5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0

Analysis

max time kernel
149s
max time network
62s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
02-12-2022 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe
Size

351KB
MD5

682d1377fe7007fced29346b2365ec56
SHA1

15b80c307ad86e2a1a275902bb64baa822c67155
SHA256

5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0
SHA512

2ec0a68e75854b6432923a061f53a847faaf620b40f537115d79496ca2f7f8f56d0efc2129c7d2c5ea9ed3270f8ba79b3ed35b4247d1e48eaa16ae23517dc11c
SSDEEP

6144:gDCwfG1bnxMwslM0Yk55Qcpp5n+m9SDxqe:g72bnuwsO0YkTQyCDAe

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\SABDUHNY = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\SABDUHNY = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\SABDUHNY = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
916	avscan.exe
768	avscan.exe
1692	hosts.exe
736	hosts.exe
1752	avscan.exe
1184	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
1352	5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe
1352	5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe
916	avscan.exe
1692	hosts.exe
1692	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\W_X_C.vbs	5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe
File created	\??\c:\windows\W_X_C.bat	5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe
File opened for modification	C:\Windows\hosts.exe	5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
392	REG.exe
1756	REG.exe
520	REG.exe
336	REG.exe
1696	REG.exe
1540	REG.exe
1624	REG.exe
828	REG.exe
440	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
916	avscan.exe
1692	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1352	5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe
916	avscan.exe
768	avscan.exe
736	hosts.exe
1692	hosts.exe
1752	avscan.exe
1184	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 1756	1352	5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe	28
PID 1352 wrote to memory of 1756	1352	5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe	28
PID 1352 wrote to memory of 1756	1352	5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe	28
PID 1352 wrote to memory of 1756	1352	5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe	28
PID 1352 wrote to memory of 916	1352	5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe	30
PID 1352 wrote to memory of 916	1352	5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe	30
PID 1352 wrote to memory of 916	1352	5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe	30
PID 1352 wrote to memory of 916	1352	5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe	30
PID 916 wrote to memory of 768	916	avscan.exe	31
PID 916 wrote to memory of 768	916	avscan.exe	31
PID 916 wrote to memory of 768	916	avscan.exe	31
PID 916 wrote to memory of 768	916	avscan.exe	31
PID 916 wrote to memory of 560	916	avscan.exe	32
PID 916 wrote to memory of 560	916	avscan.exe	32
PID 916 wrote to memory of 560	916	avscan.exe	32
PID 916 wrote to memory of 560	916	avscan.exe	32
PID 1352 wrote to memory of 1552	1352	5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe	35
PID 1352 wrote to memory of 1552	1352	5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe	35
PID 1352 wrote to memory of 1552	1352	5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe	35
PID 1352 wrote to memory of 1552	1352	5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe	35
PID 1552 wrote to memory of 736	1552	cmd.exe	37
PID 1552 wrote to memory of 736	1552	cmd.exe	37
PID 1552 wrote to memory of 736	1552	cmd.exe	37
PID 1552 wrote to memory of 736	1552	cmd.exe	37
PID 560 wrote to memory of 1692	560	cmd.exe	36
PID 560 wrote to memory of 1692	560	cmd.exe	36
PID 560 wrote to memory of 1692	560	cmd.exe	36
PID 560 wrote to memory of 1692	560	cmd.exe	36
PID 1692 wrote to memory of 1752	1692	hosts.exe	38
PID 1692 wrote to memory of 1752	1692	hosts.exe	38
PID 1692 wrote to memory of 1752	1692	hosts.exe	38
PID 1692 wrote to memory of 1752	1692	hosts.exe	38
PID 1692 wrote to memory of 1144	1692	hosts.exe	39
PID 1692 wrote to memory of 1144	1692	hosts.exe	39
PID 1692 wrote to memory of 1144	1692	hosts.exe	39
PID 1692 wrote to memory of 1144	1692	hosts.exe	39
PID 1144 wrote to memory of 1184	1144	cmd.exe	41
PID 1144 wrote to memory of 1184	1144	cmd.exe	41
PID 1144 wrote to memory of 1184	1144	cmd.exe	41
PID 1144 wrote to memory of 1184	1144	cmd.exe	41
PID 1552 wrote to memory of 1932	1552	cmd.exe	44
PID 1552 wrote to memory of 1932	1552	cmd.exe	44
PID 1552 wrote to memory of 1932	1552	cmd.exe	44
PID 1552 wrote to memory of 1932	1552	cmd.exe	44
PID 560 wrote to memory of 1032	560	cmd.exe	42
PID 560 wrote to memory of 1032	560	cmd.exe	42
PID 560 wrote to memory of 1032	560	cmd.exe	42
PID 560 wrote to memory of 1032	560	cmd.exe	42
PID 1144 wrote to memory of 892	1144	cmd.exe	43
PID 1144 wrote to memory of 892	1144	cmd.exe	43
PID 1144 wrote to memory of 892	1144	cmd.exe	43
PID 1144 wrote to memory of 892	1144	cmd.exe	43
PID 916 wrote to memory of 1540	916	avscan.exe	45
PID 916 wrote to memory of 1540	916	avscan.exe	45
PID 916 wrote to memory of 1540	916	avscan.exe	45
PID 916 wrote to memory of 1540	916	avscan.exe	45
PID 1692 wrote to memory of 1624	1692	hosts.exe	47
PID 1692 wrote to memory of 1624	1692	hosts.exe	47
PID 1692 wrote to memory of 1624	1692	hosts.exe	47
PID 1692 wrote to memory of 1624	1692	hosts.exe	47
PID 1692 wrote to memory of 520	1692	hosts.exe	49
PID 1692 wrote to memory of 520	1692	hosts.exe	49
PID 1692 wrote to memory of 520	1692	hosts.exe	49
PID 1692 wrote to memory of 520	1692	hosts.exe	49

C:\Users\Admin\AppData\Local\Temp\5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe
"C:\Users\Admin\AppData\Local\Temp\5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:1756
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:768
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:560
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1692
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1752
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\W_X_C.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1144
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1184
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:892
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1624
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:520
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1696
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:828
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:1032
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1540
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:336
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:392
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:440
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:736
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:1932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
751KB

MD5
72592ffc6fd6bbb6151b486f8d222ffe

SHA1
aff51b32163c3caf40bfacaa76b7200d54851b8a

SHA256
97f13dc4ab9ac4ac5c28605595bcdc115a91dce64f80117c7a02e04dfb5227bd

SHA512
399704c26fb6b55bc4baf3c02e5e03c39e68757ede374d83a88c409a524560358a2a4af11b4c7bede1ad6d164b474036e444998c96eaefb6104249fa63bd5545

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.4MB

MD5
c1ad426614f7b3829a3e96237800b6f9

SHA1
1db3b38f43461a9bc7a8b262bcbf4c8bccbeea09

SHA256
89af117662d9cfb55e52d7fe8f8a4da3281148b7d89f4ffe126d6a3752896482

SHA512
732bd1a9f46bf71a73bfb9bb5b4a9a42e7ba55da4ce8954df7b468acabc2f91e75fa56ea130fc8fd0037a9cc5686d99f8b2ee557a2a363a6109968d490b5f8be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.4MB

MD5
c1ad426614f7b3829a3e96237800b6f9

SHA1
1db3b38f43461a9bc7a8b262bcbf4c8bccbeea09

SHA256
89af117662d9cfb55e52d7fe8f8a4da3281148b7d89f4ffe126d6a3752896482

SHA512
732bd1a9f46bf71a73bfb9bb5b4a9a42e7ba55da4ce8954df7b468acabc2f91e75fa56ea130fc8fd0037a9cc5686d99f8b2ee557a2a363a6109968d490b5f8be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.1MB

MD5
d6d2c6a0c3bf1bca2234895294b3ff49

SHA1
bc4a5dcef256b2759c83e3fa72f396dcaa3acd3e

SHA256
820f33413576a1a2320951b5f6a8385b9a65a44b8e49ee47e37a7e4956895cda

SHA512
1f4d7bb7d748794399651a8cdc23e1077ad56f6608fa7eea8af0be3f4d198ea5c642bb2c76abf380fd192227204b3a69eb826ab280105d994bbe399ba80d51d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.8MB

MD5
1122c88771eb9d86bc63f071c8d7dc13

SHA1
c7166e7c7e3cf86c84c8339e3e164e5fa12b5429

SHA256
43d1d18189e49a9f4499075de157a151f0dfd792f111a654eee416afaeef60b2

SHA512
53d3d60a170424dcf57a49903c7fbdb3bfc5e131f3587779a0ed1eec05984ee69df48626dc9b6f6aab5e2444a393604f62b5817ae8b46bc78afc9db6285de137

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.8MB

MD5
24bd71a824a4af0ee7e1dd7b9722f234

SHA1
6fbda670b531880a72c3e152974e05ac287f2b72

SHA256
7e4cd7bafc7b474016b93d9715ac15612b789290f347988b1fa7dad83322e6ec

SHA512
edfacf2b646ea01dd2469d7e8eb875b3269edaf76fa675513a8bae45ee054e4f369da4f616090069a279ffe32640b1a01ad550b14079c73eff5d19968ebb12e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
351KB

MD5
5371713b955de09ff540eb311e83d2a4

SHA1
5c7dd46f46747512b3e8a04f15c11b5be1c2c203

SHA256
06483c12745f7c7677943135706a46881e1716c96a2fc018ace5a616da4cd566

SHA512
1ffa48c8076acc5f8b1d33be60cbbf3d81970ce76d908c42e6a4f0a3b493008c7bf46f3d7409620b74116c5e69d1cdf755ce108bab309a344070ab8db8296e43

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
351KB

MD5
5371713b955de09ff540eb311e83d2a4

SHA1
5c7dd46f46747512b3e8a04f15c11b5be1c2c203

SHA256
06483c12745f7c7677943135706a46881e1716c96a2fc018ace5a616da4cd566

SHA512
1ffa48c8076acc5f8b1d33be60cbbf3d81970ce76d908c42e6a4f0a3b493008c7bf46f3d7409620b74116c5e69d1cdf755ce108bab309a344070ab8db8296e43

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
351KB

MD5
5371713b955de09ff540eb311e83d2a4

SHA1
5c7dd46f46747512b3e8a04f15c11b5be1c2c203

SHA256
06483c12745f7c7677943135706a46881e1716c96a2fc018ace5a616da4cd566

SHA512
1ffa48c8076acc5f8b1d33be60cbbf3d81970ce76d908c42e6a4f0a3b493008c7bf46f3d7409620b74116c5e69d1cdf755ce108bab309a344070ab8db8296e43

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
351KB

MD5
5371713b955de09ff540eb311e83d2a4

SHA1
5c7dd46f46747512b3e8a04f15c11b5be1c2c203

SHA256
06483c12745f7c7677943135706a46881e1716c96a2fc018ace5a616da4cd566

SHA512
1ffa48c8076acc5f8b1d33be60cbbf3d81970ce76d908c42e6a4f0a3b493008c7bf46f3d7409620b74116c5e69d1cdf755ce108bab309a344070ab8db8296e43

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
6d7a78ec09068987a6bec39d91fa2997

SHA1
e74ad929b10ad126cab230e0ea5ec239cbeaf12b

SHA256
d87abc4daf79735e1afda9ba17e27ca3e8c8775af50c18e67579da6384da53c6

SHA512
e912df74b128cb69c204fe6395f2237f7b2f240642312a66ff4e89004ac7736125155078e47591b26e686ec4f09d25bc4cf1575cc590bffe587962c02fa8e395

Download Submit
C:\Windows\hosts.exe

Filesize
351KB

MD5
32ea23f7a460d13d623655007d34da56

SHA1
52c761666690b13f5265dc90aff499abe73cb8b3

SHA256
4f4945709dddccfe41ca5eb3b3c4db316415823c5cb637bd193597190f079d38

SHA512
4cc934f910d2667cc15938d327b19bf7172d8b49775c4ded8e49d0721efe6e2d822a2769b86b962f6fe8a04b3a2da19676a6a26854d08ce65358d5ea4a85e161

Download Submit
C:\Windows\hosts.exe

Filesize
351KB

MD5
32ea23f7a460d13d623655007d34da56

SHA1
52c761666690b13f5265dc90aff499abe73cb8b3

SHA256
4f4945709dddccfe41ca5eb3b3c4db316415823c5cb637bd193597190f079d38

SHA512
4cc934f910d2667cc15938d327b19bf7172d8b49775c4ded8e49d0721efe6e2d822a2769b86b962f6fe8a04b3a2da19676a6a26854d08ce65358d5ea4a85e161

Download Submit
C:\Windows\hosts.exe

Filesize
351KB

MD5
32ea23f7a460d13d623655007d34da56

SHA1
52c761666690b13f5265dc90aff499abe73cb8b3

SHA256
4f4945709dddccfe41ca5eb3b3c4db316415823c5cb637bd193597190f079d38

SHA512
4cc934f910d2667cc15938d327b19bf7172d8b49775c4ded8e49d0721efe6e2d822a2769b86b962f6fe8a04b3a2da19676a6a26854d08ce65358d5ea4a85e161

Download Submit
C:\Windows\hosts.exe

Filesize
351KB

MD5
32ea23f7a460d13d623655007d34da56

SHA1
52c761666690b13f5265dc90aff499abe73cb8b3

SHA256
4f4945709dddccfe41ca5eb3b3c4db316415823c5cb637bd193597190f079d38

SHA512
4cc934f910d2667cc15938d327b19bf7172d8b49775c4ded8e49d0721efe6e2d822a2769b86b962f6fe8a04b3a2da19676a6a26854d08ce65358d5ea4a85e161

Download Submit
C:\windows\hosts.exe

Filesize
351KB

MD5
32ea23f7a460d13d623655007d34da56

SHA1
52c761666690b13f5265dc90aff499abe73cb8b3

SHA256
4f4945709dddccfe41ca5eb3b3c4db316415823c5cb637bd193597190f079d38

SHA512
4cc934f910d2667cc15938d327b19bf7172d8b49775c4ded8e49d0721efe6e2d822a2769b86b962f6fe8a04b3a2da19676a6a26854d08ce65358d5ea4a85e161

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
351KB

MD5
5371713b955de09ff540eb311e83d2a4

SHA1
5c7dd46f46747512b3e8a04f15c11b5be1c2c203

SHA256
06483c12745f7c7677943135706a46881e1716c96a2fc018ace5a616da4cd566

SHA512
1ffa48c8076acc5f8b1d33be60cbbf3d81970ce76d908c42e6a4f0a3b493008c7bf46f3d7409620b74116c5e69d1cdf755ce108bab309a344070ab8db8296e43

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
351KB

MD5
5371713b955de09ff540eb311e83d2a4

SHA1
5c7dd46f46747512b3e8a04f15c11b5be1c2c203

SHA256
06483c12745f7c7677943135706a46881e1716c96a2fc018ace5a616da4cd566

SHA512
1ffa48c8076acc5f8b1d33be60cbbf3d81970ce76d908c42e6a4f0a3b493008c7bf46f3d7409620b74116c5e69d1cdf755ce108bab309a344070ab8db8296e43

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
351KB

MD5
5371713b955de09ff540eb311e83d2a4

SHA1
5c7dd46f46747512b3e8a04f15c11b5be1c2c203

SHA256
06483c12745f7c7677943135706a46881e1716c96a2fc018ace5a616da4cd566

SHA512
1ffa48c8076acc5f8b1d33be60cbbf3d81970ce76d908c42e6a4f0a3b493008c7bf46f3d7409620b74116c5e69d1cdf755ce108bab309a344070ab8db8296e43

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
351KB

MD5
5371713b955de09ff540eb311e83d2a4

SHA1
5c7dd46f46747512b3e8a04f15c11b5be1c2c203

SHA256
06483c12745f7c7677943135706a46881e1716c96a2fc018ace5a616da4cd566

SHA512
1ffa48c8076acc5f8b1d33be60cbbf3d81970ce76d908c42e6a4f0a3b493008c7bf46f3d7409620b74116c5e69d1cdf755ce108bab309a344070ab8db8296e43

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
351KB

MD5
5371713b955de09ff540eb311e83d2a4

SHA1
5c7dd46f46747512b3e8a04f15c11b5be1c2c203

SHA256
06483c12745f7c7677943135706a46881e1716c96a2fc018ace5a616da4cd566

SHA512
1ffa48c8076acc5f8b1d33be60cbbf3d81970ce76d908c42e6a4f0a3b493008c7bf46f3d7409620b74116c5e69d1cdf755ce108bab309a344070ab8db8296e43

Download Submit
memory/1352-56-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1352-58-0x0000000074A81000-0x0000000074A83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads