ff2313e885a32218c9dd0130d425e6cc1fe6b97dd8a310fc9254587ab7c1cab7

Analysis

max time kernel
127s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02-12-2022 23:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff2313e885a32218c9dd0130d425e6cc1fe6b97dd8a310fc9254587ab7c1cab7.exe
Size

396KB
MD5

ec33e4311c03637d2a1259874d9005ed
SHA1

27641285e02f073c4c1e19c081435179e8cbc0a9
SHA256

ff2313e885a32218c9dd0130d425e6cc1fe6b97dd8a310fc9254587ab7c1cab7
SHA512

8c3cd27e04832f4d20794d59a1ed7db1b2113b3a9c954346e77466fa33540fb9f0563066c8d3ca2c6ec883a551267ea2151c90adf9b359a6d0ab5b9d2507ba83
SSDEEP

6144:gDCwfG1bnxLEDuG14dDCwfG1bnxLEDuG143XK:g72bntEDuG1A72bntEDuG1r

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	ff2313e885a32218c9dd0130d425e6cc1fe6b97dd8a310fc9254587ab7c1cab7.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ff2313e885a32218c9dd0130d425e6cc1fe6b97dd8a310fc9254587ab7c1cab7.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RYNKSFQE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RYNKSFQE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RYNKSFQE = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
456	avscan.exe
676	avscan.exe
928	hosts.exe
1368	hosts.exe
1504	avscan.exe
856	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
1292	ff2313e885a32218c9dd0130d425e6cc1fe6b97dd8a310fc9254587ab7c1cab7.exe
1292	ff2313e885a32218c9dd0130d425e6cc1fe6b97dd8a310fc9254587ab7c1cab7.exe
456	avscan.exe
928	hosts.exe
928	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	ff2313e885a32218c9dd0130d425e6cc1fe6b97dd8a310fc9254587ab7c1cab7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	ff2313e885a32218c9dd0130d425e6cc1fe6b97dd8a310fc9254587ab7c1cab7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\W_X_C.vbs	ff2313e885a32218c9dd0130d425e6cc1fe6b97dd8a310fc9254587ab7c1cab7.exe
File created	\??\c:\windows\W_X_C.bat	ff2313e885a32218c9dd0130d425e6cc1fe6b97dd8a310fc9254587ab7c1cab7.exe
File opened for modification	C:\Windows\hosts.exe	ff2313e885a32218c9dd0130d425e6cc1fe6b97dd8a310fc9254587ab7c1cab7.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
1080	REG.exe
2036	REG.exe
1624	REG.exe
1292	REG.exe
112	REG.exe
1160	REG.exe
764	REG.exe
1772	REG.exe
820	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
456	avscan.exe
928	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1292	ff2313e885a32218c9dd0130d425e6cc1fe6b97dd8a310fc9254587ab7c1cab7.exe
456	avscan.exe
676	avscan.exe
928	hosts.exe
1368	hosts.exe
1504	avscan.exe
856	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 1080	1292	ff2313e885a32218c9dd0130d425e6cc1fe6b97dd8a310fc9254587ab7c1cab7.exe	27
PID 1292 wrote to memory of 1080	1292	ff2313e885a32218c9dd0130d425e6cc1fe6b97dd8a310fc9254587ab7c1cab7.exe	27
PID 1292 wrote to memory of 1080	1292	ff2313e885a32218c9dd0130d425e6cc1fe6b97dd8a310fc9254587ab7c1cab7.exe	27
PID 1292 wrote to memory of 1080	1292	ff2313e885a32218c9dd0130d425e6cc1fe6b97dd8a310fc9254587ab7c1cab7.exe	27
PID 1292 wrote to memory of 456	1292	ff2313e885a32218c9dd0130d425e6cc1fe6b97dd8a310fc9254587ab7c1cab7.exe	29
PID 1292 wrote to memory of 456	1292	ff2313e885a32218c9dd0130d425e6cc1fe6b97dd8a310fc9254587ab7c1cab7.exe	29
PID 1292 wrote to memory of 456	1292	ff2313e885a32218c9dd0130d425e6cc1fe6b97dd8a310fc9254587ab7c1cab7.exe	29
PID 1292 wrote to memory of 456	1292	ff2313e885a32218c9dd0130d425e6cc1fe6b97dd8a310fc9254587ab7c1cab7.exe	29
PID 456 wrote to memory of 676	456	avscan.exe	30
PID 456 wrote to memory of 676	456	avscan.exe	30
PID 456 wrote to memory of 676	456	avscan.exe	30
PID 456 wrote to memory of 676	456	avscan.exe	30
PID 456 wrote to memory of 1512	456	avscan.exe	32
PID 456 wrote to memory of 1512	456	avscan.exe	32
PID 456 wrote to memory of 1512	456	avscan.exe	32
PID 456 wrote to memory of 1512	456	avscan.exe	32
PID 1292 wrote to memory of 1564	1292	ff2313e885a32218c9dd0130d425e6cc1fe6b97dd8a310fc9254587ab7c1cab7.exe	31
PID 1292 wrote to memory of 1564	1292	ff2313e885a32218c9dd0130d425e6cc1fe6b97dd8a310fc9254587ab7c1cab7.exe	31
PID 1292 wrote to memory of 1564	1292	ff2313e885a32218c9dd0130d425e6cc1fe6b97dd8a310fc9254587ab7c1cab7.exe	31
PID 1292 wrote to memory of 1564	1292	ff2313e885a32218c9dd0130d425e6cc1fe6b97dd8a310fc9254587ab7c1cab7.exe	31
PID 1564 wrote to memory of 928	1564	cmd.exe	36
PID 1564 wrote to memory of 928	1564	cmd.exe	36
PID 1564 wrote to memory of 928	1564	cmd.exe	36
PID 1564 wrote to memory of 928	1564	cmd.exe	36
PID 1512 wrote to memory of 1368	1512	cmd.exe	35
PID 1512 wrote to memory of 1368	1512	cmd.exe	35
PID 1512 wrote to memory of 1368	1512	cmd.exe	35
PID 1512 wrote to memory of 1368	1512	cmd.exe	35
PID 928 wrote to memory of 1504	928	hosts.exe	39
PID 928 wrote to memory of 1504	928	hosts.exe	39
PID 928 wrote to memory of 1504	928	hosts.exe	39
PID 928 wrote to memory of 1504	928	hosts.exe	39
PID 1512 wrote to memory of 1356	1512	cmd.exe	37
PID 1512 wrote to memory of 1356	1512	cmd.exe	37
PID 1512 wrote to memory of 1356	1512	cmd.exe	37
PID 1512 wrote to memory of 1356	1512	cmd.exe	37
PID 1564 wrote to memory of 836	1564	cmd.exe	38
PID 1564 wrote to memory of 836	1564	cmd.exe	38
PID 1564 wrote to memory of 836	1564	cmd.exe	38
PID 1564 wrote to memory of 836	1564	cmd.exe	38
PID 928 wrote to memory of 1084	928	hosts.exe	40
PID 928 wrote to memory of 1084	928	hosts.exe	40
PID 928 wrote to memory of 1084	928	hosts.exe	40
PID 928 wrote to memory of 1084	928	hosts.exe	40
PID 1084 wrote to memory of 856	1084	cmd.exe	42
PID 1084 wrote to memory of 856	1084	cmd.exe	42
PID 1084 wrote to memory of 856	1084	cmd.exe	42
PID 1084 wrote to memory of 856	1084	cmd.exe	42
PID 1084 wrote to memory of 1788	1084	cmd.exe	43
PID 1084 wrote to memory of 1788	1084	cmd.exe	43
PID 1084 wrote to memory of 1788	1084	cmd.exe	43
PID 1084 wrote to memory of 1788	1084	cmd.exe	43
PID 456 wrote to memory of 112	456	avscan.exe	44
PID 456 wrote to memory of 112	456	avscan.exe	44
PID 456 wrote to memory of 112	456	avscan.exe	44
PID 456 wrote to memory of 112	456	avscan.exe	44
PID 928 wrote to memory of 1160	928	hosts.exe	46
PID 928 wrote to memory of 1160	928	hosts.exe	46
PID 928 wrote to memory of 1160	928	hosts.exe	46
PID 928 wrote to memory of 1160	928	hosts.exe	46
PID 456 wrote to memory of 2036	456	avscan.exe	48
PID 456 wrote to memory of 2036	456	avscan.exe	48
PID 456 wrote to memory of 2036	456	avscan.exe	48
PID 456 wrote to memory of 2036	456	avscan.exe	48

C:\Users\Admin\AppData\Local\Temp\ff2313e885a32218c9dd0130d425e6cc1fe6b97dd8a310fc9254587ab7c1cab7.exe
"C:\Users\Admin\AppData\Local\Temp\ff2313e885a32218c9dd0130d425e6cc1fe6b97dd8a310fc9254587ab7c1cab7.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:1080
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:456
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:676
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1512
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1368
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:1356
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:112
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:2036
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:764
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:928
  - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1504
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\W_X_C.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1084
    - - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:856
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        5⤵
        Adds policy Run key to start application
        
        PID:1788
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1160
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1624
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1772
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:820
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
840KB

MD5
2a646ac9df2c52de384c913ef146c2fc

SHA1
7b3a994588b8e3ffb15f0aa4a95f23924a1712eb

SHA256
abce1124e9f9c5443a8f570a1ca126dc85f9c7f4cc693e717630ddd5b36ca251

SHA512
77fc49ac8e21b304ddf8bb8ea269afd6c8bf797f1f1fc13302297584c40be8d4b49b709727c549b2d2fad57f7a374b2eddb374771c01d6dc78850348e90a084d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.2MB

MD5
873207290bcdedf2af969bef24752678

SHA1
29ed7c514952fea1907604e4d1375f2b9d537d83

SHA256
22f293e8e626b082fbc863255c5e3deadc214492e91bb67c282ff0249374f542

SHA512
cdbb277ef977ac71ba08c12ebb99cbac4b60e9c0201f64441180aade498857d58b570683b3932a2f59bb4c110c9d173a9b285badfff20b682a36fd1fddaec468

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.6MB

MD5
21b9802e13e7c9f7fda8b16270eaa0d1

SHA1
fc2aba236022a0bcc42fc4e2c6adb63603565b2d

SHA256
0cdcf026043fbaf52cce14ac2ab953df8772f372e9a617b182d37846f13cd6d5

SHA512
506c026e532f4604afc511ddb2d91bb30a0bcd20150e252aed07f03bb661c9dcc8b8704eefb9c142421480eaa5cfb117acd21a1f2909c235c560b60388994d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.0MB

MD5
cfbde429da3bffee87f76d8b81375de0

SHA1
5c98a4dd456694690e03d11fcca8ae1564eb770f

SHA256
f0d14e96933c6106ac4c5adc8fa5f398e5d684ec7838d686fecd69087337f6f1

SHA512
8c61496eb76565bb1ad48c20dccf080f325bd218d03ad2023471b4adfc53f4b1505c2944fbfdb30727c8c34653caba8b7b7c479d86b1f45ef608fda6832cbd99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.4MB

MD5
b4ac70b7a4163927804d4635cedaaa96

SHA1
2e37c9b0b03ca3f8bd21c581d9523750f326d390

SHA256
84066a64ec9491be0d14d7fd293ef417b7ebafc20207ef1cc53d65c7df1e7eef

SHA512
1b0129643bc90a3a8b21a622592d0dbc3b2896a0f31dfe781749e0126d2c09aed310811566716a5eca0a9337b07e08d8fc58d8aba6eb3e335caf63d0a9d121f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.8MB

MD5
92b4c7bce55db43ed9727e2f65819d77

SHA1
f4fe7e753fcdec1f186c672f24915171e20b6474

SHA256
593a82b2f015b16c8ea2dc4932685c09b80705ec9e2e43394f8d12f37a31996e

SHA512
43df7f5667cd02dc23989bd0dc1cab6eb8812c58c76ff9c41578eeb3df4a5ca9ac3aafdc94637b49616556a976d5233ea7902d1d10b8943ec366a82f35cda44c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
3.1MB

MD5
a13242f488d46880bae408fafae4d9df

SHA1
173f9ecbea50d7d6b8eb37fd6f59a651880df12d

SHA256
64d5bf18ce3831683522afff58949f6358dda1d18326776377a04ee73f9a94e6

SHA512
46dcd964859b8caa854b6ea27c97c6fd29a35bbc17ef2da9f2fb9b11b56496204f6e4208b6b3ae93f3c8113209c0a711e3a0d880b15d181452cdabf821a8fe7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
396KB

MD5
c2b10f37c13cb37391a0dfb9709777bc

SHA1
5b7dd2304ab42d8d894b716bc640a10673dc292e

SHA256
6e7c7841796d48252a455e9e9b718c4901f5aa327955d42b8fad7b835101e8cf

SHA512
49329b33e29420a00148161295eb3eb4a7c48ed4d95cdbaaf2c38406117fd718b7b2aa431a9f657a6a9fdf026298420c51090c281e459ed40b531d9db94b0c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
396KB

MD5
c2b10f37c13cb37391a0dfb9709777bc

SHA1
5b7dd2304ab42d8d894b716bc640a10673dc292e

SHA256
6e7c7841796d48252a455e9e9b718c4901f5aa327955d42b8fad7b835101e8cf

SHA512
49329b33e29420a00148161295eb3eb4a7c48ed4d95cdbaaf2c38406117fd718b7b2aa431a9f657a6a9fdf026298420c51090c281e459ed40b531d9db94b0c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
396KB

MD5
c2b10f37c13cb37391a0dfb9709777bc

SHA1
5b7dd2304ab42d8d894b716bc640a10673dc292e

SHA256
6e7c7841796d48252a455e9e9b718c4901f5aa327955d42b8fad7b835101e8cf

SHA512
49329b33e29420a00148161295eb3eb4a7c48ed4d95cdbaaf2c38406117fd718b7b2aa431a9f657a6a9fdf026298420c51090c281e459ed40b531d9db94b0c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
396KB

MD5
c2b10f37c13cb37391a0dfb9709777bc

SHA1
5b7dd2304ab42d8d894b716bc640a10673dc292e

SHA256
6e7c7841796d48252a455e9e9b718c4901f5aa327955d42b8fad7b835101e8cf

SHA512
49329b33e29420a00148161295eb3eb4a7c48ed4d95cdbaaf2c38406117fd718b7b2aa431a9f657a6a9fdf026298420c51090c281e459ed40b531d9db94b0c53

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
8efab902a61f6cddc318bb5818c2f2e0

SHA1
9608751279ae04ba710d84c61e3937c12950b393

SHA256
a81d0e86c651ead3e4d9c7f64e637006e787c81c8ba3e784648c2786306bfb87

SHA512
aabd0e45609a39584c68c35e16124b399e9a4932bf6c98c22aa8c6ff71b2fbfc80333102960fcfca1abb38b344245f9cdf4cdc0c827c48235f618011a5fbfe18

Download Submit
C:\Windows\hosts.exe

Filesize
396KB

MD5
dca7c4344646e8ad68c3e0a283847e83

SHA1
c39b91d87776751b3f63819d70a9800a3cb2bc92

SHA256
356738025b3b0439b63d7b51c126a64bc6365313546729314a109558eb5ded14

SHA512
ef6f01d7686cb6c2aa8b60fac85236441c13332f3c185aa2d8c8144fa9e1d19b24bd865f2cb8df25433f695a6bb2c534783a543852f492c4d602a867d89e4ed9

Download Submit
C:\Windows\hosts.exe

Filesize
396KB

MD5
dca7c4344646e8ad68c3e0a283847e83

SHA1
c39b91d87776751b3f63819d70a9800a3cb2bc92

SHA256
356738025b3b0439b63d7b51c126a64bc6365313546729314a109558eb5ded14

SHA512
ef6f01d7686cb6c2aa8b60fac85236441c13332f3c185aa2d8c8144fa9e1d19b24bd865f2cb8df25433f695a6bb2c534783a543852f492c4d602a867d89e4ed9

Download Submit
C:\Windows\hosts.exe

Filesize
396KB

MD5
dca7c4344646e8ad68c3e0a283847e83

SHA1
c39b91d87776751b3f63819d70a9800a3cb2bc92

SHA256
356738025b3b0439b63d7b51c126a64bc6365313546729314a109558eb5ded14

SHA512
ef6f01d7686cb6c2aa8b60fac85236441c13332f3c185aa2d8c8144fa9e1d19b24bd865f2cb8df25433f695a6bb2c534783a543852f492c4d602a867d89e4ed9

Download Submit
C:\Windows\hosts.exe

Filesize
396KB

MD5
dca7c4344646e8ad68c3e0a283847e83

SHA1
c39b91d87776751b3f63819d70a9800a3cb2bc92

SHA256
356738025b3b0439b63d7b51c126a64bc6365313546729314a109558eb5ded14

SHA512
ef6f01d7686cb6c2aa8b60fac85236441c13332f3c185aa2d8c8144fa9e1d19b24bd865f2cb8df25433f695a6bb2c534783a543852f492c4d602a867d89e4ed9

Download Submit
C:\windows\hosts.exe

Filesize
396KB

MD5
dca7c4344646e8ad68c3e0a283847e83

SHA1
c39b91d87776751b3f63819d70a9800a3cb2bc92

SHA256
356738025b3b0439b63d7b51c126a64bc6365313546729314a109558eb5ded14

SHA512
ef6f01d7686cb6c2aa8b60fac85236441c13332f3c185aa2d8c8144fa9e1d19b24bd865f2cb8df25433f695a6bb2c534783a543852f492c4d602a867d89e4ed9

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
396KB

MD5
c2b10f37c13cb37391a0dfb9709777bc

SHA1
5b7dd2304ab42d8d894b716bc640a10673dc292e

SHA256
6e7c7841796d48252a455e9e9b718c4901f5aa327955d42b8fad7b835101e8cf

SHA512
49329b33e29420a00148161295eb3eb4a7c48ed4d95cdbaaf2c38406117fd718b7b2aa431a9f657a6a9fdf026298420c51090c281e459ed40b531d9db94b0c53

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
396KB

MD5
c2b10f37c13cb37391a0dfb9709777bc

SHA1
5b7dd2304ab42d8d894b716bc640a10673dc292e

SHA256
6e7c7841796d48252a455e9e9b718c4901f5aa327955d42b8fad7b835101e8cf

SHA512
49329b33e29420a00148161295eb3eb4a7c48ed4d95cdbaaf2c38406117fd718b7b2aa431a9f657a6a9fdf026298420c51090c281e459ed40b531d9db94b0c53

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
396KB

MD5
c2b10f37c13cb37391a0dfb9709777bc

SHA1
5b7dd2304ab42d8d894b716bc640a10673dc292e

SHA256
6e7c7841796d48252a455e9e9b718c4901f5aa327955d42b8fad7b835101e8cf

SHA512
49329b33e29420a00148161295eb3eb4a7c48ed4d95cdbaaf2c38406117fd718b7b2aa431a9f657a6a9fdf026298420c51090c281e459ed40b531d9db94b0c53

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
396KB

MD5
c2b10f37c13cb37391a0dfb9709777bc

SHA1
5b7dd2304ab42d8d894b716bc640a10673dc292e

SHA256
6e7c7841796d48252a455e9e9b718c4901f5aa327955d42b8fad7b835101e8cf

SHA512
49329b33e29420a00148161295eb3eb4a7c48ed4d95cdbaaf2c38406117fd718b7b2aa431a9f657a6a9fdf026298420c51090c281e459ed40b531d9db94b0c53

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
396KB

MD5
c2b10f37c13cb37391a0dfb9709777bc

SHA1
5b7dd2304ab42d8d894b716bc640a10673dc292e

SHA256
6e7c7841796d48252a455e9e9b718c4901f5aa327955d42b8fad7b835101e8cf

SHA512
49329b33e29420a00148161295eb3eb4a7c48ed4d95cdbaaf2c38406117fd718b7b2aa431a9f657a6a9fdf026298420c51090c281e459ed40b531d9db94b0c53

Download Submit
memory/1292-56-0x00000000762E1000-0x00000000762E3000-memory.dmp

Filesize
8KB

Download
memory/1292-58-0x0000000074D71000-0x0000000074D73000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads