db88486b3

SHA256
e4491df7dbd7e05369252fb120e10bf64c5e5e7f26cfe62875c3905e91bd7340

SHA512
08b065257852e1c64d1c8ae4cef5f302b690f3402d75e9a4af9fc5d07c028a8152014155cfead2c846b713639194621383c31d0c21ab17987b14af1d0c9150ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
340KB

MD5
b0afa6c0583ed5550b1be49db4e0ca1d

SHA1
b45f5c09ee2a3b441c068af4341bdf0db88486b3

SHA256
e4491df7dbd7e05369252fb120e10bf64c5e5e7f26cfe62875c3905e91bd7340

SHA512
08b065257852e1c64d1c8ae4cef5f302b690f3402d75e9a4af9fc5d07c028a8152014155cfead2c846b713639194621383c31d0c21ab17987b14af1d0c9150ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
340KB

MD5
b0afa6c0583ed5550b1be49db4e0ca1d

SHA1
b45f5c09ee2a3b441c068af4341bdf0db88486b3

SHA256
e4491df7dbd7e05369252fb120e10bf64c5e5e7f26cfe62875c3905e91bd7340

SHA512
08b065257852e1c64d1c8ae4cef5f302b690f3402d75e9a4af9fc5d07c028a8152014155cfead2c846b713639194621383c31d0c21ab17987b14af1d0c9150ee

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
6cb1a862c5d3015502be64b07c6b5ec7

SHA1
055b4b97bd55f4f0f47fd8c981fc216709e91936

SHA256
6ae3ae6c1d057e9376efd0711d9912dfddebd9f8a8b257cee104cba98195c48e

SHA512
5f8f0cdbbd70f06bc8783c0e762208a3c54daf0f2b064abd450116cb31963d0802bc59648e868d647031e0e321d151a20f1b71ccba613f6e1c0c7fbb7ee974ab

Download Submit
C:\Windows\hosts.exe

Filesize
340KB

MD5
c370e111ece0bf22a54400c578aa495e

SHA1
57fcbcc73150f320798d14c9d0e11c2efea55693

SHA256
8c54ddf1d195c17a753d98c76857522556896afee59988f9dbc74bbdbcd1958b

SHA512
b04b4004c071f778173b311863f4ef260d5813feb8939d2a923f089e770596f4514d571de3a32d5c4be8893ef0881b4f318d1ea600eacbd6caa0500078c8cc1b

Download Submit
C:\Windows\hosts.exe

Filesize
340KB

MD5
c370e111ece0bf22a54400c578aa495e

SHA1
57fcbcc73150f320798d14c9d0e11c2efea55693

SHA256
8c54ddf1d195c17a753d98c76857522556896afee59988f9dbc74bbdbcd1958b

SHA512
b04b4004c071f778173b311863f4ef260d5813feb8939d2a923f089e770596f4514d571de3a32d5c4be8893ef0881b4f318d1ea600eacbd6caa0500078c8cc1b

Download Submit
C:\Windows\hosts.exe

Filesize
340KB

MD5
c370e111ece0bf22a54400c578aa495e

SHA1
57fcbcc73150f320798d14c9d0e11c2efea55693

SHA256
8c54ddf1d195c17a753d98c76857522556896afee59988f9dbc74bbdbcd1958b

SHA512
b04b4004c071f778173b311863f4ef260d5813feb8939d2a923f089e770596f4514d571de3a32d5c4be8893ef0881b4f318d1ea600eacbd6caa0500078c8cc1b

Download Submit
C:\Windows\hosts.exe

Filesize
340KB

MD5
c370e111ece0bf22a54400c578aa495e

SHA1
57fcbcc73150f320798d14c9d0e11c2efea55693

SHA256
8c54ddf1d195c17a753d98c76857522556896afee59988f9dbc74bbdbcd1958b

SHA512
b04b4004c071f778173b311863f4ef260d5813feb8939d2a923f089e770596f4514d571de3a32d5c4be8893ef0881b4f318d1ea600eacbd6caa0500078c8cc1b

Download Submit
C:\windows\hosts.exe

Filesize
340KB

MD5
c370e111ece0bf22a54400c578aa495e

SHA1
57fcbcc73150f320798d14c9d0e11c2efea55693

SHA256
8c54ddf1d195c17a753d98c76857522556896afee59988f9dbc74bbdbcd1958b

SHA512
b04b4004c071f778173b311863f4ef260d5813feb8939d2a923f089e770596f4514d571de3a32d5c4be8893ef0881b4f318d1ea600eacbd6caa0500078c8cc1b

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
340KB

MD5
b0afa6c0583ed5550b1be49db4e0ca1d

SHA1
b45f5c09ee2a3b441c068af4341bdf0db88486b3

SHA256
e4491df7dbd7e05369252fb120e10bf64c5e5e7f26cfe62875c3905e91bd7340

SHA512
08b065257852e1c64d1c8ae4cef5f302b690f3402d75e9a4af9fc5d07c028a8152014155cfead2c846b713639194621383c31d0c21ab17987b14af1d0c9150ee

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
340KB

MD5
b0afa6c0583ed5550b1be49db4e0ca1d

SHA1
b45f5c09ee2a3b441c068af4341bdf0db88486b3

SHA256
e4491df7dbd7e05369252fb120e10bf64c5e5e7f26cfe62875c3905e91bd7340

SHA512
08b065257852e1c64d1c8ae4cef5f302b690f3402d75e9a4af9fc5d07c028a8152014155cfead2c846b713639194621383c31d0c21ab17987b14af1d0c9150ee

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
340KB

MD5
b0afa6c0583ed5550b1be49db4e0ca1d

SHA1
b45f5c09ee2a3b441c068af4341bdf0db88486b3

SHA256
e4491df7dbd7e05369252fb120e10bf64c5e5e7f26cfe62875c3905e91bd7340

SHA512
08b065257852e1c64d1c8ae4cef5f302b690f3402d75e9a4af9fc5d07c028a8152014155cfead2c846b713639194621383c31d0c21ab17987b14af1d0c9150ee

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
340KB

MD5
b0afa6c0583ed5550b1be49db4e0ca1d

SHA1
b45f5c09ee2a3b441c068af4341bdf0db88486b3

SHA256
e4491df7dbd7e05369252fb120e10bf64c5e5e7f26cfe62875c3905e91bd7340

SHA512
08b065257852e1c64d1c8ae4cef5f302b690f3402d75e9a4af9fc5d07c028a8152014155cfead2c846b713639194621383c31d0c21ab17987b14af1d0c9150ee

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
340KB

MD5
b0afa6c0583ed5550b1be49db4e0ca1d

SHA1
b45f5c09ee2a3b441c068af4341bdf0db88486b3

SHA256
e4491df7dbd7e05369252fb120e10bf64c5e5e7f26cfe62875c3905e91bd7340

SHA512
08b065257852e1c64d1c8ae4cef5f302b690f3402d75e9a4af9fc5d07c028a8152014155cfead2c846b713639194621383c31d0c21ab17987b14af1d0c9150ee

Download Submit
memory/1488-58-0x0000000074E21000-0x0000000074E23000-memory.dmp

Filesize
8KB

Download
memory/1488-56-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads