ae965e133822f6fa6f5d5f27e5004ccd8dddcbef51d157289fbd4b6267362d17

Analysis

max time kernel
152s
max time network
68s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 20:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ae965e133822f6fa6f5d5f27e5004ccd8dddcbef51d157289fbd4b6267362d17.exe
Size

245KB
MD5

8ef2dc2548e75c93ea9e75e3fae33655
SHA1

a85ae6daae48f647213c016c08ac31f8549ccd3b
SHA256

ae965e133822f6fa6f5d5f27e5004ccd8dddcbef51d157289fbd4b6267362d17
SHA512

172d9b62cca0e95fac1a33b8ba2ebd932933f24751c61aef080452885f026bfcc4d53f5745d0306ce3be2b7a06825c8dceb94fd37118a2f95ddcc18e07018c5d
SSDEEP

3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCm/DELU31fIcX/54p1YYhD/6KgXe:gDCwfG1bnxLEDL3YYhLrgXe

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	ae965e133822f6fa6f5d5f27e5004ccd8dddcbef51d157289fbd4b6267362d17.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ae965e133822f6fa6f5d5f27e5004ccd8dddcbef51d157289fbd4b6267362d17.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VUIIVLGQ = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VUIIVLGQ = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VUIIVLGQ = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
1776	avscan.exe
1072	avscan.exe
692	hosts.exe
860	hosts.exe
1908	avscan.exe
1264	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
768	ae965e133822f6fa6f5d5f27e5004ccd8dddcbef51d157289fbd4b6267362d17.exe
768	ae965e133822f6fa6f5d5f27e5004ccd8dddcbef51d157289fbd4b6267362d17.exe
1776	avscan.exe
692	hosts.exe
692	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	ae965e133822f6fa6f5d5f27e5004ccd8dddcbef51d157289fbd4b6267362d17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	ae965e133822f6fa6f5d5f27e5004ccd8dddcbef51d157289fbd4b6267362d17.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	\??\c:\windows\W_X_C.bat	ae965e133822f6fa6f5d5f27e5004ccd8dddcbef51d157289fbd4b6267362d17.exe
File opened for modification	C:\Windows\hosts.exe	ae965e133822f6fa6f5d5f27e5004ccd8dddcbef51d157289fbd4b6267362d17.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	ae965e133822f6fa6f5d5f27e5004ccd8dddcbef51d157289fbd4b6267362d17.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
1924	REG.exe
1156	REG.exe
924	REG.exe
1340	REG.exe
524	REG.exe
1076	REG.exe
1520	REG.exe
548	REG.exe
844	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1776	avscan.exe
692	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
768	ae965e133822f6fa6f5d5f27e5004ccd8dddcbef51d157289fbd4b6267362d17.exe
1776	avscan.exe
1072	avscan.exe
692	hosts.exe
860	hosts.exe
1908	avscan.exe
1264	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 768 wrote to memory of 844	768	ae965e133822f6fa6f5d5f27e5004ccd8dddcbef51d157289fbd4b6267362d17.exe	28
PID 768 wrote to memory of 844	768	ae965e133822f6fa6f5d5f27e5004ccd8dddcbef51d157289fbd4b6267362d17.exe	28
PID 768 wrote to memory of 844	768	ae965e133822f6fa6f5d5f27e5004ccd8dddcbef51d157289fbd4b6267362d17.exe	28
PID 768 wrote to memory of 844	768	ae965e133822f6fa6f5d5f27e5004ccd8dddcbef51d157289fbd4b6267362d17.exe	28
PID 768 wrote to memory of 1776	768	ae965e133822f6fa6f5d5f27e5004ccd8dddcbef51d157289fbd4b6267362d17.exe	30
PID 768 wrote to memory of 1776	768	ae965e133822f6fa6f5d5f27e5004ccd8dddcbef51d157289fbd4b6267362d17.exe	30
PID 768 wrote to memory of 1776	768	ae965e133822f6fa6f5d5f27e5004ccd8dddcbef51d157289fbd4b6267362d17.exe	30
PID 768 wrote to memory of 1776	768	ae965e133822f6fa6f5d5f27e5004ccd8dddcbef51d157289fbd4b6267362d17.exe	30
PID 1776 wrote to memory of 1072	1776	avscan.exe	31
PID 1776 wrote to memory of 1072	1776	avscan.exe	31
PID 1776 wrote to memory of 1072	1776	avscan.exe	31
PID 1776 wrote to memory of 1072	1776	avscan.exe	31
PID 1776 wrote to memory of 1824	1776	avscan.exe	32
PID 1776 wrote to memory of 1824	1776	avscan.exe	32
PID 1776 wrote to memory of 1824	1776	avscan.exe	32
PID 1776 wrote to memory of 1824	1776	avscan.exe	32
PID 768 wrote to memory of 1488	768	ae965e133822f6fa6f5d5f27e5004ccd8dddcbef51d157289fbd4b6267362d17.exe	33
PID 768 wrote to memory of 1488	768	ae965e133822f6fa6f5d5f27e5004ccd8dddcbef51d157289fbd4b6267362d17.exe	33
PID 768 wrote to memory of 1488	768	ae965e133822f6fa6f5d5f27e5004ccd8dddcbef51d157289fbd4b6267362d17.exe	33
PID 768 wrote to memory of 1488	768	ae965e133822f6fa6f5d5f27e5004ccd8dddcbef51d157289fbd4b6267362d17.exe	33
PID 1824 wrote to memory of 692	1824	cmd.exe	37
PID 1824 wrote to memory of 692	1824	cmd.exe	37
PID 1824 wrote to memory of 692	1824	cmd.exe	37
PID 1824 wrote to memory of 692	1824	cmd.exe	37
PID 1488 wrote to memory of 860	1488	cmd.exe	36
PID 1488 wrote to memory of 860	1488	cmd.exe	36
PID 1488 wrote to memory of 860	1488	cmd.exe	36
PID 1488 wrote to memory of 860	1488	cmd.exe	36
PID 692 wrote to memory of 1908	692	hosts.exe	38
PID 692 wrote to memory of 1908	692	hosts.exe	38
PID 692 wrote to memory of 1908	692	hosts.exe	38
PID 692 wrote to memory of 1908	692	hosts.exe	38
PID 692 wrote to memory of 1864	692	hosts.exe	40
PID 692 wrote to memory of 1864	692	hosts.exe	40
PID 692 wrote to memory of 1864	692	hosts.exe	40
PID 692 wrote to memory of 1864	692	hosts.exe	40
PID 1824 wrote to memory of 1620	1824	cmd.exe	39
PID 1824 wrote to memory of 1620	1824	cmd.exe	39
PID 1824 wrote to memory of 1620	1824	cmd.exe	39
PID 1824 wrote to memory of 1620	1824	cmd.exe	39
PID 1488 wrote to memory of 1136	1488	cmd.exe	42
PID 1488 wrote to memory of 1136	1488	cmd.exe	42
PID 1488 wrote to memory of 1136	1488	cmd.exe	42
PID 1488 wrote to memory of 1136	1488	cmd.exe	42
PID 1864 wrote to memory of 1264	1864	cmd.exe	43
PID 1864 wrote to memory of 1264	1864	cmd.exe	43
PID 1864 wrote to memory of 1264	1864	cmd.exe	43
PID 1864 wrote to memory of 1264	1864	cmd.exe	43
PID 1864 wrote to memory of 2024	1864	cmd.exe	44
PID 1864 wrote to memory of 2024	1864	cmd.exe	44
PID 1864 wrote to memory of 2024	1864	cmd.exe	44
PID 1864 wrote to memory of 2024	1864	cmd.exe	44
PID 1776 wrote to memory of 1520	1776	avscan.exe	45
PID 1776 wrote to memory of 1520	1776	avscan.exe	45
PID 1776 wrote to memory of 1520	1776	avscan.exe	45
PID 1776 wrote to memory of 1520	1776	avscan.exe	45
PID 692 wrote to memory of 1076	692	hosts.exe	47
PID 692 wrote to memory of 1076	692	hosts.exe	47
PID 692 wrote to memory of 1076	692	hosts.exe	47
PID 692 wrote to memory of 1076	692	hosts.exe	47
PID 1776 wrote to memory of 1924	1776	avscan.exe	49
PID 1776 wrote to memory of 1924	1776	avscan.exe	49
PID 1776 wrote to memory of 1924	1776	avscan.exe	49
PID 1776 wrote to memory of 1924	1776	avscan.exe	49

C:\Users\Admin\AppData\Local\Temp\ae965e133822f6fa6f5d5f27e5004ccd8dddcbef51d157289fbd4b6267362d17.exe
"C:\Users\Admin\AppData\Local\Temp\ae965e133822f6fa6f5d5f27e5004ccd8dddcbef51d157289fbd4b6267362d17.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:768
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:844
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1072
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1824
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:692
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1908
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\W_X_C.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1864
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1264
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:2024
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1076
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:548
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1156
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:524
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:1620
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1520
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1924
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:924
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1340
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:860
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:1136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
539KB

MD5
856f2afa9bd97982dfdea579d1f53570

SHA1
c907c57459ba6fbfa98c3a89987de2f2bb9d5aaa

SHA256
634b7c8db18f563549292f3fd28f08199ee64f5b7136c28337754e58685ecac6

SHA512
fbaaf22e4d11cbf8c0d338436999b0181bfa36dd2ccdc024962fb93176c567a0ae8f5718bd64b5d82014004567951804eb3a0306264a4dde341b126d6bf501fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.0MB

MD5
c0baa71ab7cdbe0afcf4410a57918f72

SHA1
6dfcd688cc5e7cac954d008614e24748fb189a84

SHA256
d9cc69278e32c7f47b3a5f80bde16549c6fa4a6cd760f9945051d7af6c4cff34

SHA512
fd7bf2bf5cdc8df4df949313a121e44da20ef782ad230262baaaad206b218bc1abf8ccee653cebbd6955b7f2f5a912350d8dddb8666518fa939c4b9583008f38

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.2MB

MD5
e0c21d0d285ae9acb644a1176e7b0657

SHA1
458b4d37bf099f395926ced43bf31d590c11a223

SHA256
03d2bd9822494951e170376011ddada32512e04b821311f922d923473699e82a

SHA512
fdc6a96b55214b55bb6c5f6bef6d1139390ad36ab73a173798531651923ee8435007942cecbe051dc8788e23036e6dfff57d771f0a877b20ec5104598a644626

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.5MB

MD5
aa2316285c9c3dd465ee15f06b8d87f4

SHA1
a3f07139fa361b593e7ee4c9766e42110f49bab9

SHA256
0197f146f449cc59cb3e0527369defe7b69b4563ece64e6751c2642eebfe04ff

SHA512
918ced05bbfe937cce4df4b1417a43672a3190a93d19d64d85d8b5e0ce53d981cdf6c6960857eb3b998d76bca92c21d18fb15ac01d3b3edb01d8cc6c048590e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.7MB

MD5
837474e2c5e71aa4e073b9bf8213b4eb

SHA1
d97ef2a080a826ee4101c315d55a7966bea1ec8e

SHA256
9f856464c241f6a6df8a48459562d3ac7013385636db784261665fc33377b61a

SHA512
9ed41cb7309fcdae12984c95542ef79c47000dd495e86dfdbe481b2cae104069f861ee2e0c3f7930e42b04e8c46d79582b017e5157084d16055b7ce5c7d9d667

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.7MB

MD5
837474e2c5e71aa4e073b9bf8213b4eb

SHA1
d97ef2a080a826ee4101c315d55a7966bea1ec8e

SHA256
9f856464c241f6a6df8a48459562d3ac7013385636db784261665fc33377b61a

SHA512
9ed41cb7309fcdae12984c95542ef79c47000dd495e86dfdbe481b2cae104069f861ee2e0c3f7930e42b04e8c46d79582b017e5157084d16055b7ce5c7d9d667

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
245KB

MD5
669547554d550c1ef61d5c50c56530b2

SHA1
c6fbde0837150acf6359f842f01c5c01f92c7f78

SHA256
7f941679dd709bc26e59c2e3dd960505170a52cc2458589dab8581233d884a27

SHA512
a9e33ea808b8f3fd68d4b01d11129c5209d92b8af1294e055374bcd594bbd9e366f357b38cd08e77673ec029592abff20d5000bfabba439a279f0ac9b12158b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
245KB

MD5
669547554d550c1ef61d5c50c56530b2

SHA1
c6fbde0837150acf6359f842f01c5c01f92c7f78

SHA256
7f941679dd709bc26e59c2e3dd960505170a52cc2458589dab8581233d884a27

SHA512
a9e33ea808b8f3fd68d4b01d11129c5209d92b8af1294e055374bcd594bbd9e366f357b38cd08e77673ec029592abff20d5000bfabba439a279f0ac9b12158b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
245KB

MD5
669547554d550c1ef61d5c50c56530b2

SHA1
c6fbde0837150acf6359f842f01c5c01f92c7f78

SHA256
7f941679dd709bc26e59c2e3dd960505170a52cc2458589dab8581233d884a27

SHA512
a9e33ea808b8f3fd68d4b01d11129c5209d92b8af1294e055374bcd594bbd9e366f357b38cd08e77673ec029592abff20d5000bfabba439a279f0ac9b12158b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
245KB

MD5
669547554d550c1ef61d5c50c56530b2

SHA1
c6fbde0837150acf6359f842f01c5c01f92c7f78

SHA256
7f941679dd709bc26e59c2e3dd960505170a52cc2458589dab8581233d884a27

SHA512
a9e33ea808b8f3fd68d4b01d11129c5209d92b8af1294e055374bcd594bbd9e366f357b38cd08e77673ec029592abff20d5000bfabba439a279f0ac9b12158b8

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
bb5f0d81909924d647dc29f49c1ab135

SHA1
3f69821597fc6e1bf95639ed73729d5b28d30571

SHA256
71a89829e758fce2196f5ae1fce0af4110c85b65f1cacbd9d34394843a0e9563

SHA512
e4459b6d398a439a6c086e1fbec0ce713c530f8c6ff9237fa080eb3fed35fcb938d88eb70bef32fe5d7853435c3cca5a25c207473239c460633ac30e302765ab

Download Submit
C:\Windows\hosts.exe

Filesize
245KB

MD5
baf854a19d0e7211ee89ee95231d378a

SHA1
3ec224abb74e5d6b325fbd0f081d49311a6d11c5

SHA256
5a5797cf85ca916bee1fa53fe08a7c2cf532860faad47d321388012dce8dcda0

SHA512
3d008b5af8d8dfabe81f6f9ec82f6350c79e414b3ece31d2f650231e2c611d985103679457eb98aa3f5f85aeb73d7d0870d2fe593a980b69b9f3e73076742ce2

Download Submit
C:\Windows\hosts.exe

Filesize
245KB

MD5
baf854a19d0e7211ee89ee95231d378a

SHA1
3ec224abb74e5d6b325fbd0f081d49311a6d11c5

SHA256
5a5797cf85ca916bee1fa53fe08a7c2cf532860faad47d321388012dce8dcda0

SHA512
3d008b5af8d8dfabe81f6f9ec82f6350c79e414b3ece31d2f650231e2c611d985103679457eb98aa3f5f85aeb73d7d0870d2fe593a980b69b9f3e73076742ce2

Download Submit
C:\Windows\hosts.exe

Filesize
245KB

MD5
baf854a19d0e7211ee89ee95231d378a

SHA1
3ec224abb74e5d6b325fbd0f081d49311a6d11c5

SHA256
5a5797cf85ca916bee1fa53fe08a7c2cf532860faad47d321388012dce8dcda0

SHA512
3d008b5af8d8dfabe81f6f9ec82f6350c79e414b3ece31d2f650231e2c611d985103679457eb98aa3f5f85aeb73d7d0870d2fe593a980b69b9f3e73076742ce2

Download Submit
C:\Windows\hosts.exe

Filesize
245KB

MD5
baf854a19d0e7211ee89ee95231d378a

SHA1
3ec224abb74e5d6b325fbd0f081d49311a6d11c5

SHA256
5a5797cf85ca916bee1fa53fe08a7c2cf532860faad47d321388012dce8dcda0

SHA512
3d008b5af8d8dfabe81f6f9ec82f6350c79e414b3ece31d2f650231e2c611d985103679457eb98aa3f5f85aeb73d7d0870d2fe593a980b69b9f3e73076742ce2

Download Submit
C:\windows\hosts.exe

Filesize
245KB

MD5
baf854a19d0e7211ee89ee95231d378a

SHA1
3ec224abb74e5d6b325fbd0f081d49311a6d11c5

SHA256
5a5797cf85ca916bee1fa53fe08a7c2cf532860faad47d321388012dce8dcda0

SHA512
3d008b5af8d8dfabe81f6f9ec82f6350c79e414b3ece31d2f650231e2c611d985103679457eb98aa3f5f85aeb73d7d0870d2fe593a980b69b9f3e73076742ce2

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
245KB

MD5
669547554d550c1ef61d5c50c56530b2

SHA1
c6fbde0837150acf6359f842f01c5c01f92c7f78

SHA256
7f941679dd709bc26e59c2e3dd960505170a52cc2458589dab8581233d884a27

SHA512
a9e33ea808b8f3fd68d4b01d11129c5209d92b8af1294e055374bcd594bbd9e366f357b38cd08e77673ec029592abff20d5000bfabba439a279f0ac9b12158b8

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
245KB

MD5
669547554d550c1ef61d5c50c56530b2

SHA1
c6fbde0837150acf6359f842f01c5c01f92c7f78

SHA256
7f941679dd709bc26e59c2e3dd960505170a52cc2458589dab8581233d884a27

SHA512
a9e33ea808b8f3fd68d4b01d11129c5209d92b8af1294e055374bcd594bbd9e366f357b38cd08e77673ec029592abff20d5000bfabba439a279f0ac9b12158b8

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
245KB

MD5
669547554d550c1ef61d5c50c56530b2

SHA1
c6fbde0837150acf6359f842f01c5c01f92c7f78

SHA256
7f941679dd709bc26e59c2e3dd960505170a52cc2458589dab8581233d884a27

SHA512
a9e33ea808b8f3fd68d4b01d11129c5209d92b8af1294e055374bcd594bbd9e366f357b38cd08e77673ec029592abff20d5000bfabba439a279f0ac9b12158b8

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
245KB

MD5
669547554d550c1ef61d5c50c56530b2

SHA1
c6fbde0837150acf6359f842f01c5c01f92c7f78

SHA256
7f941679dd709bc26e59c2e3dd960505170a52cc2458589dab8581233d884a27

SHA512
a9e33ea808b8f3fd68d4b01d11129c5209d92b8af1294e055374bcd594bbd9e366f357b38cd08e77673ec029592abff20d5000bfabba439a279f0ac9b12158b8

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
245KB

MD5
669547554d550c1ef61d5c50c56530b2

SHA1
c6fbde0837150acf6359f842f01c5c01f92c7f78

SHA256
7f941679dd709bc26e59c2e3dd960505170a52cc2458589dab8581233d884a27

SHA512
a9e33ea808b8f3fd68d4b01d11129c5209d92b8af1294e055374bcd594bbd9e366f357b38cd08e77673ec029592abff20d5000bfabba439a279f0ac9b12158b8

Download Submit
memory/768-56-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/768-58-0x0000000074361000-0x0000000074363000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads