9536ae9edd6a241dbf8ddd0d431f1cc213a7ffa1a66692203af6d73d785fc9a4

Analysis

max time kernel
148s
max time network
62s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9536ae9edd6a241dbf8ddd0d431f1cc213a7ffa1a66692203af6d73d785fc9a4.exe
Size

648KB
MD5

b50b149c417fe4388b275f6a8b211d10
SHA1

c51e00745da2a128dfe54e1791fbae2cd7b0d16b
SHA256

9536ae9edd6a241dbf8ddd0d431f1cc213a7ffa1a66692203af6d73d785fc9a4
SHA512

1bb88798e8675eb3c188a1b7533aeb03c1a693a91c55f3dc74b2ac9c24e716b5151335bc5a3c39b99b2ae51ae350198f719040b66dd449eea3f01ced11603e81
SSDEEP

6144:gDCwfG1bnxMwslM0Yk55Qcpp5n+mXDCwfG1bnxMwslM0Yk55Qcpp5n+mTc:g72bnuwsO0YkTQyR72bnuwsO0YkTQyhc

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	9536ae9edd6a241dbf8ddd0d431f1cc213a7ffa1a66692203af6d73d785fc9a4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	9536ae9edd6a241dbf8ddd0d431f1cc213a7ffa1a66692203af6d73d785fc9a4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZERMMMDR = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZERMMMDR = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZERMMMDR = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
1504	avscan.exe
1784	avscan.exe
864	hosts.exe
852	hosts.exe
972	avscan.exe
1824	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
992	9536ae9edd6a241dbf8ddd0d431f1cc213a7ffa1a66692203af6d73d785fc9a4.exe
992	9536ae9edd6a241dbf8ddd0d431f1cc213a7ffa1a66692203af6d73d785fc9a4.exe
1504	avscan.exe
852	hosts.exe
852	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	9536ae9edd6a241dbf8ddd0d431f1cc213a7ffa1a66692203af6d73d785fc9a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	9536ae9edd6a241dbf8ddd0d431f1cc213a7ffa1a66692203af6d73d785fc9a4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\W_X_C.vbs	9536ae9edd6a241dbf8ddd0d431f1cc213a7ffa1a66692203af6d73d785fc9a4.exe
File created	\??\c:\windows\W_X_C.bat	9536ae9edd6a241dbf8ddd0d431f1cc213a7ffa1a66692203af6d73d785fc9a4.exe
File opened for modification	C:\Windows\hosts.exe	9536ae9edd6a241dbf8ddd0d431f1cc213a7ffa1a66692203af6d73d785fc9a4.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
1448	REG.exe
1620	REG.exe
484	REG.exe
1320	REG.exe
1204	REG.exe
1668	REG.exe
560	REG.exe
1584	REG.exe
544	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1504	avscan.exe
852	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
992	9536ae9edd6a241dbf8ddd0d431f1cc213a7ffa1a66692203af6d73d785fc9a4.exe
1504	avscan.exe
852	hosts.exe
864	hosts.exe
972	avscan.exe
1784	avscan.exe
1824	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 992 wrote to memory of 1668	992	9536ae9edd6a241dbf8ddd0d431f1cc213a7ffa1a66692203af6d73d785fc9a4.exe	28
PID 992 wrote to memory of 1668	992	9536ae9edd6a241dbf8ddd0d431f1cc213a7ffa1a66692203af6d73d785fc9a4.exe	28
PID 992 wrote to memory of 1668	992	9536ae9edd6a241dbf8ddd0d431f1cc213a7ffa1a66692203af6d73d785fc9a4.exe	28
PID 992 wrote to memory of 1668	992	9536ae9edd6a241dbf8ddd0d431f1cc213a7ffa1a66692203af6d73d785fc9a4.exe	28
PID 992 wrote to memory of 1504	992	9536ae9edd6a241dbf8ddd0d431f1cc213a7ffa1a66692203af6d73d785fc9a4.exe	30
PID 992 wrote to memory of 1504	992	9536ae9edd6a241dbf8ddd0d431f1cc213a7ffa1a66692203af6d73d785fc9a4.exe	30
PID 992 wrote to memory of 1504	992	9536ae9edd6a241dbf8ddd0d431f1cc213a7ffa1a66692203af6d73d785fc9a4.exe	30
PID 992 wrote to memory of 1504	992	9536ae9edd6a241dbf8ddd0d431f1cc213a7ffa1a66692203af6d73d785fc9a4.exe	30
PID 1504 wrote to memory of 1784	1504	avscan.exe	31
PID 1504 wrote to memory of 1784	1504	avscan.exe	31
PID 1504 wrote to memory of 1784	1504	avscan.exe	31
PID 1504 wrote to memory of 1784	1504	avscan.exe	31
PID 1504 wrote to memory of 980	1504	avscan.exe	35
PID 1504 wrote to memory of 980	1504	avscan.exe	35
PID 1504 wrote to memory of 980	1504	avscan.exe	35
PID 1504 wrote to memory of 980	1504	avscan.exe	35
PID 992 wrote to memory of 640	992	9536ae9edd6a241dbf8ddd0d431f1cc213a7ffa1a66692203af6d73d785fc9a4.exe	32
PID 992 wrote to memory of 640	992	9536ae9edd6a241dbf8ddd0d431f1cc213a7ffa1a66692203af6d73d785fc9a4.exe	32
PID 992 wrote to memory of 640	992	9536ae9edd6a241dbf8ddd0d431f1cc213a7ffa1a66692203af6d73d785fc9a4.exe	32
PID 992 wrote to memory of 640	992	9536ae9edd6a241dbf8ddd0d431f1cc213a7ffa1a66692203af6d73d785fc9a4.exe	32
PID 980 wrote to memory of 852	980	cmd.exe	37
PID 980 wrote to memory of 852	980	cmd.exe	37
PID 980 wrote to memory of 852	980	cmd.exe	37
PID 980 wrote to memory of 852	980	cmd.exe	37
PID 640 wrote to memory of 864	640	cmd.exe	36
PID 640 wrote to memory of 864	640	cmd.exe	36
PID 640 wrote to memory of 864	640	cmd.exe	36
PID 640 wrote to memory of 864	640	cmd.exe	36
PID 640 wrote to memory of 1560	640	cmd.exe	39
PID 640 wrote to memory of 1560	640	cmd.exe	39
PID 640 wrote to memory of 1560	640	cmd.exe	39
PID 640 wrote to memory of 1560	640	cmd.exe	39
PID 852 wrote to memory of 972	852	hosts.exe	38
PID 852 wrote to memory of 972	852	hosts.exe	38
PID 852 wrote to memory of 972	852	hosts.exe	38
PID 852 wrote to memory of 972	852	hosts.exe	38
PID 980 wrote to memory of 1352	980	cmd.exe	40
PID 980 wrote to memory of 1352	980	cmd.exe	40
PID 980 wrote to memory of 1352	980	cmd.exe	40
PID 980 wrote to memory of 1352	980	cmd.exe	40
PID 852 wrote to memory of 1076	852	hosts.exe	41
PID 852 wrote to memory of 1076	852	hosts.exe	41
PID 852 wrote to memory of 1076	852	hosts.exe	41
PID 852 wrote to memory of 1076	852	hosts.exe	41
PID 1076 wrote to memory of 1824	1076	cmd.exe	43
PID 1076 wrote to memory of 1824	1076	cmd.exe	43
PID 1076 wrote to memory of 1824	1076	cmd.exe	43
PID 1076 wrote to memory of 1824	1076	cmd.exe	43
PID 1076 wrote to memory of 1892	1076	cmd.exe	44
PID 1076 wrote to memory of 1892	1076	cmd.exe	44
PID 1076 wrote to memory of 1892	1076	cmd.exe	44
PID 1076 wrote to memory of 1892	1076	cmd.exe	44
PID 1504 wrote to memory of 560	1504	avscan.exe	45
PID 1504 wrote to memory of 560	1504	avscan.exe	45
PID 1504 wrote to memory of 560	1504	avscan.exe	45
PID 1504 wrote to memory of 560	1504	avscan.exe	45
PID 852 wrote to memory of 1584	852	hosts.exe	47
PID 852 wrote to memory of 1584	852	hosts.exe	47
PID 852 wrote to memory of 1584	852	hosts.exe	47
PID 852 wrote to memory of 1584	852	hosts.exe	47
PID 1504 wrote to memory of 1448	1504	avscan.exe	49
PID 1504 wrote to memory of 1448	1504	avscan.exe	49
PID 1504 wrote to memory of 1448	1504	avscan.exe	49
PID 1504 wrote to memory of 1448	1504	avscan.exe	49

C:\Users\Admin\AppData\Local\Temp\9536ae9edd6a241dbf8ddd0d431f1cc213a7ffa1a66692203af6d73d785fc9a4.exe
"C:\Users\Admin\AppData\Local\Temp\9536ae9edd6a241dbf8ddd0d431f1cc213a7ffa1a66692203af6d73d785fc9a4.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:992
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:1668
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1784
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:980
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:852
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:972
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\W_X_C.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1076
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1824
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:1892
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1584
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:544
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1620
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1204
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:1352
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:560
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1448
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:484
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:864
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:1560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.3MB

MD5
22110df26c31c0f40eede804be73f734

SHA1
ec254e5dcc3e9d3192810c8cd9844ff37334aa6c

SHA256
5ffff3e3c96610c46950d4868aeb1dd3160acfdbfad8e2047810370d14763cbf

SHA512
32b960b9a135fa79608cb0c1834a32e3f159b85a363a5c580f0d7801905df3465867f80daba026e06a6af83772fd35c30db5326d4386233ee4f71db14f8123a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.9MB

MD5
7623d26faffac5daeda13c2e280cc4b4

SHA1
91ed15aa8fafcf9dafd1e5f0f6b4d5c1c44acd88

SHA256
9b6fa34a3303a6d3fb49e21b9fbcb38c169bcb1da2a217d4c2b2ef2e59dd9652

SHA512
be5b1646b94ffd4b23b880be6b2ea1c656812ca25861f74db4d7cccfc667f19a4b1cca36ed1d8a32fccf2c501dfcb943d9680b65929892cc5a87590e262df5b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.6MB

MD5
783aa943ba6c4d15bc106edf48882719

SHA1
2871a192e0617c3b6eed09213d20f955792a9076

SHA256
56ea218a9b297b7e7d46e122862fee101b039d7752728f6d0213d299a48779da

SHA512
013741cce803d7a3435cbbefd466316ac7616522e1e76060445a02d49d09702a9d011d184560bdeb0dc4b8829d467a47073634be0ab082f22677028fc734067f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
3.2MB

MD5
7ab79da6c56a93b400d89d0b0e290261

SHA1
c1d7983ba2b92c425be19e22fd2793cc2ddda8c2

SHA256
96ab6702333b488adb352b627a12b787d1ecf60ffb2f18aa3bb5b3fbc4526919

SHA512
96358e99b60ccb24faebda2cba12c55798c5296b01c0854c90a86ad00d27f62d6c88e73c77ed29a72dbd2b491c12af03bce242497279da2b3e6b5333557ec18a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
3.8MB

MD5
2e1a1be9e20bbd5be81af36868ae71b5

SHA1
45a02112d0669468a010904d9e971d44a42ddc41

SHA256
d12b563b0e305b77c793ac3dfeef3a3f59bf478a4b147e50b738183dd84f58d0

SHA512
6dd1f5479353ca046e13bc1fc141d47514b5c845cb6261a709e2e4f19d524d9ba6ac4ab5f54ee15cd98f516b1ef18f595695ff5a37f7b48e5e8914811c2a2e1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
4.5MB

MD5
89d56e1ab55a93bdd3adb641a3af4dd1

SHA1
6d4c90abd07487d1f97fe28c270b985019e463c6

SHA256
01988e651784d8bbf64ab977ee91e57e0f72601d433ebb26eea4f8921fa6a1c9

SHA512
263a3f69d930514d35b821f23bfe9b450e14eb2de8b47073e42764922838894e9ddcec8ca15465310568c010ad156d08904a386731ab9cd4bf7ebb3011ec63a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
5.1MB

MD5
225a3a3ac205b812c5e79169d7cda06b

SHA1
73315f10f156242ad221d64542c649edb231ebcd

SHA256
94538ae9a03a42a92920d37e8ad1f6b9c92a1db2f3bc0689c8e74afb4bb28088

SHA512
9a85462e16bf2ff05a72830f0304d84c90eceffd4563e48114a868161473cd97a5887b581109f0c600f79410515899092aee5282f36075a14e3f4020d19c1847

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
648KB

MD5
983755603f550514bbc15ea944273022

SHA1
afad0fa6feabd5dbc53767df9045b5d1b543555c

SHA256
5f7623ad5f27266c4079bc714e669230007e1d979680a18c6d622ffa301f4b83

SHA512
f0bf1ca955daa6cbdbfa08ed8ade32b53f61ccb871e779d6ad73c0d33bef7d749419835bbaa8e2c1e0469c0dc51ea26193144219a6f2c0d72be512114e944b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
648KB

MD5
983755603f550514bbc15ea944273022

SHA1
afad0fa6feabd5dbc53767df9045b5d1b543555c

SHA256
5f7623ad5f27266c4079bc714e669230007e1d979680a18c6d622ffa301f4b83

SHA512
f0bf1ca955daa6cbdbfa08ed8ade32b53f61ccb871e779d6ad73c0d33bef7d749419835bbaa8e2c1e0469c0dc51ea26193144219a6f2c0d72be512114e944b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
648KB

MD5
983755603f550514bbc15ea944273022

SHA1
afad0fa6feabd5dbc53767df9045b5d1b543555c

SHA256
5f7623ad5f27266c4079bc714e669230007e1d979680a18c6d622ffa301f4b83

SHA512
f0bf1ca955daa6cbdbfa08ed8ade32b53f61ccb871e779d6ad73c0d33bef7d749419835bbaa8e2c1e0469c0dc51ea26193144219a6f2c0d72be512114e944b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
648KB

MD5
983755603f550514bbc15ea944273022

SHA1
afad0fa6feabd5dbc53767df9045b5d1b543555c

SHA256
5f7623ad5f27266c4079bc714e669230007e1d979680a18c6d622ffa301f4b83

SHA512
f0bf1ca955daa6cbdbfa08ed8ade32b53f61ccb871e779d6ad73c0d33bef7d749419835bbaa8e2c1e0469c0dc51ea26193144219a6f2c0d72be512114e944b29

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
b147c267b47c4a6cfa3a72c41407541b

SHA1
062231bf7639b26f92e6d5ef78d515f8eaa9639d

SHA256
c9b7b5b912ab24c729de962727ac33835dd58f17754f9368ac702b9987f3baf6

SHA512
4f646fee7eaa29f33604b3f349b3d90a65bec39fdbe80bac6dcd2cd67b17475e51f833a66a5207d3008fede867792605bab132d6672e206bfefaa83aa344ac64

Download Submit
C:\Windows\hosts.exe

Filesize
648KB

MD5
f919f9ee1d2f1ae7357981991ded762e

SHA1
9a38fbf03ef9e69d9bf5d423e6162970e8e12481

SHA256
4b7aae6fb84a85c276357fff47cd16ed23749b8b348e8db28ec9113a875300fb

SHA512
7568db856735c106d53a5184fb88228b22f23a715b8c16396526bc44e8d06e91f5e01940ae460ef51ca5b869b0ba978337e45595f16c9cfb2a57bf355d9b00be

Download Submit
C:\Windows\hosts.exe

Filesize
648KB

MD5
f919f9ee1d2f1ae7357981991ded762e

SHA1
9a38fbf03ef9e69d9bf5d423e6162970e8e12481

SHA256
4b7aae6fb84a85c276357fff47cd16ed23749b8b348e8db28ec9113a875300fb

SHA512
7568db856735c106d53a5184fb88228b22f23a715b8c16396526bc44e8d06e91f5e01940ae460ef51ca5b869b0ba978337e45595f16c9cfb2a57bf355d9b00be

Download Submit
C:\Windows\hosts.exe

Filesize
648KB

MD5
f919f9ee1d2f1ae7357981991ded762e

SHA1
9a38fbf03ef9e69d9bf5d423e6162970e8e12481

SHA256
4b7aae6fb84a85c276357fff47cd16ed23749b8b348e8db28ec9113a875300fb

SHA512
7568db856735c106d53a5184fb88228b22f23a715b8c16396526bc44e8d06e91f5e01940ae460ef51ca5b869b0ba978337e45595f16c9cfb2a57bf355d9b00be

Download Submit
C:\Windows\hosts.exe

Filesize
648KB

MD5
f919f9ee1d2f1ae7357981991ded762e

SHA1
9a38fbf03ef9e69d9bf5d423e6162970e8e12481

SHA256
4b7aae6fb84a85c276357fff47cd16ed23749b8b348e8db28ec9113a875300fb

SHA512
7568db856735c106d53a5184fb88228b22f23a715b8c16396526bc44e8d06e91f5e01940ae460ef51ca5b869b0ba978337e45595f16c9cfb2a57bf355d9b00be

Download Submit
C:\windows\hosts.exe

Filesize
648KB

MD5
f919f9ee1d2f1ae7357981991ded762e

SHA1
9a38fbf03ef9e69d9bf5d423e6162970e8e12481

SHA256
4b7aae6fb84a85c276357fff47cd16ed23749b8b348e8db28ec9113a875300fb

SHA512
7568db856735c106d53a5184fb88228b22f23a715b8c16396526bc44e8d06e91f5e01940ae460ef51ca5b869b0ba978337e45595f16c9cfb2a57bf355d9b00be

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
648KB

MD5
983755603f550514bbc15ea944273022

SHA1
afad0fa6feabd5dbc53767df9045b5d1b543555c

SHA256
5f7623ad5f27266c4079bc714e669230007e1d979680a18c6d622ffa301f4b83

SHA512
f0bf1ca955daa6cbdbfa08ed8ade32b53f61ccb871e779d6ad73c0d33bef7d749419835bbaa8e2c1e0469c0dc51ea26193144219a6f2c0d72be512114e944b29

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
648KB

MD5
983755603f550514bbc15ea944273022

SHA1
afad0fa6feabd5dbc53767df9045b5d1b543555c

SHA256
5f7623ad5f27266c4079bc714e669230007e1d979680a18c6d622ffa301f4b83

SHA512
f0bf1ca955daa6cbdbfa08ed8ade32b53f61ccb871e779d6ad73c0d33bef7d749419835bbaa8e2c1e0469c0dc51ea26193144219a6f2c0d72be512114e944b29

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
648KB

MD5
983755603f550514bbc15ea944273022

SHA1
afad0fa6feabd5dbc53767df9045b5d1b543555c

SHA256
5f7623ad5f27266c4079bc714e669230007e1d979680a18c6d622ffa301f4b83

SHA512
f0bf1ca955daa6cbdbfa08ed8ade32b53f61ccb871e779d6ad73c0d33bef7d749419835bbaa8e2c1e0469c0dc51ea26193144219a6f2c0d72be512114e944b29

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
648KB

MD5
983755603f550514bbc15ea944273022

SHA1
afad0fa6feabd5dbc53767df9045b5d1b543555c

SHA256
5f7623ad5f27266c4079bc714e669230007e1d979680a18c6d622ffa301f4b83

SHA512
f0bf1ca955daa6cbdbfa08ed8ade32b53f61ccb871e779d6ad73c0d33bef7d749419835bbaa8e2c1e0469c0dc51ea26193144219a6f2c0d72be512114e944b29

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
648KB

MD5
983755603f550514bbc15ea944273022

SHA1
afad0fa6feabd5dbc53767df9045b5d1b543555c

SHA256
5f7623ad5f27266c4079bc714e669230007e1d979680a18c6d622ffa301f4b83

SHA512
f0bf1ca955daa6cbdbfa08ed8ade32b53f61ccb871e779d6ad73c0d33bef7d749419835bbaa8e2c1e0469c0dc51ea26193144219a6f2c0d72be512114e944b29

Download Submit
memory/992-58-0x00000000743C1000-0x00000000743C3000-memory.dmp

Filesize
8KB

Download
memory/992-56-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads