b7ea5d88eea4a87ac850b243528cccdb60d7cc2825bbfa219c669a930c9ac2d5

Analysis

max time kernel
153s
max time network
68s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 21:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b7ea5d88eea4a87ac850b243528cccdb60d7cc2825bbfa219c669a930c9ac2d5.exe
Size

702KB
MD5

710267f20a06c598f14834f26d9d16ca
SHA1

5779354fa15dd9b2aa687899dc5948a8236af085
SHA256

b7ea5d88eea4a87ac850b243528cccdb60d7cc2825bbfa219c669a930c9ac2d5
SHA512

55fd41562f5b245564520c48747e6bfddfe85e043f788a7d7ca494a6e33406cec4ffe47ce63a1d8f08e17d0297e9efbd0d05f06c57c744be0c2d47970d90ec06
SSDEEP

12288:g72bntEDs72bntEDI472bntEDs72bntEDISD:g72zms72zmh72zms72zmx

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	b7ea5d88eea4a87ac850b243528cccdb60d7cc2825bbfa219c669a930c9ac2d5.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	b7ea5d88eea4a87ac850b243528cccdb60d7cc2825bbfa219c669a930c9ac2d5.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\SABDUHNY = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\SABDUHNY = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\SABDUHNY = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
1504	avscan.exe
628	avscan.exe
396	hosts.exe
1008	hosts.exe
920	avscan.exe
956	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
1536	b7ea5d88eea4a87ac850b243528cccdb60d7cc2825bbfa219c669a930c9ac2d5.exe
1536	b7ea5d88eea4a87ac850b243528cccdb60d7cc2825bbfa219c669a930c9ac2d5.exe
1504	avscan.exe
396	hosts.exe
396	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	b7ea5d88eea4a87ac850b243528cccdb60d7cc2825bbfa219c669a930c9ac2d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	b7ea5d88eea4a87ac850b243528cccdb60d7cc2825bbfa219c669a930c9ac2d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\W_X_C.vbs	b7ea5d88eea4a87ac850b243528cccdb60d7cc2825bbfa219c669a930c9ac2d5.exe
File created	\??\c:\windows\W_X_C.bat	b7ea5d88eea4a87ac850b243528cccdb60d7cc2825bbfa219c669a930c9ac2d5.exe
File opened for modification	C:\Windows\hosts.exe	b7ea5d88eea4a87ac850b243528cccdb60d7cc2825bbfa219c669a930c9ac2d5.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
2036	REG.exe
1628	REG.exe
1596	REG.exe
940	REG.exe
1308	REG.exe
1128	REG.exe
952	REG.exe
948	REG.exe
1192	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1504	avscan.exe
396	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1536	b7ea5d88eea4a87ac850b243528cccdb60d7cc2825bbfa219c669a930c9ac2d5.exe
1504	avscan.exe
628	avscan.exe
396	hosts.exe
1008	hosts.exe
920	avscan.exe
956	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 952	1536	b7ea5d88eea4a87ac850b243528cccdb60d7cc2825bbfa219c669a930c9ac2d5.exe	28
PID 1536 wrote to memory of 952	1536	b7ea5d88eea4a87ac850b243528cccdb60d7cc2825bbfa219c669a930c9ac2d5.exe	28
PID 1536 wrote to memory of 952	1536	b7ea5d88eea4a87ac850b243528cccdb60d7cc2825bbfa219c669a930c9ac2d5.exe	28
PID 1536 wrote to memory of 952	1536	b7ea5d88eea4a87ac850b243528cccdb60d7cc2825bbfa219c669a930c9ac2d5.exe	28
PID 1536 wrote to memory of 1504	1536	b7ea5d88eea4a87ac850b243528cccdb60d7cc2825bbfa219c669a930c9ac2d5.exe	30
PID 1536 wrote to memory of 1504	1536	b7ea5d88eea4a87ac850b243528cccdb60d7cc2825bbfa219c669a930c9ac2d5.exe	30
PID 1536 wrote to memory of 1504	1536	b7ea5d88eea4a87ac850b243528cccdb60d7cc2825bbfa219c669a930c9ac2d5.exe	30
PID 1536 wrote to memory of 1504	1536	b7ea5d88eea4a87ac850b243528cccdb60d7cc2825bbfa219c669a930c9ac2d5.exe	30
PID 1504 wrote to memory of 628	1504	avscan.exe	31
PID 1504 wrote to memory of 628	1504	avscan.exe	31
PID 1504 wrote to memory of 628	1504	avscan.exe	31
PID 1504 wrote to memory of 628	1504	avscan.exe	31
PID 1504 wrote to memory of 1500	1504	avscan.exe	32
PID 1504 wrote to memory of 1500	1504	avscan.exe	32
PID 1504 wrote to memory of 1500	1504	avscan.exe	32
PID 1504 wrote to memory of 1500	1504	avscan.exe	32
PID 1536 wrote to memory of 752	1536	b7ea5d88eea4a87ac850b243528cccdb60d7cc2825bbfa219c669a930c9ac2d5.exe	33
PID 1536 wrote to memory of 752	1536	b7ea5d88eea4a87ac850b243528cccdb60d7cc2825bbfa219c669a930c9ac2d5.exe	33
PID 1536 wrote to memory of 752	1536	b7ea5d88eea4a87ac850b243528cccdb60d7cc2825bbfa219c669a930c9ac2d5.exe	33
PID 1536 wrote to memory of 752	1536	b7ea5d88eea4a87ac850b243528cccdb60d7cc2825bbfa219c669a930c9ac2d5.exe	33
PID 1500 wrote to memory of 1008	1500	cmd.exe	36
PID 1500 wrote to memory of 1008	1500	cmd.exe	36
PID 1500 wrote to memory of 1008	1500	cmd.exe	36
PID 1500 wrote to memory of 1008	1500	cmd.exe	36
PID 752 wrote to memory of 396	752	cmd.exe	37
PID 752 wrote to memory of 396	752	cmd.exe	37
PID 752 wrote to memory of 396	752	cmd.exe	37
PID 752 wrote to memory of 396	752	cmd.exe	37
PID 396 wrote to memory of 920	396	hosts.exe	38
PID 396 wrote to memory of 920	396	hosts.exe	38
PID 396 wrote to memory of 920	396	hosts.exe	38
PID 396 wrote to memory of 920	396	hosts.exe	38
PID 1500 wrote to memory of 1844	1500	cmd.exe	39
PID 1500 wrote to memory of 1844	1500	cmd.exe	39
PID 1500 wrote to memory of 1844	1500	cmd.exe	39
PID 1500 wrote to memory of 1844	1500	cmd.exe	39
PID 752 wrote to memory of 1636	752	cmd.exe	40
PID 752 wrote to memory of 1636	752	cmd.exe	40
PID 752 wrote to memory of 1636	752	cmd.exe	40
PID 752 wrote to memory of 1636	752	cmd.exe	40
PID 396 wrote to memory of 1156	396	hosts.exe	41
PID 396 wrote to memory of 1156	396	hosts.exe	41
PID 396 wrote to memory of 1156	396	hosts.exe	41
PID 396 wrote to memory of 1156	396	hosts.exe	41
PID 1156 wrote to memory of 956	1156	cmd.exe	43
PID 1156 wrote to memory of 956	1156	cmd.exe	43
PID 1156 wrote to memory of 956	1156	cmd.exe	43
PID 1156 wrote to memory of 956	1156	cmd.exe	43
PID 1156 wrote to memory of 1604	1156	cmd.exe	44
PID 1156 wrote to memory of 1604	1156	cmd.exe	44
PID 1156 wrote to memory of 1604	1156	cmd.exe	44
PID 1156 wrote to memory of 1604	1156	cmd.exe	44
PID 1504 wrote to memory of 2036	1504	avscan.exe	45
PID 1504 wrote to memory of 2036	1504	avscan.exe	45
PID 1504 wrote to memory of 2036	1504	avscan.exe	45
PID 1504 wrote to memory of 2036	1504	avscan.exe	45
PID 396 wrote to memory of 948	396	hosts.exe	47
PID 396 wrote to memory of 948	396	hosts.exe	47
PID 396 wrote to memory of 948	396	hosts.exe	47
PID 396 wrote to memory of 948	396	hosts.exe	47
PID 1504 wrote to memory of 1596	1504	avscan.exe	50
PID 1504 wrote to memory of 1596	1504	avscan.exe	50
PID 1504 wrote to memory of 1596	1504	avscan.exe	50
PID 1504 wrote to memory of 1596	1504	avscan.exe	50

C:\Users\Admin\AppData\Local\Temp\b7ea5d88eea4a87ac850b243528cccdb60d7cc2825bbfa219c669a930c9ac2d5.exe
"C:\Users\Admin\AppData\Local\Temp\b7ea5d88eea4a87ac850b243528cccdb60d7cc2825bbfa219c669a930c9ac2d5.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:952
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:628
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1500
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1008
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:1844
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:2036
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1596
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:940
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1192
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:396
  - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:920
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\W_X_C.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1156
    - - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:956
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        5⤵
        Adds policy Run key to start application
        
        PID:1604
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:948
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1628
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1308
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1128
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:1636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
750KB

MD5
f949f65bcf8caabe7ce3fa0ae9887a47

SHA1
7b6db6f38d247b2b3db48f72aa0de4e7fa41ebed

SHA256
bf184130ed9937b068f0845f16358f6dd20b40e86025914afdb33aaa5c527777

SHA512
e00e90baefbb0da8ce923b0ecfea663f85922a892a539cb811090977e4593e87369503a545c66560de5449ec698baf411c09993603d31c8ddc12fe66f11649d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.1MB

MD5
7b828477feef45743b09492794105f7e

SHA1
826c549bbf7333f8230a5d3c557e3a152bb2296e

SHA256
24948c4373a4c38a7537c731d4020a54072aaf2ca5643f07c71e7ada27fab014

SHA512
8b4df88f67d36a311a11f6db75c73ec473035e78cbc51341c28feab149ff6b0ae236f373a27f260cbe246dc5bb8d25e36c4cbb00369bcbb4687d55c0e02c8392

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.1MB

MD5
7b828477feef45743b09492794105f7e

SHA1
826c549bbf7333f8230a5d3c557e3a152bb2296e

SHA256
24948c4373a4c38a7537c731d4020a54072aaf2ca5643f07c71e7ada27fab014

SHA512
8b4df88f67d36a311a11f6db75c73ec473035e78cbc51341c28feab149ff6b0ae236f373a27f260cbe246dc5bb8d25e36c4cbb00369bcbb4687d55c0e02c8392

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
3.5MB

MD5
98c5eb83d6c37886a0b3380377f1a247

SHA1
cbd8e6618d3c9e552610a0526c17d69df47d122d

SHA256
c8378abc1bbb9ae6476f7fb407f4d90188f434bd46a95de5e1aed3743d6db754

SHA512
bdcaaa1eae8862cd708fa25f51bca07796025eab253d859f2af135576b749786f44366381052023cc97944f504f04e224370aa55ce3ddf7cfb420d8fb3e64918

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
4.8MB

MD5
d0e35725308f7efa96a2c4ee1473493b

SHA1
90089c3fccd8b527406daeb992ffe998e04f7ad2

SHA256
7894987035b28626fbbdaf0564c79c8e65dff52eaf6909e378bc462b25571cc4

SHA512
960ceb0ba96f03e7996642cb64f471725b89a64158383412087150b2f536fef30654e54c7a23ef542468236e1858d010781067c3d2e5e5ba013a2d6b4294e3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
4.8MB

MD5
25beffddec9d0c708654e1d680565ed8

SHA1
1fce52b7f187df5f12de490b43047cb2f29a6015

SHA256
d5fb3320604bc7ba940dc90ac8ea2dba22fcd4b73a922dee79dabec9fffc6725

SHA512
2da9b654a67e4901f54f0a1a7f684986b07cb4ddaac30866f8e23fe46156dc88d751936fd94459e4bb7b7dee86b124d3a0feec015ff26fbaf2e47baa2f85f1b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
702KB

MD5
2e6c18c2728a366a2d7025fbd8a465c5

SHA1
a3682405d68d8a530f9789274f7a446dacfea2c3

SHA256
47b1b98e05ceb32ca5d442a814ff3b47a216735120ff75d271f9c62804e192c6

SHA512
52bd80ab28a7ecd1278dc2f3be8a15953d2ea8763e0a5aa46fb45da9f021f0d6eaf14ca02dfc943ddd566317e655912710feca6a6a88d0d0238a5c34bd3fdc18

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
702KB

MD5
2e6c18c2728a366a2d7025fbd8a465c5

SHA1
a3682405d68d8a530f9789274f7a446dacfea2c3

SHA256
47b1b98e05ceb32ca5d442a814ff3b47a216735120ff75d271f9c62804e192c6

SHA512
52bd80ab28a7ecd1278dc2f3be8a15953d2ea8763e0a5aa46fb45da9f021f0d6eaf14ca02dfc943ddd566317e655912710feca6a6a88d0d0238a5c34bd3fdc18

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
702KB

MD5
2e6c18c2728a366a2d7025fbd8a465c5

SHA1
a3682405d68d8a530f9789274f7a446dacfea2c3

SHA256
47b1b98e05ceb32ca5d442a814ff3b47a216735120ff75d271f9c62804e192c6

SHA512
52bd80ab28a7ecd1278dc2f3be8a15953d2ea8763e0a5aa46fb45da9f021f0d6eaf14ca02dfc943ddd566317e655912710feca6a6a88d0d0238a5c34bd3fdc18

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
702KB

MD5
2e6c18c2728a366a2d7025fbd8a465c5

SHA1
a3682405d68d8a530f9789274f7a446dacfea2c3

SHA256
47b1b98e05ceb32ca5d442a814ff3b47a216735120ff75d271f9c62804e192c6

SHA512
52bd80ab28a7ecd1278dc2f3be8a15953d2ea8763e0a5aa46fb45da9f021f0d6eaf14ca02dfc943ddd566317e655912710feca6a6a88d0d0238a5c34bd3fdc18

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
6d7a78ec09068987a6bec39d91fa2997

SHA1
e74ad929b10ad126cab230e0ea5ec239cbeaf12b

SHA256
d87abc4daf79735e1afda9ba17e27ca3e8c8775af50c18e67579da6384da53c6

SHA512
e912df74b128cb69c204fe6395f2237f7b2f240642312a66ff4e89004ac7736125155078e47591b26e686ec4f09d25bc4cf1575cc590bffe587962c02fa8e395

Download Submit
C:\Windows\hosts.exe

Filesize
702KB

MD5
2e6c18c2728a366a2d7025fbd8a465c5

SHA1
a3682405d68d8a530f9789274f7a446dacfea2c3

SHA256
47b1b98e05ceb32ca5d442a814ff3b47a216735120ff75d271f9c62804e192c6

SHA512
52bd80ab28a7ecd1278dc2f3be8a15953d2ea8763e0a5aa46fb45da9f021f0d6eaf14ca02dfc943ddd566317e655912710feca6a6a88d0d0238a5c34bd3fdc18

Download Submit
C:\Windows\hosts.exe

Filesize
702KB

MD5
9be5359c46486a8d26ad186e50124e8c

SHA1
406b3d9a76bd9a483e2f6dc59a5e8ba5ff106520

SHA256
53a8fb7694491ab7114ecf975bc05a5204af52c0d851f8d767344e9dafd1f7b9

SHA512
c2ba76c1beddc5f656262bcf585a8a0021d1d1a1c4e867dc7f092ca4b2b780b83a12297d30f96c9563b17fa1868c511294df7af32d60e8fbb5def78dba8e4816

Download Submit
C:\Windows\hosts.exe

Filesize
702KB

MD5
9be5359c46486a8d26ad186e50124e8c

SHA1
406b3d9a76bd9a483e2f6dc59a5e8ba5ff106520

SHA256
53a8fb7694491ab7114ecf975bc05a5204af52c0d851f8d767344e9dafd1f7b9

SHA512
c2ba76c1beddc5f656262bcf585a8a0021d1d1a1c4e867dc7f092ca4b2b780b83a12297d30f96c9563b17fa1868c511294df7af32d60e8fbb5def78dba8e4816

Download Submit
C:\Windows\hosts.exe

Filesize
702KB

MD5
9be5359c46486a8d26ad186e50124e8c

SHA1
406b3d9a76bd9a483e2f6dc59a5e8ba5ff106520

SHA256
53a8fb7694491ab7114ecf975bc05a5204af52c0d851f8d767344e9dafd1f7b9

SHA512
c2ba76c1beddc5f656262bcf585a8a0021d1d1a1c4e867dc7f092ca4b2b780b83a12297d30f96c9563b17fa1868c511294df7af32d60e8fbb5def78dba8e4816

Download Submit
C:\windows\hosts.exe

Filesize
702KB

MD5
9be5359c46486a8d26ad186e50124e8c

SHA1
406b3d9a76bd9a483e2f6dc59a5e8ba5ff106520

SHA256
53a8fb7694491ab7114ecf975bc05a5204af52c0d851f8d767344e9dafd1f7b9

SHA512
c2ba76c1beddc5f656262bcf585a8a0021d1d1a1c4e867dc7f092ca4b2b780b83a12297d30f96c9563b17fa1868c511294df7af32d60e8fbb5def78dba8e4816

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
702KB

MD5
2e6c18c2728a366a2d7025fbd8a465c5

SHA1
a3682405d68d8a530f9789274f7a446dacfea2c3

SHA256
47b1b98e05ceb32ca5d442a814ff3b47a216735120ff75d271f9c62804e192c6

SHA512
52bd80ab28a7ecd1278dc2f3be8a15953d2ea8763e0a5aa46fb45da9f021f0d6eaf14ca02dfc943ddd566317e655912710feca6a6a88d0d0238a5c34bd3fdc18

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
702KB

MD5
2e6c18c2728a366a2d7025fbd8a465c5

SHA1
a3682405d68d8a530f9789274f7a446dacfea2c3

SHA256
47b1b98e05ceb32ca5d442a814ff3b47a216735120ff75d271f9c62804e192c6

SHA512
52bd80ab28a7ecd1278dc2f3be8a15953d2ea8763e0a5aa46fb45da9f021f0d6eaf14ca02dfc943ddd566317e655912710feca6a6a88d0d0238a5c34bd3fdc18

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
702KB

MD5
2e6c18c2728a366a2d7025fbd8a465c5

SHA1
a3682405d68d8a530f9789274f7a446dacfea2c3

SHA256
47b1b98e05ceb32ca5d442a814ff3b47a216735120ff75d271f9c62804e192c6

SHA512
52bd80ab28a7ecd1278dc2f3be8a15953d2ea8763e0a5aa46fb45da9f021f0d6eaf14ca02dfc943ddd566317e655912710feca6a6a88d0d0238a5c34bd3fdc18

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
702KB

MD5
2e6c18c2728a366a2d7025fbd8a465c5

SHA1
a3682405d68d8a530f9789274f7a446dacfea2c3

SHA256
47b1b98e05ceb32ca5d442a814ff3b47a216735120ff75d271f9c62804e192c6

SHA512
52bd80ab28a7ecd1278dc2f3be8a15953d2ea8763e0a5aa46fb45da9f021f0d6eaf14ca02dfc943ddd566317e655912710feca6a6a88d0d0238a5c34bd3fdc18

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
702KB

MD5
2e6c18c2728a366a2d7025fbd8a465c5

SHA1
a3682405d68d8a530f9789274f7a446dacfea2c3

SHA256
47b1b98e05ceb32ca5d442a814ff3b47a216735120ff75d271f9c62804e192c6

SHA512
52bd80ab28a7ecd1278dc2f3be8a15953d2ea8763e0a5aa46fb45da9f021f0d6eaf14ca02dfc943ddd566317e655912710feca6a6a88d0d0238a5c34bd3fdc18

Download Submit
memory/1536-56-0x00000000764C1000-0x00000000764C3000-memory.dmp

Filesize
8KB

Download
memory/1536-58-0x0000000074781000-0x0000000074783000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads