bdcedbdf02b51d0b53e116edda0d39155d7c5d4374bfc5a8b9d7bbf1a6664b88

Analysis

max time kernel
124s
max time network
53s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdcedbdf02b51d0b53e116edda0d39155d7c5d4374bfc5a8b9d7bbf1a6664b88.exe
Size

749KB
MD5

829698894b4a13b4a683f97301b0f682
SHA1

353513afd1d98071ebe6090cb4b793e30422a2c3
SHA256

bdcedbdf02b51d0b53e116edda0d39155d7c5d4374bfc5a8b9d7bbf1a6664b88
SHA512

8500418d814d1cc145492c73a82b3a247f83fb6a89a3c6506fe925107795c1060038636e58b55e47f196ae1e07b851e4f99cb5a733bfdbe4d574b31a323aea5b
SSDEEP

12288:g72bntEL772bntELDRFj47+572bntEL772bntELDRFj47+HDn0:g72ze72z2Ky72ze72z2K80

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	bdcedbdf02b51d0b53e116edda0d39155d7c5d4374bfc5a8b9d7bbf1a6664b88.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	bdcedbdf02b51d0b53e116edda0d39155d7c5d4374bfc5a8b9d7bbf1a6664b88.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RYNKSFQE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RYNKSFQE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RYNKSFQE = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
584	avscan.exe
1740	avscan.exe
1568	hosts.exe
2044	hosts.exe
1388	avscan.exe
1644	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
1140	bdcedbdf02b51d0b53e116edda0d39155d7c5d4374bfc5a8b9d7bbf1a6664b88.exe
1140	bdcedbdf02b51d0b53e116edda0d39155d7c5d4374bfc5a8b9d7bbf1a6664b88.exe
584	avscan.exe
2044	hosts.exe
2044	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	bdcedbdf02b51d0b53e116edda0d39155d7c5d4374bfc5a8b9d7bbf1a6664b88.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	bdcedbdf02b51d0b53e116edda0d39155d7c5d4374bfc5a8b9d7bbf1a6664b88.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\W_X_C.vbs	bdcedbdf02b51d0b53e116edda0d39155d7c5d4374bfc5a8b9d7bbf1a6664b88.exe
File created	\??\c:\windows\W_X_C.bat	bdcedbdf02b51d0b53e116edda0d39155d7c5d4374bfc5a8b9d7bbf1a6664b88.exe
File opened for modification	C:\Windows\hosts.exe	bdcedbdf02b51d0b53e116edda0d39155d7c5d4374bfc5a8b9d7bbf1a6664b88.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 8 IoCs

Modify Registry

T1112

pid	Process
1620	REG.exe
1724	REG.exe
1364	REG.exe
1356	REG.exe
572	REG.exe
1956	REG.exe
840	REG.exe
660	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
584	avscan.exe
2044	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1140	bdcedbdf02b51d0b53e116edda0d39155d7c5d4374bfc5a8b9d7bbf1a6664b88.exe
584	avscan.exe
1740	avscan.exe
1568	hosts.exe
2044	hosts.exe
1388	avscan.exe
1644	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 1356	1140	bdcedbdf02b51d0b53e116edda0d39155d7c5d4374bfc5a8b9d7bbf1a6664b88.exe	26
PID 1140 wrote to memory of 1356	1140	bdcedbdf02b51d0b53e116edda0d39155d7c5d4374bfc5a8b9d7bbf1a6664b88.exe	26
PID 1140 wrote to memory of 1356	1140	bdcedbdf02b51d0b53e116edda0d39155d7c5d4374bfc5a8b9d7bbf1a6664b88.exe	26
PID 1140 wrote to memory of 1356	1140	bdcedbdf02b51d0b53e116edda0d39155d7c5d4374bfc5a8b9d7bbf1a6664b88.exe	26
PID 1140 wrote to memory of 584	1140	bdcedbdf02b51d0b53e116edda0d39155d7c5d4374bfc5a8b9d7bbf1a6664b88.exe	28
PID 1140 wrote to memory of 584	1140	bdcedbdf02b51d0b53e116edda0d39155d7c5d4374bfc5a8b9d7bbf1a6664b88.exe	28
PID 1140 wrote to memory of 584	1140	bdcedbdf02b51d0b53e116edda0d39155d7c5d4374bfc5a8b9d7bbf1a6664b88.exe	28
PID 1140 wrote to memory of 584	1140	bdcedbdf02b51d0b53e116edda0d39155d7c5d4374bfc5a8b9d7bbf1a6664b88.exe	28
PID 584 wrote to memory of 1740	584	avscan.exe	29
PID 584 wrote to memory of 1740	584	avscan.exe	29
PID 584 wrote to memory of 1740	584	avscan.exe	29
PID 584 wrote to memory of 1740	584	avscan.exe	29
PID 584 wrote to memory of 1736	584	avscan.exe	30
PID 584 wrote to memory of 1736	584	avscan.exe	30
PID 584 wrote to memory of 1736	584	avscan.exe	30
PID 584 wrote to memory of 1736	584	avscan.exe	30
PID 1140 wrote to memory of 1764	1140	bdcedbdf02b51d0b53e116edda0d39155d7c5d4374bfc5a8b9d7bbf1a6664b88.exe	31
PID 1140 wrote to memory of 1764	1140	bdcedbdf02b51d0b53e116edda0d39155d7c5d4374bfc5a8b9d7bbf1a6664b88.exe	31
PID 1140 wrote to memory of 1764	1140	bdcedbdf02b51d0b53e116edda0d39155d7c5d4374bfc5a8b9d7bbf1a6664b88.exe	31
PID 1140 wrote to memory of 1764	1140	bdcedbdf02b51d0b53e116edda0d39155d7c5d4374bfc5a8b9d7bbf1a6664b88.exe	31
PID 1764 wrote to memory of 2044	1764	cmd.exe	35
PID 1764 wrote to memory of 2044	1764	cmd.exe	35
PID 1764 wrote to memory of 2044	1764	cmd.exe	35
PID 1764 wrote to memory of 2044	1764	cmd.exe	35
PID 1736 wrote to memory of 1568	1736	cmd.exe	34
PID 1736 wrote to memory of 1568	1736	cmd.exe	34
PID 1736 wrote to memory of 1568	1736	cmd.exe	34
PID 1736 wrote to memory of 1568	1736	cmd.exe	34
PID 1736 wrote to memory of 1520	1736	cmd.exe	36
PID 1736 wrote to memory of 1520	1736	cmd.exe	36
PID 1764 wrote to memory of 1900	1764	cmd.exe	37
PID 1736 wrote to memory of 1520	1736	cmd.exe	36
PID 1736 wrote to memory of 1520	1736	cmd.exe	36
PID 1764 wrote to memory of 1900	1764	cmd.exe	37
PID 1764 wrote to memory of 1900	1764	cmd.exe	37
PID 1764 wrote to memory of 1900	1764	cmd.exe	37
PID 584 wrote to memory of 572	584	avscan.exe	38
PID 584 wrote to memory of 572	584	avscan.exe	38
PID 584 wrote to memory of 572	584	avscan.exe	38
PID 584 wrote to memory of 572	584	avscan.exe	38
PID 2044 wrote to memory of 1388	2044	hosts.exe	40
PID 2044 wrote to memory of 1388	2044	hosts.exe	40
PID 2044 wrote to memory of 1388	2044	hosts.exe	40
PID 2044 wrote to memory of 1388	2044	hosts.exe	40
PID 2044 wrote to memory of 360	2044	hosts.exe	41
PID 2044 wrote to memory of 360	2044	hosts.exe	41
PID 2044 wrote to memory of 360	2044	hosts.exe	41
PID 2044 wrote to memory of 360	2044	hosts.exe	41
PID 360 wrote to memory of 1644	360	cmd.exe	43
PID 360 wrote to memory of 1644	360	cmd.exe	43
PID 360 wrote to memory of 1644	360	cmd.exe	43
PID 360 wrote to memory of 1644	360	cmd.exe	43
PID 360 wrote to memory of 892	360	cmd.exe	44
PID 360 wrote to memory of 892	360	cmd.exe	44
PID 360 wrote to memory of 892	360	cmd.exe	44
PID 360 wrote to memory of 892	360	cmd.exe	44
PID 2044 wrote to memory of 1956	2044	hosts.exe	45
PID 2044 wrote to memory of 1956	2044	hosts.exe	45
PID 2044 wrote to memory of 1956	2044	hosts.exe	45
PID 2044 wrote to memory of 1956	2044	hosts.exe	45
PID 584 wrote to memory of 840	584	avscan.exe	47
PID 584 wrote to memory of 840	584	avscan.exe	47
PID 584 wrote to memory of 840	584	avscan.exe	47
PID 584 wrote to memory of 840	584	avscan.exe	47

C:\Users\Admin\AppData\Local\Temp\bdcedbdf02b51d0b53e116edda0d39155d7c5d4374bfc5a8b9d7bbf1a6664b88.exe
"C:\Users\Admin\AppData\Local\Temp\bdcedbdf02b51d0b53e116edda0d39155d7c5d4374bfc5a8b9d7bbf1a6664b88.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:1356
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:584
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1736
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1568
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:1520
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:572
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:840
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1620
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1388
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\W_X_C.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:360
    - - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1644
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        5⤵
        Adds policy Run key to start application
        
        PID:892
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1956
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:660
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1724
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:1900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.2MB

MD5
d29e4d3ce2942bd23c31b3789d00367f

SHA1
cb4b137aececba283328c49997e30d98c1a2f6f8

SHA256
710aef09d68731125abbc4b070de67816226168b4244b11be0a4d15d925952f1

SHA512
9d1d2bac16a2b273702c42db007a58448b95e43dd5f3a12108b157e6ad7e00703fbb8f5242676a4aac0f1e06a7c824e8e1112f9bbc9ea5c1819da4fbecc0797a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.2MB

MD5
99402351444ea979537b07f919d6ba30

SHA1
a07a4d154a553fc8875d7aba914cf1498750f665

SHA256
a200cbc68086a36e332ba98c7808617fdc895f21215dd09bef8f2df1938da90a

SHA512
eb8299e842594268e4fbd222183eb7fdf4ba1f6b2667530de008933d2f308fbddd2bab156d4fbd2ccd013fa83aef1405c08871d65bc1478936c26b6b7cf1db30

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
3.7MB

MD5
fc46e0114bb04c02fdbed82ca0649fe2

SHA1
89fa143b916318e3a9ea81155ec045fbd8fcdf0b

SHA256
249fe69ad4c7ce632b3ad4f151610e879b269753c5488c3fa52638af4ff2d210

SHA512
0bdd45fd14bd3f1a9a2ed0e6e7b41154b2903284dbcb6483129a617c9237fbfd0489f7d3b59f6a4d0f0a35595b7ecb860fcd68e5dd4554ddb098fbad1f52bccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
3.7MB

MD5
20ba081282aa2edf0d294e8b758f40a3

SHA1
9f6d7c1e1b53825456d83d0d4f34d88639fc516c

SHA256
2d53cd4a7b0861112902d9a4fe41c1f0c97f4379b0fa7e738c27f2f4d3103b90

SHA512
855ddb1efb4868e6ffc6e0f63f6793548946e26762d3f3e6b358a5e9ec9ed5b2d7697383c8dd204f3345ae22dea81ad721043002f61e8e9e2759cd2d99e9e02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
5.2MB

MD5
c7bad70cbfcf8cc2ad7ab16abe62356c

SHA1
a5969acb0b664d5155f269be8ef2fdb574fe0e4d

SHA256
849b828d89b67a1fc574873b8e141e9eecb8710934b9fed87ea70e16dacfc271

SHA512
c524c1334a64f1de9ed47786d863be396cf14c05693f769dc42bbbdb2f4b3a14cb7b6df714758c9114edd928af3801aa7e5479d655ee314fcbbe953d71301069

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
5.2MB

MD5
c7bad70cbfcf8cc2ad7ab16abe62356c

SHA1
a5969acb0b664d5155f269be8ef2fdb574fe0e4d

SHA256
849b828d89b67a1fc574873b8e141e9eecb8710934b9fed87ea70e16dacfc271

SHA512
c524c1334a64f1de9ed47786d863be396cf14c05693f769dc42bbbdb2f4b3a14cb7b6df714758c9114edd928af3801aa7e5479d655ee314fcbbe953d71301069

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
749KB

MD5
e387d5b54de31ab73f36367fdc019b04

SHA1
5d815bca8cbe1319f1b0ccbc86b7721c07eda5c7

SHA256
cc4ebca3790e14b3f00c4afce10f30987ed5ef625a9000422c9abd1a098f783e

SHA512
5d504933bb4015c2293f7c6b1ca9f3b5c6b7faae5175ce1dc79144b45e3f09def17235cfae3cf657f1303e1752d81235de6eabcffd62f324f09f4fea97399da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
749KB

MD5
e387d5b54de31ab73f36367fdc019b04

SHA1
5d815bca8cbe1319f1b0ccbc86b7721c07eda5c7

SHA256
cc4ebca3790e14b3f00c4afce10f30987ed5ef625a9000422c9abd1a098f783e

SHA512
5d504933bb4015c2293f7c6b1ca9f3b5c6b7faae5175ce1dc79144b45e3f09def17235cfae3cf657f1303e1752d81235de6eabcffd62f324f09f4fea97399da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
749KB

MD5
e387d5b54de31ab73f36367fdc019b04

SHA1
5d815bca8cbe1319f1b0ccbc86b7721c07eda5c7

SHA256
cc4ebca3790e14b3f00c4afce10f30987ed5ef625a9000422c9abd1a098f783e

SHA512
5d504933bb4015c2293f7c6b1ca9f3b5c6b7faae5175ce1dc79144b45e3f09def17235cfae3cf657f1303e1752d81235de6eabcffd62f324f09f4fea97399da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
749KB

MD5
e387d5b54de31ab73f36367fdc019b04

SHA1
5d815bca8cbe1319f1b0ccbc86b7721c07eda5c7

SHA256
cc4ebca3790e14b3f00c4afce10f30987ed5ef625a9000422c9abd1a098f783e

SHA512
5d504933bb4015c2293f7c6b1ca9f3b5c6b7faae5175ce1dc79144b45e3f09def17235cfae3cf657f1303e1752d81235de6eabcffd62f324f09f4fea97399da3

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
8efab902a61f6cddc318bb5818c2f2e0

SHA1
9608751279ae04ba710d84c61e3937c12950b393

SHA256
a81d0e86c651ead3e4d9c7f64e637006e787c81c8ba3e784648c2786306bfb87

SHA512
aabd0e45609a39584c68c35e16124b399e9a4932bf6c98c22aa8c6ff71b2fbfc80333102960fcfca1abb38b344245f9cdf4cdc0c827c48235f618011a5fbfe18

Download Submit
C:\Windows\hosts.exe

Filesize
749KB

MD5
2d6edf5a2bf6cf484be473df1150c794

SHA1
1ea6a3e649169bccde28391271a1b3d9efcd70a4

SHA256
3955d120bf96abb1066fa754967dd9e8028b8b44c3c9d96b694dff7b6482d8ae

SHA512
52e66853b6f10f1e440e0f7ecfe0316fab3fd05ffae6483c7af51cfc11bf002f04df6103c5ba4b2045b0028ec541ff0b90306b5287dc6e01dd591973d16c1b02

Download Submit
C:\Windows\hosts.exe

Filesize
749KB

MD5
2d6edf5a2bf6cf484be473df1150c794

SHA1
1ea6a3e649169bccde28391271a1b3d9efcd70a4

SHA256
3955d120bf96abb1066fa754967dd9e8028b8b44c3c9d96b694dff7b6482d8ae

SHA512
52e66853b6f10f1e440e0f7ecfe0316fab3fd05ffae6483c7af51cfc11bf002f04df6103c5ba4b2045b0028ec541ff0b90306b5287dc6e01dd591973d16c1b02

Download Submit
C:\Windows\hosts.exe

Filesize
749KB

MD5
2d6edf5a2bf6cf484be473df1150c794

SHA1
1ea6a3e649169bccde28391271a1b3d9efcd70a4

SHA256
3955d120bf96abb1066fa754967dd9e8028b8b44c3c9d96b694dff7b6482d8ae

SHA512
52e66853b6f10f1e440e0f7ecfe0316fab3fd05ffae6483c7af51cfc11bf002f04df6103c5ba4b2045b0028ec541ff0b90306b5287dc6e01dd591973d16c1b02

Download Submit
C:\Windows\hosts.exe

Filesize
749KB

MD5
2d6edf5a2bf6cf484be473df1150c794

SHA1
1ea6a3e649169bccde28391271a1b3d9efcd70a4

SHA256
3955d120bf96abb1066fa754967dd9e8028b8b44c3c9d96b694dff7b6482d8ae

SHA512
52e66853b6f10f1e440e0f7ecfe0316fab3fd05ffae6483c7af51cfc11bf002f04df6103c5ba4b2045b0028ec541ff0b90306b5287dc6e01dd591973d16c1b02

Download Submit
C:\windows\hosts.exe

Filesize
749KB

MD5
2d6edf5a2bf6cf484be473df1150c794

SHA1
1ea6a3e649169bccde28391271a1b3d9efcd70a4

SHA256
3955d120bf96abb1066fa754967dd9e8028b8b44c3c9d96b694dff7b6482d8ae

SHA512
52e66853b6f10f1e440e0f7ecfe0316fab3fd05ffae6483c7af51cfc11bf002f04df6103c5ba4b2045b0028ec541ff0b90306b5287dc6e01dd591973d16c1b02

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
749KB

MD5
e387d5b54de31ab73f36367fdc019b04

SHA1
5d815bca8cbe1319f1b0ccbc86b7721c07eda5c7

SHA256
cc4ebca3790e14b3f00c4afce10f30987ed5ef625a9000422c9abd1a098f783e

SHA512
5d504933bb4015c2293f7c6b1ca9f3b5c6b7faae5175ce1dc79144b45e3f09def17235cfae3cf657f1303e1752d81235de6eabcffd62f324f09f4fea97399da3

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
749KB

MD5
e387d5b54de31ab73f36367fdc019b04

SHA1
5d815bca8cbe1319f1b0ccbc86b7721c07eda5c7

SHA256
cc4ebca3790e14b3f00c4afce10f30987ed5ef625a9000422c9abd1a098f783e

SHA512
5d504933bb4015c2293f7c6b1ca9f3b5c6b7faae5175ce1dc79144b45e3f09def17235cfae3cf657f1303e1752d81235de6eabcffd62f324f09f4fea97399da3

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
749KB

MD5
e387d5b54de31ab73f36367fdc019b04

SHA1
5d815bca8cbe1319f1b0ccbc86b7721c07eda5c7

SHA256
cc4ebca3790e14b3f00c4afce10f30987ed5ef625a9000422c9abd1a098f783e

SHA512
5d504933bb4015c2293f7c6b1ca9f3b5c6b7faae5175ce1dc79144b45e3f09def17235cfae3cf657f1303e1752d81235de6eabcffd62f324f09f4fea97399da3

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
749KB

MD5
e387d5b54de31ab73f36367fdc019b04

SHA1
5d815bca8cbe1319f1b0ccbc86b7721c07eda5c7

SHA256
cc4ebca3790e14b3f00c4afce10f30987ed5ef625a9000422c9abd1a098f783e

SHA512
5d504933bb4015c2293f7c6b1ca9f3b5c6b7faae5175ce1dc79144b45e3f09def17235cfae3cf657f1303e1752d81235de6eabcffd62f324f09f4fea97399da3

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
749KB

MD5
e387d5b54de31ab73f36367fdc019b04

SHA1
5d815bca8cbe1319f1b0ccbc86b7721c07eda5c7

SHA256
cc4ebca3790e14b3f00c4afce10f30987ed5ef625a9000422c9abd1a098f783e

SHA512
5d504933bb4015c2293f7c6b1ca9f3b5c6b7faae5175ce1dc79144b45e3f09def17235cfae3cf657f1303e1752d81235de6eabcffd62f324f09f4fea97399da3

Download Submit
memory/1140-58-0x00000000745E1000-0x00000000745E3000-memory.dmp

Filesize
8KB

Download
memory/1140-56-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads