75c8d3ddc165be49625de0675f8e67dbab3ccef72c4332e4e2ef61a960ff050a

Analysis

max time kernel
126s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75c8d3ddc165be49625de0675f8e67dbab3ccef72c4332e4e2ef61a960ff050a.exe
Size

708KB
MD5

53aa77528dcccbdcda93a9df77fab463
SHA1

ec3d0863d693f32c3637e2490564cf7c434ef59a
SHA256

75c8d3ddc165be49625de0675f8e67dbab3ccef72c4332e4e2ef61a960ff050a
SHA512

f8483b9ec12742ca2b045cf60688e03c3d6be914433bdf488d17da46302feeb992eb760202ac2a81d010b5deff0294492c786ccfb42f1b479b5d38bb0dd39841
SSDEEP

12288:g72bnI+w8GNA72bnI+w8GN472bnI+w8GNA72bnI+w8GNe:g72zd72zJ72zd72zr

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	75c8d3ddc165be49625de0675f8e67dbab3ccef72c4332e4e2ef61a960ff050a.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	75c8d3ddc165be49625de0675f8e67dbab3ccef72c4332e4e2ef61a960ff050a.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ORXGKKZC = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ORXGKKZC = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ORXGKKZC = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
1116	avscan.exe
1204	avscan.exe
2016	hosts.exe
1712	hosts.exe
1288	avscan.exe
1964	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
1184	75c8d3ddc165be49625de0675f8e67dbab3ccef72c4332e4e2ef61a960ff050a.exe
1184	75c8d3ddc165be49625de0675f8e67dbab3ccef72c4332e4e2ef61a960ff050a.exe
1116	avscan.exe
2016	hosts.exe
2016	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	75c8d3ddc165be49625de0675f8e67dbab3ccef72c4332e4e2ef61a960ff050a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	75c8d3ddc165be49625de0675f8e67dbab3ccef72c4332e4e2ef61a960ff050a.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\hosts.exe	75c8d3ddc165be49625de0675f8e67dbab3ccef72c4332e4e2ef61a960ff050a.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	75c8d3ddc165be49625de0675f8e67dbab3ccef72c4332e4e2ef61a960ff050a.exe
File created	\??\c:\windows\W_X_C.bat	75c8d3ddc165be49625de0675f8e67dbab3ccef72c4332e4e2ef61a960ff050a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
1800	REG.exe
840	REG.exe
1408	REG.exe
1580	REG.exe
920	REG.exe
2040	REG.exe
280	REG.exe
1800	REG.exe
1600	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1116	avscan.exe
2016	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1184	75c8d3ddc165be49625de0675f8e67dbab3ccef72c4332e4e2ef61a960ff050a.exe
1116	avscan.exe
1204	avscan.exe
1712	hosts.exe
2016	hosts.exe
1288	avscan.exe
1964	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 1800	1184	75c8d3ddc165be49625de0675f8e67dbab3ccef72c4332e4e2ef61a960ff050a.exe	26
PID 1184 wrote to memory of 1800	1184	75c8d3ddc165be49625de0675f8e67dbab3ccef72c4332e4e2ef61a960ff050a.exe	26
PID 1184 wrote to memory of 1800	1184	75c8d3ddc165be49625de0675f8e67dbab3ccef72c4332e4e2ef61a960ff050a.exe	26
PID 1184 wrote to memory of 1800	1184	75c8d3ddc165be49625de0675f8e67dbab3ccef72c4332e4e2ef61a960ff050a.exe	26
PID 1184 wrote to memory of 1116	1184	75c8d3ddc165be49625de0675f8e67dbab3ccef72c4332e4e2ef61a960ff050a.exe	28
PID 1184 wrote to memory of 1116	1184	75c8d3ddc165be49625de0675f8e67dbab3ccef72c4332e4e2ef61a960ff050a.exe	28
PID 1184 wrote to memory of 1116	1184	75c8d3ddc165be49625de0675f8e67dbab3ccef72c4332e4e2ef61a960ff050a.exe	28
PID 1184 wrote to memory of 1116	1184	75c8d3ddc165be49625de0675f8e67dbab3ccef72c4332e4e2ef61a960ff050a.exe	28
PID 1116 wrote to memory of 1204	1116	avscan.exe	29
PID 1116 wrote to memory of 1204	1116	avscan.exe	29
PID 1116 wrote to memory of 1204	1116	avscan.exe	29
PID 1116 wrote to memory of 1204	1116	avscan.exe	29
PID 1116 wrote to memory of 2032	1116	avscan.exe	33
PID 1116 wrote to memory of 2032	1116	avscan.exe	33
PID 1116 wrote to memory of 2032	1116	avscan.exe	33
PID 1116 wrote to memory of 2032	1116	avscan.exe	33
PID 1184 wrote to memory of 648	1184	75c8d3ddc165be49625de0675f8e67dbab3ccef72c4332e4e2ef61a960ff050a.exe	30
PID 1184 wrote to memory of 648	1184	75c8d3ddc165be49625de0675f8e67dbab3ccef72c4332e4e2ef61a960ff050a.exe	30
PID 1184 wrote to memory of 648	1184	75c8d3ddc165be49625de0675f8e67dbab3ccef72c4332e4e2ef61a960ff050a.exe	30
PID 1184 wrote to memory of 648	1184	75c8d3ddc165be49625de0675f8e67dbab3ccef72c4332e4e2ef61a960ff050a.exe	30
PID 2032 wrote to memory of 2016	2032	cmd.exe	34
PID 2032 wrote to memory of 2016	2032	cmd.exe	34
PID 2032 wrote to memory of 2016	2032	cmd.exe	34
PID 2032 wrote to memory of 2016	2032	cmd.exe	34
PID 648 wrote to memory of 1712	648	cmd.exe	35
PID 648 wrote to memory of 1712	648	cmd.exe	35
PID 648 wrote to memory of 1712	648	cmd.exe	35
PID 648 wrote to memory of 1712	648	cmd.exe	35
PID 2016 wrote to memory of 1288	2016	hosts.exe	36
PID 2016 wrote to memory of 1288	2016	hosts.exe	36
PID 2016 wrote to memory of 1288	2016	hosts.exe	36
PID 2016 wrote to memory of 1288	2016	hosts.exe	36
PID 2016 wrote to memory of 468	2016	hosts.exe	38
PID 2016 wrote to memory of 468	2016	hosts.exe	38
PID 2016 wrote to memory of 468	2016	hosts.exe	38
PID 2016 wrote to memory of 468	2016	hosts.exe	38
PID 648 wrote to memory of 1972	648	cmd.exe	37
PID 648 wrote to memory of 1972	648	cmd.exe	37
PID 648 wrote to memory of 1972	648	cmd.exe	37
PID 648 wrote to memory of 1972	648	cmd.exe	37
PID 468 wrote to memory of 1964	468	cmd.exe	40
PID 468 wrote to memory of 1964	468	cmd.exe	40
PID 468 wrote to memory of 1964	468	cmd.exe	40
PID 468 wrote to memory of 1964	468	cmd.exe	40
PID 468 wrote to memory of 1996	468	cmd.exe	41
PID 468 wrote to memory of 1996	468	cmd.exe	41
PID 468 wrote to memory of 1996	468	cmd.exe	41
PID 468 wrote to memory of 1996	468	cmd.exe	41
PID 2032 wrote to memory of 1528	2032	cmd.exe	42
PID 2032 wrote to memory of 1528	2032	cmd.exe	42
PID 2032 wrote to memory of 1528	2032	cmd.exe	42
PID 2032 wrote to memory of 1528	2032	cmd.exe	42
PID 1116 wrote to memory of 1580	1116	avscan.exe	43
PID 1116 wrote to memory of 1580	1116	avscan.exe	43
PID 1116 wrote to memory of 1580	1116	avscan.exe	43
PID 1116 wrote to memory of 1580	1116	avscan.exe	43
PID 2016 wrote to memory of 920	2016	hosts.exe	45
PID 2016 wrote to memory of 920	2016	hosts.exe	45
PID 2016 wrote to memory of 920	2016	hosts.exe	45
PID 2016 wrote to memory of 920	2016	hosts.exe	45
PID 1116 wrote to memory of 1600	1116	avscan.exe	47
PID 1116 wrote to memory of 1600	1116	avscan.exe	47
PID 1116 wrote to memory of 1600	1116	avscan.exe	47
PID 1116 wrote to memory of 1600	1116	avscan.exe	47

C:\Users\Admin\AppData\Local\Temp\75c8d3ddc165be49625de0675f8e67dbab3ccef72c4332e4e2ef61a960ff050a.exe
"C:\Users\Admin\AppData\Local\Temp\75c8d3ddc165be49625de0675f8e67dbab3ccef72c4332e4e2ef61a960ff050a.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:1800
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1204
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2016
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1288
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\W_X_C.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:468
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1964
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:1996
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:920
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1800
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:2040
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1408
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:1528
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1580
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1600
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:840
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:280
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:648
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1712
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:1972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.4MB

MD5
51b335c6bc8f440f112851c86cc1c3e8

SHA1
70cbe87720b9bc7144b9bfd432e7aa7286e10b66

SHA256
5accc291e2ce1c965b7c9fc464dce120e66d60e00bbb34171df9e8cd66db8c5c

SHA512
6f371d7da0d59bea2ed643f7e44d7710082fac1a6d3b58fb71902dbb57b98f99831e7ac19020f0671f9302206055edf2f4701fd361ba1daddebc44f2ce2a7256

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.1MB

MD5
9d11b4f503cf70f798f78de555207551

SHA1
2792f38f454088776d851fae2b125ebbe8cd3c48

SHA256
f38e338a115230eb9198bb172a8283a402aa1547cfe94c0a2f6875c80a2a8238

SHA512
e6e238321782b5b126fa96529cdae7cd50d8467e45523936c5f8c73808b64ba07dd6833d33011b11a489a795fd660708aba81917e9ed87f869b6cc72db87793c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.8MB

MD5
a6a0f78651325b4312bf979cbdd13bb9

SHA1
334361a4c2aa108ab4abc752f04c8b8b0e25ec3d

SHA256
52c858066c93e49019b90cead6545dc32255564c4e2172f5c17e271f28612cca

SHA512
bb40b31594081603d560aa7ae6f1ebc8c78beaecb713e623319e79c50c9e51fa6c45f254d11f90984b183ac0898ed95587dcc55460fc326b2a2a636b3967984b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
4.2MB

MD5
68a6dca32908a6cc6d786577afaee13d

SHA1
4ace63cd9a8acaa2dbc2fa2f6cad119710df9340

SHA256
9ad66a3c9d2c6ad3d2373714d2624a22710e472a47e3cdc0f94066a74abe8d8c

SHA512
a4d78dbbaa89bee5d078a434d91401498be485376c4342770f2720a3cf4c1126248d2b410ce8e8903642e48e272012788814b78d9db6102aedd2a060d274fe3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
4.2MB

MD5
ef7393274223be30db399c69669e3218

SHA1
b7a007a05ffe384b0f00a1820e49869b2fd18d4e

SHA256
96c88573467c7a50706f685ee6cccab6f1ff4323d8e270008baf75f47d46c942

SHA512
afd9ce73da1a5dfa6cd459a72d5157b9a35cb41baa35560973152f235af599030990e42717576c8bb159b0d987aa2c56e34e624180fa7dcde4048f0763edd19d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
5.6MB

MD5
636f7de10542ed32902e4be3192ff8a1

SHA1
803aa7536165bf7acc24d116efba86438c8ca9ee

SHA256
099067f7fa5b7caff10e62da7e758d29be719b18724f71fc5c4d810de54fc66c

SHA512
b26bbb21b7be790d96a3c8937d6d538005fb9d6483bc9c29114145aea413ebc9d2a123781ccb0db0b7ef73e5fa636f546d0bddf501b0e233b5b31aa2352026bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
708KB

MD5
99fa29a13389039725d3ccb8c755b6ff

SHA1
ae9e442448d7b15055c06aff0addef3a7568c785

SHA256
e180e09c08ab84913cb0ff21b9109bd7178fb5997151c0be59b1bd9bad563036

SHA512
ae20383498e4707518d37e7b2776e9de09af28c4ca6311482af190eff6554f8c624bfda1925480b5752bc271a16e4806f14502f3079ea00a04f9e6cf3c3ab9a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
708KB

MD5
99fa29a13389039725d3ccb8c755b6ff

SHA1
ae9e442448d7b15055c06aff0addef3a7568c785

SHA256
e180e09c08ab84913cb0ff21b9109bd7178fb5997151c0be59b1bd9bad563036

SHA512
ae20383498e4707518d37e7b2776e9de09af28c4ca6311482af190eff6554f8c624bfda1925480b5752bc271a16e4806f14502f3079ea00a04f9e6cf3c3ab9a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
708KB

MD5
99fa29a13389039725d3ccb8c755b6ff

SHA1
ae9e442448d7b15055c06aff0addef3a7568c785

SHA256
e180e09c08ab84913cb0ff21b9109bd7178fb5997151c0be59b1bd9bad563036

SHA512
ae20383498e4707518d37e7b2776e9de09af28c4ca6311482af190eff6554f8c624bfda1925480b5752bc271a16e4806f14502f3079ea00a04f9e6cf3c3ab9a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
708KB

MD5
99fa29a13389039725d3ccb8c755b6ff

SHA1
ae9e442448d7b15055c06aff0addef3a7568c785

SHA256
e180e09c08ab84913cb0ff21b9109bd7178fb5997151c0be59b1bd9bad563036

SHA512
ae20383498e4707518d37e7b2776e9de09af28c4ca6311482af190eff6554f8c624bfda1925480b5752bc271a16e4806f14502f3079ea00a04f9e6cf3c3ab9a4

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
6cb1a862c5d3015502be64b07c6b5ec7

SHA1
055b4b97bd55f4f0f47fd8c981fc216709e91936

SHA256
6ae3ae6c1d057e9376efd0711d9912dfddebd9f8a8b257cee104cba98195c48e

SHA512
5f8f0cdbbd70f06bc8783c0e762208a3c54daf0f2b064abd450116cb31963d0802bc59648e868d647031e0e321d151a20f1b71ccba613f6e1c0c7fbb7ee974ab

Download Submit
C:\Windows\hosts.exe

Filesize
708KB

MD5
5495a8331ac34af35165346b2c4c999b

SHA1
6bfe704112842d5daf817d00e98e80cb75ad9e73

SHA256
b45e3b75a53bd0a5a0d354bc0a8b9934236ee5fbea73aabaefe691ad1cefe146

SHA512
dda393329fabaa7bf67a14e413b7c05877effa89a856809c247a72f9d0316eef7fa862a576d9e43a8d52e56183505604029e6f91f679d4d9aff31a78c89fb0ce

Download Submit
C:\Windows\hosts.exe

Filesize
708KB

MD5
5495a8331ac34af35165346b2c4c999b

SHA1
6bfe704112842d5daf817d00e98e80cb75ad9e73

SHA256
b45e3b75a53bd0a5a0d354bc0a8b9934236ee5fbea73aabaefe691ad1cefe146

SHA512
dda393329fabaa7bf67a14e413b7c05877effa89a856809c247a72f9d0316eef7fa862a576d9e43a8d52e56183505604029e6f91f679d4d9aff31a78c89fb0ce

Download Submit
C:\Windows\hosts.exe

Filesize
708KB

MD5
5495a8331ac34af35165346b2c4c999b

SHA1
6bfe704112842d5daf817d00e98e80cb75ad9e73

SHA256
b45e3b75a53bd0a5a0d354bc0a8b9934236ee5fbea73aabaefe691ad1cefe146

SHA512
dda393329fabaa7bf67a14e413b7c05877effa89a856809c247a72f9d0316eef7fa862a576d9e43a8d52e56183505604029e6f91f679d4d9aff31a78c89fb0ce

Download Submit
C:\Windows\hosts.exe

Filesize
708KB

MD5
5495a8331ac34af35165346b2c4c999b

SHA1
6bfe704112842d5daf817d00e98e80cb75ad9e73

SHA256
b45e3b75a53bd0a5a0d354bc0a8b9934236ee5fbea73aabaefe691ad1cefe146

SHA512
dda393329fabaa7bf67a14e413b7c05877effa89a856809c247a72f9d0316eef7fa862a576d9e43a8d52e56183505604029e6f91f679d4d9aff31a78c89fb0ce

Download Submit
C:\windows\hosts.exe

Filesize
708KB

MD5
5495a8331ac34af35165346b2c4c999b

SHA1
6bfe704112842d5daf817d00e98e80cb75ad9e73

SHA256
b45e3b75a53bd0a5a0d354bc0a8b9934236ee5fbea73aabaefe691ad1cefe146

SHA512
dda393329fabaa7bf67a14e413b7c05877effa89a856809c247a72f9d0316eef7fa862a576d9e43a8d52e56183505604029e6f91f679d4d9aff31a78c89fb0ce

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
708KB

MD5
99fa29a13389039725d3ccb8c755b6ff

SHA1
ae9e442448d7b15055c06aff0addef3a7568c785

SHA256
e180e09c08ab84913cb0ff21b9109bd7178fb5997151c0be59b1bd9bad563036

SHA512
ae20383498e4707518d37e7b2776e9de09af28c4ca6311482af190eff6554f8c624bfda1925480b5752bc271a16e4806f14502f3079ea00a04f9e6cf3c3ab9a4

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
708KB

MD5
99fa29a13389039725d3ccb8c755b6ff

SHA1
ae9e442448d7b15055c06aff0addef3a7568c785

SHA256
e180e09c08ab84913cb0ff21b9109bd7178fb5997151c0be59b1bd9bad563036

SHA512
ae20383498e4707518d37e7b2776e9de09af28c4ca6311482af190eff6554f8c624bfda1925480b5752bc271a16e4806f14502f3079ea00a04f9e6cf3c3ab9a4

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
708KB

MD5
99fa29a13389039725d3ccb8c755b6ff

SHA1
ae9e442448d7b15055c06aff0addef3a7568c785

SHA256
e180e09c08ab84913cb0ff21b9109bd7178fb5997151c0be59b1bd9bad563036

SHA512
ae20383498e4707518d37e7b2776e9de09af28c4ca6311482af190eff6554f8c624bfda1925480b5752bc271a16e4806f14502f3079ea00a04f9e6cf3c3ab9a4

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
708KB

MD5
99fa29a13389039725d3ccb8c755b6ff

SHA1
ae9e442448d7b15055c06aff0addef3a7568c785

SHA256
e180e09c08ab84913cb0ff21b9109bd7178fb5997151c0be59b1bd9bad563036

SHA512
ae20383498e4707518d37e7b2776e9de09af28c4ca6311482af190eff6554f8c624bfda1925480b5752bc271a16e4806f14502f3079ea00a04f9e6cf3c3ab9a4

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
708KB

MD5
99fa29a13389039725d3ccb8c755b6ff

SHA1
ae9e442448d7b15055c06aff0addef3a7568c785

SHA256
e180e09c08ab84913cb0ff21b9109bd7178fb5997151c0be59b1bd9bad563036

SHA512
ae20383498e4707518d37e7b2776e9de09af28c4ca6311482af190eff6554f8c624bfda1925480b5752bc271a16e4806f14502f3079ea00a04f9e6cf3c3ab9a4

Download Submit
memory/1184-56-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download
memory/1184-58-0x0000000074361000-0x0000000074363000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads