9567050b56c09f30495cd348753d5855154c523ea8fdc33669d1aa683f8d2022

Analysis

max time kernel
126s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 23:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9567050b56c09f30495cd348753d5855154c523ea8fdc33669d1aa683f8d2022.exe
Size

197KB
MD5

9e5da9499a71d48f75265d95b709a4e3
SHA1

104541f48ab291e73c7e7d1472553d0d7141ad6e
SHA256

9567050b56c09f30495cd348753d5855154c523ea8fdc33669d1aa683f8d2022
SHA512

539b0e7473c2bd964d9ce74024f2a6634000facf02f4ae9d94c37772ce06cff58e7069838788ce9fdc7a9d5bec367d3a0101ecd2ea69f73d387b54f141b5458b
SSDEEP

3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCm/DERAFthx+xT:gDCwfG1bnxLERWtCR

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	9567050b56c09f30495cd348753d5855154c523ea8fdc33669d1aa683f8d2022.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	9567050b56c09f30495cd348753d5855154c523ea8fdc33669d1aa683f8d2022.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ORXGKKZC = "W_X_C.bat"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ORXGKKZC = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ORXGKKZC = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
944	avscan.exe
964	avscan.exe
1616	hosts.exe
1800	hosts.exe
1032	avscan.exe
1408	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
1348	9567050b56c09f30495cd348753d5855154c523ea8fdc33669d1aa683f8d2022.exe
1348	9567050b56c09f30495cd348753d5855154c523ea8fdc33669d1aa683f8d2022.exe
944	avscan.exe
1616	hosts.exe
1616	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	9567050b56c09f30495cd348753d5855154c523ea8fdc33669d1aa683f8d2022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	9567050b56c09f30495cd348753d5855154c523ea8fdc33669d1aa683f8d2022.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\W_X_C.vbs	9567050b56c09f30495cd348753d5855154c523ea8fdc33669d1aa683f8d2022.exe
File created	\??\c:\windows\W_X_C.bat	9567050b56c09f30495cd348753d5855154c523ea8fdc33669d1aa683f8d2022.exe
File opened for modification	C:\Windows\hosts.exe	9567050b56c09f30495cd348753d5855154c523ea8fdc33669d1aa683f8d2022.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
672	REG.exe
824	REG.exe
952	REG.exe
752	REG.exe
1048	REG.exe
1088	REG.exe
844	REG.exe
1928	REG.exe
1256	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
944	avscan.exe
1616	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1348	9567050b56c09f30495cd348753d5855154c523ea8fdc33669d1aa683f8d2022.exe
944	avscan.exe
964	avscan.exe
1616	hosts.exe
1800	hosts.exe
1032	avscan.exe
1408	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 672	1348	9567050b56c09f30495cd348753d5855154c523ea8fdc33669d1aa683f8d2022.exe	26
PID 1348 wrote to memory of 672	1348	9567050b56c09f30495cd348753d5855154c523ea8fdc33669d1aa683f8d2022.exe	26
PID 1348 wrote to memory of 672	1348	9567050b56c09f30495cd348753d5855154c523ea8fdc33669d1aa683f8d2022.exe	26
PID 1348 wrote to memory of 672	1348	9567050b56c09f30495cd348753d5855154c523ea8fdc33669d1aa683f8d2022.exe	26
PID 1348 wrote to memory of 944	1348	9567050b56c09f30495cd348753d5855154c523ea8fdc33669d1aa683f8d2022.exe	28
PID 1348 wrote to memory of 944	1348	9567050b56c09f30495cd348753d5855154c523ea8fdc33669d1aa683f8d2022.exe	28
PID 1348 wrote to memory of 944	1348	9567050b56c09f30495cd348753d5855154c523ea8fdc33669d1aa683f8d2022.exe	28
PID 1348 wrote to memory of 944	1348	9567050b56c09f30495cd348753d5855154c523ea8fdc33669d1aa683f8d2022.exe	28
PID 944 wrote to memory of 964	944	avscan.exe	29
PID 944 wrote to memory of 964	944	avscan.exe	29
PID 944 wrote to memory of 964	944	avscan.exe	29
PID 944 wrote to memory of 964	944	avscan.exe	29
PID 944 wrote to memory of 972	944	avscan.exe	30
PID 944 wrote to memory of 972	944	avscan.exe	30
PID 944 wrote to memory of 972	944	avscan.exe	30
PID 944 wrote to memory of 972	944	avscan.exe	30
PID 1348 wrote to memory of 904	1348	9567050b56c09f30495cd348753d5855154c523ea8fdc33669d1aa683f8d2022.exe	31
PID 1348 wrote to memory of 904	1348	9567050b56c09f30495cd348753d5855154c523ea8fdc33669d1aa683f8d2022.exe	31
PID 1348 wrote to memory of 904	1348	9567050b56c09f30495cd348753d5855154c523ea8fdc33669d1aa683f8d2022.exe	31
PID 1348 wrote to memory of 904	1348	9567050b56c09f30495cd348753d5855154c523ea8fdc33669d1aa683f8d2022.exe	31
PID 904 wrote to memory of 1616	904	cmd.exe	35
PID 904 wrote to memory of 1616	904	cmd.exe	35
PID 904 wrote to memory of 1616	904	cmd.exe	35
PID 904 wrote to memory of 1616	904	cmd.exe	35
PID 972 wrote to memory of 1800	972	cmd.exe	34
PID 972 wrote to memory of 1800	972	cmd.exe	34
PID 972 wrote to memory of 1800	972	cmd.exe	34
PID 972 wrote to memory of 1800	972	cmd.exe	34
PID 1616 wrote to memory of 1032	1616	hosts.exe	36
PID 1616 wrote to memory of 1032	1616	hosts.exe	36
PID 1616 wrote to memory of 1032	1616	hosts.exe	36
PID 1616 wrote to memory of 1032	1616	hosts.exe	36
PID 1616 wrote to memory of 1852	1616	hosts.exe	37
PID 1616 wrote to memory of 1852	1616	hosts.exe	37
PID 1616 wrote to memory of 1852	1616	hosts.exe	37
PID 1616 wrote to memory of 1852	1616	hosts.exe	37
PID 1852 wrote to memory of 1408	1852	cmd.exe	39
PID 1852 wrote to memory of 1408	1852	cmd.exe	39
PID 1852 wrote to memory of 1408	1852	cmd.exe	39
PID 1852 wrote to memory of 1408	1852	cmd.exe	39
PID 972 wrote to memory of 1644	972	cmd.exe	40
PID 972 wrote to memory of 1644	972	cmd.exe	40
PID 972 wrote to memory of 1644	972	cmd.exe	40
PID 972 wrote to memory of 1644	972	cmd.exe	40
PID 904 wrote to memory of 564	904	cmd.exe	41
PID 904 wrote to memory of 564	904	cmd.exe	41
PID 904 wrote to memory of 564	904	cmd.exe	41
PID 904 wrote to memory of 564	904	cmd.exe	41
PID 1852 wrote to memory of 1096	1852	cmd.exe	42
PID 1852 wrote to memory of 1096	1852	cmd.exe	42
PID 1852 wrote to memory of 1096	1852	cmd.exe	42
PID 1852 wrote to memory of 1096	1852	cmd.exe	42
PID 944 wrote to memory of 1048	944	avscan.exe	43
PID 944 wrote to memory of 1048	944	avscan.exe	43
PID 944 wrote to memory of 1048	944	avscan.exe	43
PID 944 wrote to memory of 1048	944	avscan.exe	43
PID 1616 wrote to memory of 1088	1616	hosts.exe	44
PID 1616 wrote to memory of 1088	1616	hosts.exe	44
PID 1616 wrote to memory of 1088	1616	hosts.exe	44
PID 1616 wrote to memory of 1088	1616	hosts.exe	44
PID 1616 wrote to memory of 844	1616	hosts.exe	47
PID 1616 wrote to memory of 844	1616	hosts.exe	47
PID 1616 wrote to memory of 844	1616	hosts.exe	47
PID 1616 wrote to memory of 844	1616	hosts.exe	47

C:\Users\Admin\AppData\Local\Temp\9567050b56c09f30495cd348753d5855154c523ea8fdc33669d1aa683f8d2022.exe
"C:\Users\Admin\AppData\Local\Temp\9567050b56c09f30495cd348753d5855154c523ea8fdc33669d1aa683f8d2022.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:672
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:944
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:964
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:972
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1800
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:1644
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1048
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:824
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1928
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1256
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1616
  - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1032
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\W_X_C.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1852
    - - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1408
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        5⤵
        Adds policy Run key to start application
        
        PID:1096
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1088
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:844
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:952
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:752
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
443KB

MD5
7f53afee91e5ab96dba6e8f8ab716b00

SHA1
6f7387ea900e9e552768f8249e0d108cae909240

SHA256
6d92042aa2812a510b61d04dcd97e28873aba51434a5be776c07ab4274f65f87

SHA512
e37d2bdc5cfdc096647d0a20c71ae5d8c388142f945fb0eb10c1762672d46420d4e27bf71c19cd4a67dafb6c9403e455c41a7c0df05683aa295031bb857e9962

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
641KB

MD5
8563545a3ab3fdf01d01ee1d3d61817a

SHA1
88be37674bc64ebe165e783fd97171627df75cae

SHA256
48841f9fb55c2f160ff501a7f80171deef7dcb34764e2a7bfbc7485b11cc01f6

SHA512
8a9b3294d4c4c24fc8ed6185fa00f5e81753df2ec95a2847e3068a5396f5e55a52081b16b454a57930988ea162309da89d0d9e08b7f97ee0b213d164ce96af85

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
838KB

MD5
91d43d7817c9d2f49b9b47252eb8a897

SHA1
ed7fef9d3128777c5b3955613b41b7d98c7e696f

SHA256
208b8cf7609829226cb5d49318a1630298f86536e32a8c015f132f7eaad5c1c4

SHA512
41f5723fe4cff41fdb0020820526acb8f78bd095b224b4bc4a8480891e1d3fc3c01b1d2ef2a757cbdaacb8f2ed9222cb420be01d7eb4af390921b8247c00e6eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.2MB

MD5
c1ce852fcf3bba0e9a9ab1ffa0114bd2

SHA1
20b19fe27b2b5e2bd7098db735cf0dcb60b16b6a

SHA256
5cd500a62fd0808e3512aef8dfe34b90888f862d25d3385c82c6f866a0fd5af7

SHA512
3473a734680739c3f47e34b6dffa359cb55468f2533ec1c41cd959075a2276e570e19376bc19fadc5dcd6a393d0e4bb7acad66c8ecea64b4ceb54aa1a1194183

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.6MB

MD5
4cf5e07fed9a440e722b43ff07259199

SHA1
9425c572bb393f83ca3915a82573b7e1d248c599

SHA256
389d8e57c782f6246d647af985472539d8f30ad914fd933f45cfa2b292e32b14

SHA512
9cce2f05646e98e12dfdf3085d85aa6ecd8c9ee5aceaf924e1d2aa411ba610ed0ba25d5e8f08a080e644ea4c44173579c83ad48118ea950dc807845381d22e1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.6MB

MD5
6122d796fb167e348aa870bc60c5c639

SHA1
7eaf7734705ab846623d8f9fdbf335f8aecccd33

SHA256
0c23e951027a9a6d9d4fcb946a995f8bd6633165d13ca3919f2b6518462ff50f

SHA512
6d2e92c7113c17971f0be430137b4a00f3b802aee3c56b5f39cdc9a53a612164be22bc4e702c947fd39bb2c61fee04b5061e8821368cfe296d75d123508e6e1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
197KB

MD5
487d57651baaef373509db6bcd01647e

SHA1
90905d8d8eac10983ceb165eb0a8bdfb3b001399

SHA256
73515a1cb72d330ca5de392a26803ed8d215448cd653bf7f8db32f2f08273726

SHA512
f84840b82e7b843d0310370da6e55649d03a2cf64b2ab5550a2364ae07f59a9dbd82bd4258981dc7f1fd8460dde4b530fc5caf4e45dbd070867631eb8d539543

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
197KB

MD5
487d57651baaef373509db6bcd01647e

SHA1
90905d8d8eac10983ceb165eb0a8bdfb3b001399

SHA256
73515a1cb72d330ca5de392a26803ed8d215448cd653bf7f8db32f2f08273726

SHA512
f84840b82e7b843d0310370da6e55649d03a2cf64b2ab5550a2364ae07f59a9dbd82bd4258981dc7f1fd8460dde4b530fc5caf4e45dbd070867631eb8d539543

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
197KB

MD5
487d57651baaef373509db6bcd01647e

SHA1
90905d8d8eac10983ceb165eb0a8bdfb3b001399

SHA256
73515a1cb72d330ca5de392a26803ed8d215448cd653bf7f8db32f2f08273726

SHA512
f84840b82e7b843d0310370da6e55649d03a2cf64b2ab5550a2364ae07f59a9dbd82bd4258981dc7f1fd8460dde4b530fc5caf4e45dbd070867631eb8d539543

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
197KB

MD5
487d57651baaef373509db6bcd01647e

SHA1
90905d8d8eac10983ceb165eb0a8bdfb3b001399

SHA256
73515a1cb72d330ca5de392a26803ed8d215448cd653bf7f8db32f2f08273726

SHA512
f84840b82e7b843d0310370da6e55649d03a2cf64b2ab5550a2364ae07f59a9dbd82bd4258981dc7f1fd8460dde4b530fc5caf4e45dbd070867631eb8d539543

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
6cb1a862c5d3015502be64b07c6b5ec7

SHA1
055b4b97bd55f4f0f47fd8c981fc216709e91936

SHA256
6ae3ae6c1d057e9376efd0711d9912dfddebd9f8a8b257cee104cba98195c48e

SHA512
5f8f0cdbbd70f06bc8783c0e762208a3c54daf0f2b064abd450116cb31963d0802bc59648e868d647031e0e321d151a20f1b71ccba613f6e1c0c7fbb7ee974ab

Download Submit
C:\Windows\hosts.exe

Filesize
197KB

MD5
487d57651baaef373509db6bcd01647e

SHA1
90905d8d8eac10983ceb165eb0a8bdfb3b001399

SHA256
73515a1cb72d330ca5de392a26803ed8d215448cd653bf7f8db32f2f08273726

SHA512
f84840b82e7b843d0310370da6e55649d03a2cf64b2ab5550a2364ae07f59a9dbd82bd4258981dc7f1fd8460dde4b530fc5caf4e45dbd070867631eb8d539543

Download Submit
C:\Windows\hosts.exe

Filesize
197KB

MD5
60d32cdd62a7ba08c22044265d5a6768

SHA1
c22f24e32ee02ec30731ec729d54182a4ab6ab96

SHA256
c58b040624ed837aee2b4cdd7a47f6ffac692045c65a2ffebacd4576b250e9bb

SHA512
80e9a6bcc8612b407770e2c1719daa1ddd9abbcd4439e7ee369c3b060b1a17d91de14ee71f2679b13e9b47136a18f33c5c9766f9497f53d36075a5e5083700b9

Download Submit
C:\Windows\hosts.exe

Filesize
197KB

MD5
60d32cdd62a7ba08c22044265d5a6768

SHA1
c22f24e32ee02ec30731ec729d54182a4ab6ab96

SHA256
c58b040624ed837aee2b4cdd7a47f6ffac692045c65a2ffebacd4576b250e9bb

SHA512
80e9a6bcc8612b407770e2c1719daa1ddd9abbcd4439e7ee369c3b060b1a17d91de14ee71f2679b13e9b47136a18f33c5c9766f9497f53d36075a5e5083700b9

Download Submit
C:\Windows\hosts.exe

Filesize
197KB

MD5
60d32cdd62a7ba08c22044265d5a6768

SHA1
c22f24e32ee02ec30731ec729d54182a4ab6ab96

SHA256
c58b040624ed837aee2b4cdd7a47f6ffac692045c65a2ffebacd4576b250e9bb

SHA512
80e9a6bcc8612b407770e2c1719daa1ddd9abbcd4439e7ee369c3b060b1a17d91de14ee71f2679b13e9b47136a18f33c5c9766f9497f53d36075a5e5083700b9

Download Submit
C:\windows\hosts.exe

Filesize
197KB

MD5
60d32cdd62a7ba08c22044265d5a6768

SHA1
c22f24e32ee02ec30731ec729d54182a4ab6ab96

SHA256
c58b040624ed837aee2b4cdd7a47f6ffac692045c65a2ffebacd4576b250e9bb

SHA512
80e9a6bcc8612b407770e2c1719daa1ddd9abbcd4439e7ee369c3b060b1a17d91de14ee71f2679b13e9b47136a18f33c5c9766f9497f53d36075a5e5083700b9

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
197KB

MD5
487d57651baaef373509db6bcd01647e

SHA1
90905d8d8eac10983ceb165eb0a8bdfb3b001399

SHA256
73515a1cb72d330ca5de392a26803ed8d215448cd653bf7f8db32f2f08273726

SHA512
f84840b82e7b843d0310370da6e55649d03a2cf64b2ab5550a2364ae07f59a9dbd82bd4258981dc7f1fd8460dde4b530fc5caf4e45dbd070867631eb8d539543

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
197KB

MD5
487d57651baaef373509db6bcd01647e

SHA1
90905d8d8eac10983ceb165eb0a8bdfb3b001399

SHA256
73515a1cb72d330ca5de392a26803ed8d215448cd653bf7f8db32f2f08273726

SHA512
f84840b82e7b843d0310370da6e55649d03a2cf64b2ab5550a2364ae07f59a9dbd82bd4258981dc7f1fd8460dde4b530fc5caf4e45dbd070867631eb8d539543

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
197KB

MD5
487d57651baaef373509db6bcd01647e

SHA1
90905d8d8eac10983ceb165eb0a8bdfb3b001399

SHA256
73515a1cb72d330ca5de392a26803ed8d215448cd653bf7f8db32f2f08273726

SHA512
f84840b82e7b843d0310370da6e55649d03a2cf64b2ab5550a2364ae07f59a9dbd82bd4258981dc7f1fd8460dde4b530fc5caf4e45dbd070867631eb8d539543

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
197KB

MD5
487d57651baaef373509db6bcd01647e

SHA1
90905d8d8eac10983ceb165eb0a8bdfb3b001399

SHA256
73515a1cb72d330ca5de392a26803ed8d215448cd653bf7f8db32f2f08273726

SHA512
f84840b82e7b843d0310370da6e55649d03a2cf64b2ab5550a2364ae07f59a9dbd82bd4258981dc7f1fd8460dde4b530fc5caf4e45dbd070867631eb8d539543

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
197KB

MD5
487d57651baaef373509db6bcd01647e

SHA1
90905d8d8eac10983ceb165eb0a8bdfb3b001399

SHA256
73515a1cb72d330ca5de392a26803ed8d215448cd653bf7f8db32f2f08273726

SHA512
f84840b82e7b843d0310370da6e55649d03a2cf64b2ab5550a2364ae07f59a9dbd82bd4258981dc7f1fd8460dde4b530fc5caf4e45dbd070867631eb8d539543

Download Submit
memory/1348-56-0x0000000074F41000-0x0000000074F43000-memory.dmp

Filesize
8KB

Download
memory/1348-58-0x0000000074501000-0x0000000074503000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads