58738343e581e807ef6563ecc48707365addeab6e0bb94bfa3ad9b87b80199e6

Analysis

max time kernel
125s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58738343e581e807ef6563ecc48707365addeab6e0bb94bfa3ad9b87b80199e6.exe
Size

216KB
MD5

c350a855aeec92c4f36994b89920ed54
SHA1

f23b11fc3c90db506e0c9597c7bbf096ddab0357
SHA256

58738343e581e807ef6563ecc48707365addeab6e0bb94bfa3ad9b87b80199e6
SHA512

fbbedf5e8ea0a658ef77d930714532a79f48d66b24ec036906dc6ed4620de588e56a1ad16d7bf3384ec396d7d1408df7cef1f57f4f1dc6f7e03574f4cfa9f5b4
SSDEEP

3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCm/DELU31fIclJ01wLVx+xV:gDCwfG1bnxLEDuG14O3

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	58738343e581e807ef6563ecc48707365addeab6e0bb94bfa3ad9b87b80199e6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	58738343e581e807ef6563ecc48707365addeab6e0bb94bfa3ad9b87b80199e6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GRXNNIIE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GRXNNIIE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GRXNNIIE = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
816	avscan.exe
2024	avscan.exe
1340	hosts.exe
1072	hosts.exe
1068	avscan.exe
1388	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
864	58738343e581e807ef6563ecc48707365addeab6e0bb94bfa3ad9b87b80199e6.exe
864	58738343e581e807ef6563ecc48707365addeab6e0bb94bfa3ad9b87b80199e6.exe
816	avscan.exe
1072	hosts.exe
1072	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	58738343e581e807ef6563ecc48707365addeab6e0bb94bfa3ad9b87b80199e6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	58738343e581e807ef6563ecc48707365addeab6e0bb94bfa3ad9b87b80199e6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\W_X_C.vbs	58738343e581e807ef6563ecc48707365addeab6e0bb94bfa3ad9b87b80199e6.exe
File created	\??\c:\windows\W_X_C.bat	58738343e581e807ef6563ecc48707365addeab6e0bb94bfa3ad9b87b80199e6.exe
File opened for modification	C:\Windows\hosts.exe	58738343e581e807ef6563ecc48707365addeab6e0bb94bfa3ad9b87b80199e6.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
960	REG.exe
1116	REG.exe
1760	REG.exe
1720	REG.exe
840	REG.exe
1808	REG.exe
2036	REG.exe
532	REG.exe
2008	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
816	avscan.exe
1072	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
864	58738343e581e807ef6563ecc48707365addeab6e0bb94bfa3ad9b87b80199e6.exe
816	avscan.exe
2024	avscan.exe
1340	hosts.exe
1072	hosts.exe
1068	avscan.exe
1388	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 960	864	58738343e581e807ef6563ecc48707365addeab6e0bb94bfa3ad9b87b80199e6.exe	27
PID 864 wrote to memory of 960	864	58738343e581e807ef6563ecc48707365addeab6e0bb94bfa3ad9b87b80199e6.exe	27
PID 864 wrote to memory of 960	864	58738343e581e807ef6563ecc48707365addeab6e0bb94bfa3ad9b87b80199e6.exe	27
PID 864 wrote to memory of 960	864	58738343e581e807ef6563ecc48707365addeab6e0bb94bfa3ad9b87b80199e6.exe	27
PID 864 wrote to memory of 816	864	58738343e581e807ef6563ecc48707365addeab6e0bb94bfa3ad9b87b80199e6.exe	29
PID 864 wrote to memory of 816	864	58738343e581e807ef6563ecc48707365addeab6e0bb94bfa3ad9b87b80199e6.exe	29
PID 864 wrote to memory of 816	864	58738343e581e807ef6563ecc48707365addeab6e0bb94bfa3ad9b87b80199e6.exe	29
PID 864 wrote to memory of 816	864	58738343e581e807ef6563ecc48707365addeab6e0bb94bfa3ad9b87b80199e6.exe	29
PID 816 wrote to memory of 2024	816	avscan.exe	30
PID 816 wrote to memory of 2024	816	avscan.exe	30
PID 816 wrote to memory of 2024	816	avscan.exe	30
PID 816 wrote to memory of 2024	816	avscan.exe	30
PID 816 wrote to memory of 1984	816	avscan.exe	31
PID 816 wrote to memory of 1984	816	avscan.exe	31
PID 816 wrote to memory of 1984	816	avscan.exe	31
PID 816 wrote to memory of 1984	816	avscan.exe	31
PID 864 wrote to memory of 468	864	58738343e581e807ef6563ecc48707365addeab6e0bb94bfa3ad9b87b80199e6.exe	33
PID 864 wrote to memory of 468	864	58738343e581e807ef6563ecc48707365addeab6e0bb94bfa3ad9b87b80199e6.exe	33
PID 864 wrote to memory of 468	864	58738343e581e807ef6563ecc48707365addeab6e0bb94bfa3ad9b87b80199e6.exe	33
PID 864 wrote to memory of 468	864	58738343e581e807ef6563ecc48707365addeab6e0bb94bfa3ad9b87b80199e6.exe	33
PID 468 wrote to memory of 1072	468	cmd.exe	35
PID 468 wrote to memory of 1072	468	cmd.exe	35
PID 468 wrote to memory of 1072	468	cmd.exe	35
PID 468 wrote to memory of 1072	468	cmd.exe	35
PID 1984 wrote to memory of 1340	1984	cmd.exe	36
PID 1984 wrote to memory of 1340	1984	cmd.exe	36
PID 1984 wrote to memory of 1340	1984	cmd.exe	36
PID 1984 wrote to memory of 1340	1984	cmd.exe	36
PID 1072 wrote to memory of 1068	1072	hosts.exe	39
PID 1072 wrote to memory of 1068	1072	hosts.exe	39
PID 1072 wrote to memory of 1068	1072	hosts.exe	39
PID 1072 wrote to memory of 1068	1072	hosts.exe	39
PID 1984 wrote to memory of 1912	1984	cmd.exe	38
PID 1984 wrote to memory of 1912	1984	cmd.exe	38
PID 1984 wrote to memory of 1912	1984	cmd.exe	38
PID 1984 wrote to memory of 1912	1984	cmd.exe	38
PID 468 wrote to memory of 1700	468	cmd.exe	37
PID 468 wrote to memory of 1700	468	cmd.exe	37
PID 468 wrote to memory of 1700	468	cmd.exe	37
PID 468 wrote to memory of 1700	468	cmd.exe	37
PID 1072 wrote to memory of 1572	1072	hosts.exe	41
PID 1072 wrote to memory of 1572	1072	hosts.exe	41
PID 1072 wrote to memory of 1572	1072	hosts.exe	41
PID 1072 wrote to memory of 1572	1072	hosts.exe	41
PID 1572 wrote to memory of 1388	1572	cmd.exe	42
PID 1572 wrote to memory of 1388	1572	cmd.exe	42
PID 1572 wrote to memory of 1388	1572	cmd.exe	42
PID 1572 wrote to memory of 1388	1572	cmd.exe	42
PID 1572 wrote to memory of 1264	1572	cmd.exe	43
PID 1572 wrote to memory of 1264	1572	cmd.exe	43
PID 1572 wrote to memory of 1264	1572	cmd.exe	43
PID 1572 wrote to memory of 1264	1572	cmd.exe	43
PID 816 wrote to memory of 840	816	avscan.exe	44
PID 816 wrote to memory of 840	816	avscan.exe	44
PID 816 wrote to memory of 840	816	avscan.exe	44
PID 816 wrote to memory of 840	816	avscan.exe	44
PID 1072 wrote to memory of 1808	1072	hosts.exe	46
PID 1072 wrote to memory of 1808	1072	hosts.exe	46
PID 1072 wrote to memory of 1808	1072	hosts.exe	46
PID 1072 wrote to memory of 1808	1072	hosts.exe	46
PID 1072 wrote to memory of 1760	1072	hosts.exe	49
PID 1072 wrote to memory of 1760	1072	hosts.exe	49
PID 1072 wrote to memory of 1760	1072	hosts.exe	49
PID 1072 wrote to memory of 1760	1072	hosts.exe	49

C:\Users\Admin\AppData\Local\Temp\58738343e581e807ef6563ecc48707365addeab6e0bb94bfa3ad9b87b80199e6.exe
"C:\Users\Admin\AppData\Local\Temp\58738343e581e807ef6563ecc48707365addeab6e0bb94bfa3ad9b87b80199e6.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:864
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:960
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1340
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:1912
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:840
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1116
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:2036
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:468
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1072
  - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1068
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\W_X_C.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1572
    - - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1388
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        5⤵
        Adds policy Run key to start application
        
        PID:1264
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1808
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1760
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:532
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:2008
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:1700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
264KB

MD5
62d2d704f2cc3731cc08a240f407f61c

SHA1
f520670c17ab7764a0b346df445ceff418dc5e5e

SHA256
c4203b6c57a04b5d2a1098611f89c58236a64a4135d5562b7da16623bf86898c

SHA512
a880ff09340643cef40b70e6a455b402dc8e8cfff487cef7a62c44d3e7ef5ff7446680ea33d01df11a447f3c9674d29df4708fc8f64c7877f4360549bb5aa8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
697KB

MD5
b849dfa4631bb2477af41489113fb0e4

SHA1
62f24ec595ecd88a2327390e7de5b38733ceb4e9

SHA256
e7c01fc395b733f7afdd87c0e8cc012c472664f94b8565402eb87562fa845f29

SHA512
8c47025b284a5020f2f8c12fbd9916c928fed89733c16417ac9ddd6f6274d2024566e66653d342f3b5e58baa1b025e9fa77263a91431af47b3a78d1f9dfbc722

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
697KB

MD5
b849dfa4631bb2477af41489113fb0e4

SHA1
62f24ec595ecd88a2327390e7de5b38733ceb4e9

SHA256
e7c01fc395b733f7afdd87c0e8cc012c472664f94b8565402eb87562fa845f29

SHA512
8c47025b284a5020f2f8c12fbd9916c928fed89733c16417ac9ddd6f6274d2024566e66653d342f3b5e58baa1b025e9fa77263a91431af47b3a78d1f9dfbc722

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.1MB

MD5
293ca968bfab8b581484a56980f87c61

SHA1
7cf169bd9d800f3e527fa890f2e539b432f5a2d5

SHA256
8839a37459b197a32d430054fa6c89a23fd89c5d3013849e219d0141ed03f86f

SHA512
3b8a8079cb3a729f1d0119d6c04ba70b90bb176e5f07c8b38165bb3073940445048d89be6e3fc4250368d69e7055827d1bbd1ef57c6fe4ac577a8349d8daf226

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.3MB

MD5
aa9932809c93ca1eccd2f5bafadbc908

SHA1
7246baeeb80c0fc2eb671e1c2bcb2cb15069d114

SHA256
eb9cdef2ad1744bdcdd61bed11da0572ee25c01c4afce6f29d3e9716c1490840

SHA512
d2d1ec50c3a37b8d649002172aad3df9a755e9ea73cd909d210ef4351a82b1ba997036ec9cb472bbc4acc00e846766891d50c217259dd55e31b0426e54a50d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.5MB

MD5
e5abd75a2c1b69144586c36fec0f7c21

SHA1
8033eb7aae9e7c456ff8f40761753181946aeb34

SHA256
7487e69d137fc841420d915697c9c8ef595de6774e59d86e81ec3a3b3519d9d3

SHA512
83f5abad8da149a0c006606641705cc55bc204bd515b0fcf725013e37b1a8ba33ccd5567157f8a03fbef6617559cef839e9a82ba67ad5b32f772c67ad3601975

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
216KB

MD5
044619f67799b89af9ed49c6adfb5254

SHA1
55d101c0dd4add200f1b4880f9c9d9b568c3039f

SHA256
58eed42f6ae6e6da14fd49219b691fb60efdf4832759d2cae01bf41267670776

SHA512
7320a9b98c7778c82a8c0df7dc9984624c49f6c16fe239f160e6a619570a14713e93935e881fe6642645790a08ed487051ed9519792f6be1fd826a24d61d1a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
216KB

MD5
044619f67799b89af9ed49c6adfb5254

SHA1
55d101c0dd4add200f1b4880f9c9d9b568c3039f

SHA256
58eed42f6ae6e6da14fd49219b691fb60efdf4832759d2cae01bf41267670776

SHA512
7320a9b98c7778c82a8c0df7dc9984624c49f6c16fe239f160e6a619570a14713e93935e881fe6642645790a08ed487051ed9519792f6be1fd826a24d61d1a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
216KB

MD5
044619f67799b89af9ed49c6adfb5254

SHA1
55d101c0dd4add200f1b4880f9c9d9b568c3039f

SHA256
58eed42f6ae6e6da14fd49219b691fb60efdf4832759d2cae01bf41267670776

SHA512
7320a9b98c7778c82a8c0df7dc9984624c49f6c16fe239f160e6a619570a14713e93935e881fe6642645790a08ed487051ed9519792f6be1fd826a24d61d1a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
216KB

MD5
044619f67799b89af9ed49c6adfb5254

SHA1
55d101c0dd4add200f1b4880f9c9d9b568c3039f

SHA256
58eed42f6ae6e6da14fd49219b691fb60efdf4832759d2cae01bf41267670776

SHA512
7320a9b98c7778c82a8c0df7dc9984624c49f6c16fe239f160e6a619570a14713e93935e881fe6642645790a08ed487051ed9519792f6be1fd826a24d61d1a3d

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
9eb0c6074d8e54f7da6508b5f6809e78

SHA1
61f003a28c45377e9fc641a0dd1382e6931c11f0

SHA256
df6f01f8c7c5ad4b1e66d19309ad60f0189bc607d7a07c184d9d94abd29c3ee8

SHA512
f6db15038cf4312647c59574cf2352c132c36cd060293977427b719066e5519838c6fed059d3a1d4e3277b575d9132d29d150c45cebd8a3852e705f3297f6d08

Download Submit
C:\Windows\hosts.exe

Filesize
216KB

MD5
50c45e6bafb1f1658063e150de902367

SHA1
2206c38b84f6af995de265e9feaacfbfc0a82b35

SHA256
179b735a8e3226df88337d7535c20531ba5edaa97fb58a43ea84991858114e9b

SHA512
453fbf633e782d1361d33e211fcc63af1a10f4b9ff7db405a851054a7b153f06cb3b4d5ad6847b07fa2fabb1188cf614d72b9e984facfb450f5aeb45c619f158

Download Submit
C:\Windows\hosts.exe

Filesize
216KB

MD5
50c45e6bafb1f1658063e150de902367

SHA1
2206c38b84f6af995de265e9feaacfbfc0a82b35

SHA256
179b735a8e3226df88337d7535c20531ba5edaa97fb58a43ea84991858114e9b

SHA512
453fbf633e782d1361d33e211fcc63af1a10f4b9ff7db405a851054a7b153f06cb3b4d5ad6847b07fa2fabb1188cf614d72b9e984facfb450f5aeb45c619f158

Download Submit
C:\Windows\hosts.exe

Filesize
216KB

MD5
50c45e6bafb1f1658063e150de902367

SHA1
2206c38b84f6af995de265e9feaacfbfc0a82b35

SHA256
179b735a8e3226df88337d7535c20531ba5edaa97fb58a43ea84991858114e9b

SHA512
453fbf633e782d1361d33e211fcc63af1a10f4b9ff7db405a851054a7b153f06cb3b4d5ad6847b07fa2fabb1188cf614d72b9e984facfb450f5aeb45c619f158

Download Submit
C:\Windows\hosts.exe

Filesize
216KB

MD5
50c45e6bafb1f1658063e150de902367

SHA1
2206c38b84f6af995de265e9feaacfbfc0a82b35

SHA256
179b735a8e3226df88337d7535c20531ba5edaa97fb58a43ea84991858114e9b

SHA512
453fbf633e782d1361d33e211fcc63af1a10f4b9ff7db405a851054a7b153f06cb3b4d5ad6847b07fa2fabb1188cf614d72b9e984facfb450f5aeb45c619f158

Download Submit
C:\windows\hosts.exe

Filesize
216KB

MD5
50c45e6bafb1f1658063e150de902367

SHA1
2206c38b84f6af995de265e9feaacfbfc0a82b35

SHA256
179b735a8e3226df88337d7535c20531ba5edaa97fb58a43ea84991858114e9b

SHA512
453fbf633e782d1361d33e211fcc63af1a10f4b9ff7db405a851054a7b153f06cb3b4d5ad6847b07fa2fabb1188cf614d72b9e984facfb450f5aeb45c619f158

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
216KB

MD5
044619f67799b89af9ed49c6adfb5254

SHA1
55d101c0dd4add200f1b4880f9c9d9b568c3039f

SHA256
58eed42f6ae6e6da14fd49219b691fb60efdf4832759d2cae01bf41267670776

SHA512
7320a9b98c7778c82a8c0df7dc9984624c49f6c16fe239f160e6a619570a14713e93935e881fe6642645790a08ed487051ed9519792f6be1fd826a24d61d1a3d

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
216KB

MD5
044619f67799b89af9ed49c6adfb5254

SHA1
55d101c0dd4add200f1b4880f9c9d9b568c3039f

SHA256
58eed42f6ae6e6da14fd49219b691fb60efdf4832759d2cae01bf41267670776

SHA512
7320a9b98c7778c82a8c0df7dc9984624c49f6c16fe239f160e6a619570a14713e93935e881fe6642645790a08ed487051ed9519792f6be1fd826a24d61d1a3d

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
216KB

MD5
044619f67799b89af9ed49c6adfb5254

SHA1
55d101c0dd4add200f1b4880f9c9d9b568c3039f

SHA256
58eed42f6ae6e6da14fd49219b691fb60efdf4832759d2cae01bf41267670776

SHA512
7320a9b98c7778c82a8c0df7dc9984624c49f6c16fe239f160e6a619570a14713e93935e881fe6642645790a08ed487051ed9519792f6be1fd826a24d61d1a3d

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
216KB

MD5
044619f67799b89af9ed49c6adfb5254

SHA1
55d101c0dd4add200f1b4880f9c9d9b568c3039f

SHA256
58eed42f6ae6e6da14fd49219b691fb60efdf4832759d2cae01bf41267670776

SHA512
7320a9b98c7778c82a8c0df7dc9984624c49f6c16fe239f160e6a619570a14713e93935e881fe6642645790a08ed487051ed9519792f6be1fd826a24d61d1a3d

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
216KB

MD5
044619f67799b89af9ed49c6adfb5254

SHA1
55d101c0dd4add200f1b4880f9c9d9b568c3039f

SHA256
58eed42f6ae6e6da14fd49219b691fb60efdf4832759d2cae01bf41267670776

SHA512
7320a9b98c7778c82a8c0df7dc9984624c49f6c16fe239f160e6a619570a14713e93935e881fe6642645790a08ed487051ed9519792f6be1fd826a24d61d1a3d

Download Submit
memory/864-58-0x0000000074181000-0x0000000074183000-memory.dmp

Filesize
8KB

Download
memory/864-56-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads