b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314

Analysis

max time kernel
134s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe
Size

368KB
MD5

c766a6bb8dc3988bbaf92dd98be8aa6c
SHA1

f44ae2f9e62f00f0488c52cf913656a1db621457
SHA256

b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314
SHA512

cc4626fb40a4b41af57ae7c1ba32c2228066015eea7fb37b2e2860689756888296129ff0bc64ccdd4783d7923e41254638567f6c10a0331f1aefdb7583444996
SSDEEP

6144:gDCwfG1bnxLERR9sa/6XDCwfG1bnxLERR9sa/6f2:g72bntEL9//6X72bntEL9//6e

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VUIIVLGQ = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VUIIVLGQ = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VUIIVLGQ = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
1364	avscan.exe
652	avscan.exe
1668	hosts.exe
1004	hosts.exe
1512	avscan.exe
1008	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
532	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe
532	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe
1364	avscan.exe
1668	hosts.exe
1668	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\hosts.exe	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe
File created	\??\c:\windows\W_X_C.bat	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
484	REG.exe
472	REG.exe
1696	REG.exe
1792	REG.exe
1748	REG.exe
1588	REG.exe
676	REG.exe
876	REG.exe
1800	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1364	avscan.exe
1668	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
532	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe
1364	avscan.exe
652	avscan.exe
1668	hosts.exe
1004	hosts.exe
1512	avscan.exe
1008	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 532 wrote to memory of 1748	532	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe	28
PID 532 wrote to memory of 1748	532	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe	28
PID 532 wrote to memory of 1748	532	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe	28
PID 532 wrote to memory of 1748	532	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe	28
PID 532 wrote to memory of 1364	532	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe	30
PID 532 wrote to memory of 1364	532	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe	30
PID 532 wrote to memory of 1364	532	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe	30
PID 532 wrote to memory of 1364	532	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe	30
PID 1364 wrote to memory of 652	1364	avscan.exe	31
PID 1364 wrote to memory of 652	1364	avscan.exe	31
PID 1364 wrote to memory of 652	1364	avscan.exe	31
PID 1364 wrote to memory of 652	1364	avscan.exe	31
PID 1364 wrote to memory of 580	1364	avscan.exe	32
PID 1364 wrote to memory of 580	1364	avscan.exe	32
PID 1364 wrote to memory of 580	1364	avscan.exe	32
PID 1364 wrote to memory of 580	1364	avscan.exe	32
PID 532 wrote to memory of 1852	532	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe	33
PID 532 wrote to memory of 1852	532	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe	33
PID 532 wrote to memory of 1852	532	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe	33
PID 532 wrote to memory of 1852	532	b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe	33
PID 1852 wrote to memory of 1004	1852	cmd.exe	36
PID 1852 wrote to memory of 1004	1852	cmd.exe	36
PID 1852 wrote to memory of 1004	1852	cmd.exe	36
PID 1852 wrote to memory of 1004	1852	cmd.exe	36
PID 580 wrote to memory of 1668	580	cmd.exe	37
PID 580 wrote to memory of 1668	580	cmd.exe	37
PID 580 wrote to memory of 1668	580	cmd.exe	37
PID 580 wrote to memory of 1668	580	cmd.exe	37
PID 1852 wrote to memory of 856	1852	cmd.exe	38
PID 1852 wrote to memory of 856	1852	cmd.exe	38
PID 1852 wrote to memory of 856	1852	cmd.exe	38
PID 1852 wrote to memory of 856	1852	cmd.exe	38
PID 580 wrote to memory of 1076	580	cmd.exe	39
PID 580 wrote to memory of 1076	580	cmd.exe	39
PID 580 wrote to memory of 1076	580	cmd.exe	39
PID 580 wrote to memory of 1076	580	cmd.exe	39
PID 1668 wrote to memory of 1512	1668	hosts.exe	40
PID 1668 wrote to memory of 1512	1668	hosts.exe	40
PID 1668 wrote to memory of 1512	1668	hosts.exe	40
PID 1668 wrote to memory of 1512	1668	hosts.exe	40
PID 1668 wrote to memory of 1100	1668	hosts.exe	41
PID 1668 wrote to memory of 1100	1668	hosts.exe	41
PID 1668 wrote to memory of 1100	1668	hosts.exe	41
PID 1668 wrote to memory of 1100	1668	hosts.exe	41
PID 1100 wrote to memory of 1008	1100	cmd.exe	43
PID 1100 wrote to memory of 1008	1100	cmd.exe	43
PID 1100 wrote to memory of 1008	1100	cmd.exe	43
PID 1100 wrote to memory of 1008	1100	cmd.exe	43
PID 1100 wrote to memory of 1360	1100	cmd.exe	44
PID 1100 wrote to memory of 1360	1100	cmd.exe	44
PID 1100 wrote to memory of 1360	1100	cmd.exe	44
PID 1100 wrote to memory of 1360	1100	cmd.exe	44
PID 1364 wrote to memory of 484	1364	avscan.exe	45
PID 1364 wrote to memory of 484	1364	avscan.exe	45
PID 1364 wrote to memory of 484	1364	avscan.exe	45
PID 1364 wrote to memory of 484	1364	avscan.exe	45
PID 1668 wrote to memory of 472	1668	hosts.exe	47
PID 1668 wrote to memory of 472	1668	hosts.exe	47
PID 1668 wrote to memory of 472	1668	hosts.exe	47
PID 1668 wrote to memory of 472	1668	hosts.exe	47
PID 1364 wrote to memory of 1588	1364	avscan.exe	50
PID 1364 wrote to memory of 1588	1364	avscan.exe	50
PID 1364 wrote to memory of 1588	1364	avscan.exe	50
PID 1364 wrote to memory of 1588	1364	avscan.exe	50

C:\Users\Admin\AppData\Local\Temp\b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe
"C:\Users\Admin\AppData\Local\Temp\b5525bad02ab16abbcf833fc1950b733e445422ef4496499ae8c30eec53c5314.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:532
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:1748
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:652
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:580
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1668
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1512
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\W_X_C.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1100
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1008
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:1360
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:472
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1696
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:676
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:876
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:1076
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:484
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1588
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1792
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1004
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
784KB

MD5
f53333eae5c4b771832d0c3122eaffdb

SHA1
665ae2cef2c162c3d39caad2b828dbcc766747f8

SHA256
b8ad95293c27dc3363908facc3c03dce0bf717896279bfe3ad7e522aa91e7be4

SHA512
92745d98c151c3029e17280ce79f37e46baf5b80687c8efda6daef45cf7921e67626c592aa0211954eba9210d23b4e49c6094460cf0c03ae7e2a7fdaae7608da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.5MB

MD5
53d59030ad44049307c364f29493d176

SHA1
6ee81506f9673b912f98a895cf8e553936d72532

SHA256
f584ff3db11c1a3d014854ca273f03cebc548392c2bd00aeb6311062e004902d

SHA512
4a127fbad2289268b0780ffdf085e1b5c4f21fca8d048d8dfa342d857893204108d727c1d20a918b804763542b07224cf00ab0a80bbcb6c059efe8f9a693b139

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.8MB

MD5
a47f6ff2207a726ed0b428c26e312130

SHA1
a1d817841f662b30c446975dfc4a72803c5f3721

SHA256
87f0c7fd607ad246df8b8caeb236f1fce5bc20aa0ea12c55cd19c3fc73320d47

SHA512
1f1011812bff0d77e9824658f6f3f4f1f364339e364eac51277474f2d560518b17733f1e544f8eb06187e53de73696922fa8ce5e14bb4bbb17f2be2326065943

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.2MB

MD5
a71472fedec8bfb3f20045f032c2cab1

SHA1
419145884e98fb19325ecda900ef53f73a9ab3bb

SHA256
d39b19f7b9346c23bca13226a55a27c86b45dd6f08cc7d72adaede90b742ff4a

SHA512
278a4d3e706938d0c1fae55a45520748b7872c8a9c1669912f54774ffd6fe7a034896ab638424669758bd9b498e9323370c3b0948feb7a44ea3fab8c081977b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.9MB

MD5
085cb50f582156edafd55565fff69b07

SHA1
e973d49dcc2f1991f7f7d1b04dc42634e8d6a2ad

SHA256
9187a783ef335e82ee4ace058577fe810909016999e98f39c7335e9c85a9c9b5

SHA512
21f60491e842276a347dcb06c00add952d7031e5fa3b4ade90c9b25df5b2ca38dc4d631ac66578bff1b1774d7e9a0c46327f5f2dadd0c29bc0d083ff8f1011a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.9MB

MD5
bfa934087ecf2397e6d19848a778875a

SHA1
c0d2741e787be5c716eb9ba0cb25bd4eda3575b0

SHA256
758c106a9d7c5114b667dc6b3db406e9bff77a7307b0303a5963b8eb6ca5af7a

SHA512
467a9c8ac73e24379b7463397f9cf190c2b7fd8aaaf1a151316893bf0c31c001cae0cd39f0dcd74c4cfd7b52da3c225e31c98ba4c73025e67dbebff85e5d5014

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
368KB

MD5
12f9668262bc85c3ca39707e7d457486

SHA1
44d3af6487f043980627273a0ccb77c52c95d8ed

SHA256
3f30f4a43d50265fa6acb21e6bd9d01dba85bfacaec2e34f166d4bf094eb3f69

SHA512
3331d1960d689e88388a90f71873cb02a0d6b0b84dbcff3e123932943ef8cb76b45f99ab22a1f2bb3792d93501b4a1845b1c3ebc6c414e1381354187f0d660e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
368KB

MD5
12f9668262bc85c3ca39707e7d457486

SHA1
44d3af6487f043980627273a0ccb77c52c95d8ed

SHA256
3f30f4a43d50265fa6acb21e6bd9d01dba85bfacaec2e34f166d4bf094eb3f69

SHA512
3331d1960d689e88388a90f71873cb02a0d6b0b84dbcff3e123932943ef8cb76b45f99ab22a1f2bb3792d93501b4a1845b1c3ebc6c414e1381354187f0d660e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
368KB

MD5
12f9668262bc85c3ca39707e7d457486

SHA1
44d3af6487f043980627273a0ccb77c52c95d8ed

SHA256
3f30f4a43d50265fa6acb21e6bd9d01dba85bfacaec2e34f166d4bf094eb3f69

SHA512
3331d1960d689e88388a90f71873cb02a0d6b0b84dbcff3e123932943ef8cb76b45f99ab22a1f2bb3792d93501b4a1845b1c3ebc6c414e1381354187f0d660e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
368KB

MD5
12f9668262bc85c3ca39707e7d457486

SHA1
44d3af6487f043980627273a0ccb77c52c95d8ed

SHA256
3f30f4a43d50265fa6acb21e6bd9d01dba85bfacaec2e34f166d4bf094eb3f69

SHA512
3331d1960d689e88388a90f71873cb02a0d6b0b84dbcff3e123932943ef8cb76b45f99ab22a1f2bb3792d93501b4a1845b1c3ebc6c414e1381354187f0d660e2

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
bb5f0d81909924d647dc29f49c1ab135

SHA1
3f69821597fc6e1bf95639ed73729d5b28d30571

SHA256
71a89829e758fce2196f5ae1fce0af4110c85b65f1cacbd9d34394843a0e9563

SHA512
e4459b6d398a439a6c086e1fbec0ce713c530f8c6ff9237fa080eb3fed35fcb938d88eb70bef32fe5d7853435c3cca5a25c207473239c460633ac30e302765ab

Download Submit
C:\Windows\hosts.exe

Filesize
368KB

MD5
12f9668262bc85c3ca39707e7d457486

SHA1
44d3af6487f043980627273a0ccb77c52c95d8ed

SHA256
3f30f4a43d50265fa6acb21e6bd9d01dba85bfacaec2e34f166d4bf094eb3f69

SHA512
3331d1960d689e88388a90f71873cb02a0d6b0b84dbcff3e123932943ef8cb76b45f99ab22a1f2bb3792d93501b4a1845b1c3ebc6c414e1381354187f0d660e2

Download Submit
C:\Windows\hosts.exe

Filesize
368KB

MD5
6fb95c0ec4d47b03fd3be7fd47a786f1

SHA1
a3993a4938b9571c82656f3838b1c05b9dcc10a5

SHA256
1c28b21f1ee847ea4ebb0032aaed2d8b8782b1b18e43160498bbc85d95a3760e

SHA512
26fe6f3bb50b4b12f85f027032bfd83efe5fb7a1b5389fe2e0d75a9d13dd24b5cd2bb6190a8433d8ac92f142cc97ed0d03b358999a8e85b3f29fb7ec843b873b

Download Submit
C:\Windows\hosts.exe

Filesize
368KB

MD5
6fb95c0ec4d47b03fd3be7fd47a786f1

SHA1
a3993a4938b9571c82656f3838b1c05b9dcc10a5

SHA256
1c28b21f1ee847ea4ebb0032aaed2d8b8782b1b18e43160498bbc85d95a3760e

SHA512
26fe6f3bb50b4b12f85f027032bfd83efe5fb7a1b5389fe2e0d75a9d13dd24b5cd2bb6190a8433d8ac92f142cc97ed0d03b358999a8e85b3f29fb7ec843b873b

Download Submit
C:\Windows\hosts.exe

Filesize
368KB

MD5
6fb95c0ec4d47b03fd3be7fd47a786f1

SHA1
a3993a4938b9571c82656f3838b1c05b9dcc10a5

SHA256
1c28b21f1ee847ea4ebb0032aaed2d8b8782b1b18e43160498bbc85d95a3760e

SHA512
26fe6f3bb50b4b12f85f027032bfd83efe5fb7a1b5389fe2e0d75a9d13dd24b5cd2bb6190a8433d8ac92f142cc97ed0d03b358999a8e85b3f29fb7ec843b873b

Download Submit
C:\windows\hosts.exe

Filesize
368KB

MD5
6fb95c0ec4d47b03fd3be7fd47a786f1

SHA1
a3993a4938b9571c82656f3838b1c05b9dcc10a5

SHA256
1c28b21f1ee847ea4ebb0032aaed2d8b8782b1b18e43160498bbc85d95a3760e

SHA512
26fe6f3bb50b4b12f85f027032bfd83efe5fb7a1b5389fe2e0d75a9d13dd24b5cd2bb6190a8433d8ac92f142cc97ed0d03b358999a8e85b3f29fb7ec843b873b

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
368KB

MD5
12f9668262bc85c3ca39707e7d457486

SHA1
44d3af6487f043980627273a0ccb77c52c95d8ed

SHA256
3f30f4a43d50265fa6acb21e6bd9d01dba85bfacaec2e34f166d4bf094eb3f69

SHA512
3331d1960d689e88388a90f71873cb02a0d6b0b84dbcff3e123932943ef8cb76b45f99ab22a1f2bb3792d93501b4a1845b1c3ebc6c414e1381354187f0d660e2

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
368KB

MD5
12f9668262bc85c3ca39707e7d457486

SHA1
44d3af6487f043980627273a0ccb77c52c95d8ed

SHA256
3f30f4a43d50265fa6acb21e6bd9d01dba85bfacaec2e34f166d4bf094eb3f69

SHA512
3331d1960d689e88388a90f71873cb02a0d6b0b84dbcff3e123932943ef8cb76b45f99ab22a1f2bb3792d93501b4a1845b1c3ebc6c414e1381354187f0d660e2

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
368KB

MD5
12f9668262bc85c3ca39707e7d457486

SHA1
44d3af6487f043980627273a0ccb77c52c95d8ed

SHA256
3f30f4a43d50265fa6acb21e6bd9d01dba85bfacaec2e34f166d4bf094eb3f69

SHA512
3331d1960d689e88388a90f71873cb02a0d6b0b84dbcff3e123932943ef8cb76b45f99ab22a1f2bb3792d93501b4a1845b1c3ebc6c414e1381354187f0d660e2

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
368KB

MD5
12f9668262bc85c3ca39707e7d457486

SHA1
44d3af6487f043980627273a0ccb77c52c95d8ed

SHA256
3f30f4a43d50265fa6acb21e6bd9d01dba85bfacaec2e34f166d4bf094eb3f69

SHA512
3331d1960d689e88388a90f71873cb02a0d6b0b84dbcff3e123932943ef8cb76b45f99ab22a1f2bb3792d93501b4a1845b1c3ebc6c414e1381354187f0d660e2

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
368KB

MD5
12f9668262bc85c3ca39707e7d457486

SHA1
44d3af6487f043980627273a0ccb77c52c95d8ed

SHA256
3f30f4a43d50265fa6acb21e6bd9d01dba85bfacaec2e34f166d4bf094eb3f69

SHA512
3331d1960d689e88388a90f71873cb02a0d6b0b84dbcff3e123932943ef8cb76b45f99ab22a1f2bb3792d93501b4a1845b1c3ebc6c414e1381354187f0d660e2

Download Submit
memory/532-58-0x0000000074CF1000-0x0000000074CF3000-memory.dmp

Filesize
8KB

Download
memory/532-56-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads