8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0

Analysis

max time kernel
194s
max time network
66s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe
Size

657KB
MD5

71f5cd3dd572d5147962eea9d22e2b9e
SHA1

b81eaf651d7aa70bf700a444e66c3ce47343a89c
SHA256

8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0
SHA512

f44d81eb083f0f4600876c77ca80019a820fd8cbcb36ee7fab7e09db893d1bc5c73213d3d5d3e37dac683b8adb6b231954729162a0737e49d561e60b464696cb
SSDEEP

12288:g72bnueKBLWoD1+OteKIjX9aTQT5Hk45QRbaxlwfCGWPI/D+WC:g72zDKFD1e9UDq

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VUIIVLGQ = "W_X_C.bat"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VUIIVLGQ = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VUIIVLGQ = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
584	avscan.exe
1136	avscan.exe
1584	hosts.exe
756	hosts.exe
828	avscan.exe
1688	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
624	8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe
624	8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe
584	avscan.exe
1584	hosts.exe
1584	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\W_X_C.vbs	8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe
File created	\??\c:\windows\W_X_C.bat	8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe
File opened for modification	C:\Windows\hosts.exe	8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
1236	REG.exe
1772	REG.exe
1580	REG.exe
808	REG.exe
580	REG.exe
1828	REG.exe
1912	REG.exe
1228	REG.exe
1064	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
584	avscan.exe
1584	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
624	8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe
584	avscan.exe
1136	avscan.exe
756	hosts.exe
1584	hosts.exe
828	avscan.exe
1688	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 1236	624	8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe	28
PID 624 wrote to memory of 1236	624	8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe	28
PID 624 wrote to memory of 1236	624	8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe	28
PID 624 wrote to memory of 1236	624	8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe	28
PID 624 wrote to memory of 584	624	8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe	30
PID 624 wrote to memory of 584	624	8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe	30
PID 624 wrote to memory of 584	624	8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe	30
PID 624 wrote to memory of 584	624	8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe	30
PID 584 wrote to memory of 1136	584	avscan.exe	31
PID 584 wrote to memory of 1136	584	avscan.exe	31
PID 584 wrote to memory of 1136	584	avscan.exe	31
PID 584 wrote to memory of 1136	584	avscan.exe	31
PID 584 wrote to memory of 704	584	avscan.exe	32
PID 584 wrote to memory of 704	584	avscan.exe	32
PID 584 wrote to memory of 704	584	avscan.exe	32
PID 584 wrote to memory of 704	584	avscan.exe	32
PID 624 wrote to memory of 1500	624	8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe	34
PID 624 wrote to memory of 1500	624	8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe	34
PID 624 wrote to memory of 1500	624	8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe	34
PID 624 wrote to memory of 1500	624	8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe	34
PID 1500 wrote to memory of 1584	1500	cmd.exe	37
PID 1500 wrote to memory of 1584	1500	cmd.exe	37
PID 1500 wrote to memory of 1584	1500	cmd.exe	37
PID 1500 wrote to memory of 1584	1500	cmd.exe	37
PID 704 wrote to memory of 756	704	cmd.exe	36
PID 704 wrote to memory of 756	704	cmd.exe	36
PID 704 wrote to memory of 756	704	cmd.exe	36
PID 704 wrote to memory of 756	704	cmd.exe	36
PID 1584 wrote to memory of 828	1584	hosts.exe	38
PID 1584 wrote to memory of 828	1584	hosts.exe	38
PID 1584 wrote to memory of 828	1584	hosts.exe	38
PID 1584 wrote to memory of 828	1584	hosts.exe	38
PID 1584 wrote to memory of 1120	1584	hosts.exe	40
PID 1584 wrote to memory of 1120	1584	hosts.exe	40
PID 1584 wrote to memory of 1120	1584	hosts.exe	40
PID 1584 wrote to memory of 1120	1584	hosts.exe	40
PID 1500 wrote to memory of 2044	1500	cmd.exe	39
PID 1500 wrote to memory of 2044	1500	cmd.exe	39
PID 1500 wrote to memory of 2044	1500	cmd.exe	39
PID 1500 wrote to memory of 2044	1500	cmd.exe	39
PID 704 wrote to memory of 696	704	cmd.exe	42
PID 704 wrote to memory of 696	704	cmd.exe	42
PID 704 wrote to memory of 696	704	cmd.exe	42
PID 704 wrote to memory of 696	704	cmd.exe	42
PID 1120 wrote to memory of 1688	1120	cmd.exe	43
PID 1120 wrote to memory of 1688	1120	cmd.exe	43
PID 1120 wrote to memory of 1688	1120	cmd.exe	43
PID 1120 wrote to memory of 1688	1120	cmd.exe	43
PID 1120 wrote to memory of 552	1120	cmd.exe	44
PID 1120 wrote to memory of 552	1120	cmd.exe	44
PID 1120 wrote to memory of 552	1120	cmd.exe	44
PID 1120 wrote to memory of 552	1120	cmd.exe	44
PID 584 wrote to memory of 1580	584	avscan.exe	46
PID 584 wrote to memory of 1580	584	avscan.exe	46
PID 584 wrote to memory of 1580	584	avscan.exe	46
PID 584 wrote to memory of 1580	584	avscan.exe	46
PID 1584 wrote to memory of 1772	1584	hosts.exe	45
PID 1584 wrote to memory of 1772	1584	hosts.exe	45
PID 1584 wrote to memory of 1772	1584	hosts.exe	45
PID 1584 wrote to memory of 1772	1584	hosts.exe	45
PID 1584 wrote to memory of 808	1584	hosts.exe	50
PID 1584 wrote to memory of 808	1584	hosts.exe	50
PID 1584 wrote to memory of 808	1584	hosts.exe	50
PID 1584 wrote to memory of 808	1584	hosts.exe	50

C:\Users\Admin\AppData\Local\Temp\8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe
"C:\Users\Admin\AppData\Local\Temp\8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:624
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:1236
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:584
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1136
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:704
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:756
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:696
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1580
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1228
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:580
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1828
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1584
  - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:828
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\W_X_C.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1120
    - - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1688
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        5⤵
        Adds policy Run key to start application
        
        PID:552
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1772
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:808
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1064
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1912
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:2044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
705KB

MD5
9125db6ccab1c82008c86cf1935e7d6d

SHA1
7068d905d546725b441ab2c9db0f4dbe43b704c7

SHA256
56a549b46e3a64fcda847c20b673b8dce820b1e39f0c37d88da1f1fdf2e31ab6

SHA512
cca33461e1e50b3fb8836f152e5f238e5f972978ca65876edb09443fc76b2d20991f5e4c8f5364b2c4446611338bba2756e114bbd055beee69e31ea574724945

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.6MB

MD5
9c29fd864a204c5c327f3d1760fe4fff

SHA1
185fabeeeebd259d885153420b35ce1cd84e31ee

SHA256
8528048e45c39a6543cf96b555985320b636e88403ff8b236df1bf814a824e67

SHA512
c492641271ec89da0f7b6f6f229f7919331563c3f62e1f143d02d343c7f545f65f68189a5808fa3db4d6a577d0ab06f6a52fe85af60f532f87af23aae2c390f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.6MB

MD5
b433715c1e4bddcaa92b49ae5489d0e2

SHA1
b8c99816f17f474d38a8a9530f40f4a95e4ef108

SHA256
fb74f3e106cd528f1f6ef03a002a93c739a38a662d71c12ee80f88d165eb3d53

SHA512
e23407aff01c4786e0510f3805f029a45ddb381b789b8ad21f2b20df9835385c3e0f19277159f285b402a4791e0d213af717116c1ff94442c3e15080aace7b88

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
3.3MB

MD5
ae11c76d87d9950635766b2cb31f9392

SHA1
43dc06c788a53eab434800f7af5509f8d589aced

SHA256
b8ad2375a552977db8ba4352588cd2bfb35eb1fd1e19e0fbb37f0468d6f29316

SHA512
a428745fa9b4444494302917798dc7de5a8b5eca3baea70c329b6d828e2a7fc1dfe1426ea0cddb08909a16222f5a4d4ee7859849638477aee0a7cee87bb28a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
3.9MB

MD5
ef1988c72571cbbaac4dd640057edc65

SHA1
8c4acb67f17f0eabf43367d1b017793276136297

SHA256
77aa429894dee96f56587d2687c06706e97ead5c440bdb4222a16d367241367e

SHA512
e3d3ed2378c3e798cd6aa24c4911cb8b17c5509e3d3b8cff111e20a8b66b72df5af92b6f8c83778fd650a1c9ca9be594697a22f9b36b1a1e86440a273183dfe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
3.9MB

MD5
ef1988c72571cbbaac4dd640057edc65

SHA1
8c4acb67f17f0eabf43367d1b017793276136297

SHA256
77aa429894dee96f56587d2687c06706e97ead5c440bdb4222a16d367241367e

SHA512
e3d3ed2378c3e798cd6aa24c4911cb8b17c5509e3d3b8cff111e20a8b66b72df5af92b6f8c83778fd650a1c9ca9be594697a22f9b36b1a1e86440a273183dfe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
657KB

MD5
fdc7acdbf63b0dd2d7b044b1bf89382f

SHA1
5b51438d6b90acf59c1d35e8016c1ef2be86fc37

SHA256
fa76cee770562aa38da97bc0c47b64cb4071f4799e46f316775998bd72f823da

SHA512
3bc18fdda8b62acf203e31907dc77e30b3d87fa25fbfdc8128b3857752c85b111a872e931593cb6f9e3c9bb53be66bf0810bd9d0e1d2347735b2785743ff7d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
657KB

MD5
fdc7acdbf63b0dd2d7b044b1bf89382f

SHA1
5b51438d6b90acf59c1d35e8016c1ef2be86fc37

SHA256
fa76cee770562aa38da97bc0c47b64cb4071f4799e46f316775998bd72f823da

SHA512
3bc18fdda8b62acf203e31907dc77e30b3d87fa25fbfdc8128b3857752c85b111a872e931593cb6f9e3c9bb53be66bf0810bd9d0e1d2347735b2785743ff7d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
657KB

MD5
fdc7acdbf63b0dd2d7b044b1bf89382f

SHA1
5b51438d6b90acf59c1d35e8016c1ef2be86fc37

SHA256
fa76cee770562aa38da97bc0c47b64cb4071f4799e46f316775998bd72f823da

SHA512
3bc18fdda8b62acf203e31907dc77e30b3d87fa25fbfdc8128b3857752c85b111a872e931593cb6f9e3c9bb53be66bf0810bd9d0e1d2347735b2785743ff7d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
657KB

MD5
fdc7acdbf63b0dd2d7b044b1bf89382f

SHA1
5b51438d6b90acf59c1d35e8016c1ef2be86fc37

SHA256
fa76cee770562aa38da97bc0c47b64cb4071f4799e46f316775998bd72f823da

SHA512
3bc18fdda8b62acf203e31907dc77e30b3d87fa25fbfdc8128b3857752c85b111a872e931593cb6f9e3c9bb53be66bf0810bd9d0e1d2347735b2785743ff7d4c

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
bb5f0d81909924d647dc29f49c1ab135

SHA1
3f69821597fc6e1bf95639ed73729d5b28d30571

SHA256
71a89829e758fce2196f5ae1fce0af4110c85b65f1cacbd9d34394843a0e9563

SHA512
e4459b6d398a439a6c086e1fbec0ce713c530f8c6ff9237fa080eb3fed35fcb938d88eb70bef32fe5d7853435c3cca5a25c207473239c460633ac30e302765ab

Download Submit
C:\Windows\hosts.exe

Filesize
657KB

MD5
8a0125ec21e69c26490b22d10454a684

SHA1
39dbe71b1e3cc0cd24cb5d0b0b38b6ebc23f4c1f

SHA256
92bc8bb86a197dd3d8f7df92ae20099a2c3af175505b524b7c2f35022b2ad2c6

SHA512
e145e048ee1ca3dc32c549975f0102500a380157dd6d1b4ad6e60106b0a6e426e27d5c2bb16f3256831fd877d8ea0b7e2795d3f166aa583114c86f34562feb06

Download Submit
C:\Windows\hosts.exe

Filesize
657KB

MD5
8a0125ec21e69c26490b22d10454a684

SHA1
39dbe71b1e3cc0cd24cb5d0b0b38b6ebc23f4c1f

SHA256
92bc8bb86a197dd3d8f7df92ae20099a2c3af175505b524b7c2f35022b2ad2c6

SHA512
e145e048ee1ca3dc32c549975f0102500a380157dd6d1b4ad6e60106b0a6e426e27d5c2bb16f3256831fd877d8ea0b7e2795d3f166aa583114c86f34562feb06

Download Submit
C:\Windows\hosts.exe

Filesize
657KB

MD5
8a0125ec21e69c26490b22d10454a684

SHA1
39dbe71b1e3cc0cd24cb5d0b0b38b6ebc23f4c1f

SHA256
92bc8bb86a197dd3d8f7df92ae20099a2c3af175505b524b7c2f35022b2ad2c6

SHA512
e145e048ee1ca3dc32c549975f0102500a380157dd6d1b4ad6e60106b0a6e426e27d5c2bb16f3256831fd877d8ea0b7e2795d3f166aa583114c86f34562feb06

Download Submit
C:\Windows\hosts.exe

Filesize
657KB

MD5
8a0125ec21e69c26490b22d10454a684

SHA1
39dbe71b1e3cc0cd24cb5d0b0b38b6ebc23f4c1f

SHA256
92bc8bb86a197dd3d8f7df92ae20099a2c3af175505b524b7c2f35022b2ad2c6

SHA512
e145e048ee1ca3dc32c549975f0102500a380157dd6d1b4ad6e60106b0a6e426e27d5c2bb16f3256831fd877d8ea0b7e2795d3f166aa583114c86f34562feb06

Download Submit
C:\windows\hosts.exe

Filesize
657KB

MD5
8a0125ec21e69c26490b22d10454a684

SHA1
39dbe71b1e3cc0cd24cb5d0b0b38b6ebc23f4c1f

SHA256
92bc8bb86a197dd3d8f7df92ae20099a2c3af175505b524b7c2f35022b2ad2c6

SHA512
e145e048ee1ca3dc32c549975f0102500a380157dd6d1b4ad6e60106b0a6e426e27d5c2bb16f3256831fd877d8ea0b7e2795d3f166aa583114c86f34562feb06

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
657KB

MD5
fdc7acdbf63b0dd2d7b044b1bf89382f

SHA1
5b51438d6b90acf59c1d35e8016c1ef2be86fc37

SHA256
fa76cee770562aa38da97bc0c47b64cb4071f4799e46f316775998bd72f823da

SHA512
3bc18fdda8b62acf203e31907dc77e30b3d87fa25fbfdc8128b3857752c85b111a872e931593cb6f9e3c9bb53be66bf0810bd9d0e1d2347735b2785743ff7d4c

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
657KB

MD5
fdc7acdbf63b0dd2d7b044b1bf89382f

SHA1
5b51438d6b90acf59c1d35e8016c1ef2be86fc37

SHA256
fa76cee770562aa38da97bc0c47b64cb4071f4799e46f316775998bd72f823da

SHA512
3bc18fdda8b62acf203e31907dc77e30b3d87fa25fbfdc8128b3857752c85b111a872e931593cb6f9e3c9bb53be66bf0810bd9d0e1d2347735b2785743ff7d4c

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
657KB

MD5
fdc7acdbf63b0dd2d7b044b1bf89382f

SHA1
5b51438d6b90acf59c1d35e8016c1ef2be86fc37

SHA256
fa76cee770562aa38da97bc0c47b64cb4071f4799e46f316775998bd72f823da

SHA512
3bc18fdda8b62acf203e31907dc77e30b3d87fa25fbfdc8128b3857752c85b111a872e931593cb6f9e3c9bb53be66bf0810bd9d0e1d2347735b2785743ff7d4c

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
657KB

MD5
fdc7acdbf63b0dd2d7b044b1bf89382f

SHA1
5b51438d6b90acf59c1d35e8016c1ef2be86fc37

SHA256
fa76cee770562aa38da97bc0c47b64cb4071f4799e46f316775998bd72f823da

SHA512
3bc18fdda8b62acf203e31907dc77e30b3d87fa25fbfdc8128b3857752c85b111a872e931593cb6f9e3c9bb53be66bf0810bd9d0e1d2347735b2785743ff7d4c

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
657KB

MD5
fdc7acdbf63b0dd2d7b044b1bf89382f

SHA1
5b51438d6b90acf59c1d35e8016c1ef2be86fc37

SHA256
fa76cee770562aa38da97bc0c47b64cb4071f4799e46f316775998bd72f823da

SHA512
3bc18fdda8b62acf203e31907dc77e30b3d87fa25fbfdc8128b3857752c85b111a872e931593cb6f9e3c9bb53be66bf0810bd9d0e1d2347735b2785743ff7d4c

Download Submit
memory/624-58-0x0000000074EF1000-0x0000000074EF3000-memory.dmp

Filesize
8KB

Download
memory/624-56-0x00000000766F1000-0x00000000766F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads