3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c

Analysis

max time kernel
126s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-09-2022 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe
Size

171KB
MD5

d9885615e02ccb31e35b40e31f06855d
SHA1

46a1105c79198b55decda69bf8b5a4d42e9f574f
SHA256

3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c
SHA512

9adb122bec02969f98dc64d76ce18161440e24506a68242a52fb4e3796bc4def1139eb4c8c66d1f8e5ed520ae72bce3f86c35b659008ccf50e392408958b620b
SSDEEP

3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCmT4k3hsanEtOX:gDCwfG1bnxM6saEtOX

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZERMMMDR = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZERMMMDR = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZERMMMDR = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
1656	avscan.exe
1720	avscan.exe
1396	hosts.exe
276	hosts.exe
1344	avscan.exe
1064	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
1760	3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe
1760	3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe
1656	avscan.exe
1396	hosts.exe
1396	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\W_X_C.vbs	3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe
File created	\??\c:\windows\W_X_C.bat	3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe
File opened for modification	C:\Windows\hosts.exe	3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
1492	REG.exe
276	REG.exe
1824	REG.exe
1204	REG.exe
1312	REG.exe
1504	REG.exe
680	REG.exe
1964	REG.exe
1988	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1656	avscan.exe
1396	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1760	3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe
1656	avscan.exe
1720	avscan.exe
1396	hosts.exe
276	hosts.exe
1344	avscan.exe
1064	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 1824	1760	3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe	28
PID 1760 wrote to memory of 1824	1760	3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe	28
PID 1760 wrote to memory of 1824	1760	3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe	28
PID 1760 wrote to memory of 1824	1760	3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe	28
PID 1760 wrote to memory of 1656	1760	3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe	30
PID 1760 wrote to memory of 1656	1760	3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe	30
PID 1760 wrote to memory of 1656	1760	3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe	30
PID 1760 wrote to memory of 1656	1760	3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe	30
PID 1656 wrote to memory of 1720	1656	avscan.exe	31
PID 1656 wrote to memory of 1720	1656	avscan.exe	31
PID 1656 wrote to memory of 1720	1656	avscan.exe	31
PID 1656 wrote to memory of 1720	1656	avscan.exe	31
PID 1656 wrote to memory of 1772	1656	avscan.exe	32
PID 1656 wrote to memory of 1772	1656	avscan.exe	32
PID 1656 wrote to memory of 1772	1656	avscan.exe	32
PID 1656 wrote to memory of 1772	1656	avscan.exe	32
PID 1760 wrote to memory of 268	1760	3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe	34
PID 1760 wrote to memory of 268	1760	3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe	34
PID 1760 wrote to memory of 268	1760	3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe	34
PID 1760 wrote to memory of 268	1760	3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe	34
PID 268 wrote to memory of 276	268	cmd.exe	36
PID 268 wrote to memory of 276	268	cmd.exe	36
PID 268 wrote to memory of 276	268	cmd.exe	36
PID 268 wrote to memory of 276	268	cmd.exe	36
PID 1772 wrote to memory of 1396	1772	cmd.exe	37
PID 1772 wrote to memory of 1396	1772	cmd.exe	37
PID 1772 wrote to memory of 1396	1772	cmd.exe	37
PID 1772 wrote to memory of 1396	1772	cmd.exe	37
PID 1396 wrote to memory of 1344	1396	hosts.exe	38
PID 1396 wrote to memory of 1344	1396	hosts.exe	38
PID 1396 wrote to memory of 1344	1396	hosts.exe	38
PID 1396 wrote to memory of 1344	1396	hosts.exe	38
PID 268 wrote to memory of 908	268	cmd.exe	39
PID 268 wrote to memory of 908	268	cmd.exe	39
PID 268 wrote to memory of 908	268	cmd.exe	39
PID 268 wrote to memory of 908	268	cmd.exe	39
PID 1772 wrote to memory of 1128	1772	cmd.exe	40
PID 1772 wrote to memory of 1128	1772	cmd.exe	40
PID 1772 wrote to memory of 1128	1772	cmd.exe	40
PID 1772 wrote to memory of 1128	1772	cmd.exe	40
PID 1396 wrote to memory of 540	1396	hosts.exe	41
PID 1396 wrote to memory of 540	1396	hosts.exe	41
PID 1396 wrote to memory of 540	1396	hosts.exe	41
PID 1396 wrote to memory of 540	1396	hosts.exe	41
PID 540 wrote to memory of 1064	540	cmd.exe	43
PID 540 wrote to memory of 1064	540	cmd.exe	43
PID 540 wrote to memory of 1064	540	cmd.exe	43
PID 540 wrote to memory of 1064	540	cmd.exe	43
PID 540 wrote to memory of 1952	540	cmd.exe	44
PID 540 wrote to memory of 1952	540	cmd.exe	44
PID 540 wrote to memory of 1952	540	cmd.exe	44
PID 540 wrote to memory of 1952	540	cmd.exe	44
PID 1396 wrote to memory of 1964	1396	hosts.exe	45
PID 1396 wrote to memory of 1964	1396	hosts.exe	45
PID 1396 wrote to memory of 1964	1396	hosts.exe	45
PID 1396 wrote to memory of 1964	1396	hosts.exe	45
PID 1656 wrote to memory of 1988	1656	avscan.exe	46
PID 1656 wrote to memory of 1988	1656	avscan.exe	46
PID 1656 wrote to memory of 1988	1656	avscan.exe	46
PID 1656 wrote to memory of 1988	1656	avscan.exe	46
PID 1396 wrote to memory of 1312	1396	hosts.exe	49
PID 1396 wrote to memory of 1312	1396	hosts.exe	49
PID 1396 wrote to memory of 1312	1396	hosts.exe	49
PID 1396 wrote to memory of 1312	1396	hosts.exe	49

C:\Users\Admin\AppData\Local\Temp\3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe
"C:\Users\Admin\AppData\Local\Temp\3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:1824
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1720
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1772
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1396
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1344
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\W_X_C.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:540
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1064
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:1952
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1964
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1312
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1492
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:276
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:1128
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1988
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1204
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1504
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:276
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
390KB

MD5
5f4a0e39c13f29a6ab81f0e4fdd48e5d

SHA1
738867a81997fcdb1063fbcf6de3d65e0fccc916

SHA256
4435bdf3b79bf3046b6dcc3dfa002651801b6a6398df48f0365641c1b4a161ed

SHA512
49330b1593a893cc13e9a057d671a125481880f2b973a1a80841d06b89b4a09fa5cfaa7e97b2da21a4cad21b1fd9f58a7eef86c2b108ed6d124a5f55818736a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
733KB

MD5
9faaa08cec1b86f15e8384e9e7a065fa

SHA1
b2c290346d8957882e905da70536d776d843676d

SHA256
83aad9b5ed4566f50bf1d727703798a851fae4d96417125697c0f1374e587f1b

SHA512
0569b9ac58341717fb01ff5967751092b74d9ccf637cdf84b755d0d2f0bb9b9daef2824ec2ea646825bc6f8ef91fe7ea2e6e77feed18cf914c2ea99f7e2baafc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.1MB

MD5
b67da540bbca3d41e82db10c808e2cbe

SHA1
f128d0443d5066456612cc122b4f2ce3bf8a7f05

SHA256
682d19cc65507217e1fbe59a6868ad89336925c2eb20efb9f91b08e27bda85f6

SHA512
fceecfbc7ec54b876426d48902bbe64140eba0b5e5cdf50c0f2f62b6ef22b647a08cfdd57440f69bdd295199f183cae100f50e595607bbf6e08ec842895485a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.2MB

MD5
aad30a09ac7d92f330d58ae3ae1212a6

SHA1
9a31ab610ebb599843b4017278a493b472fb7493

SHA256
56b59a313098446eb7a458ea272919824e4c3b4377e0555f528d0cc446374617

SHA512
14733afa8847e30ecbeba3ac3422b562e91e5d19dec24c0e5f907f7abe0424036ff2355f7a098d550c8959dbb1df3c14c8212b4ce2bd3ff4f4f6030fae659f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.2MB

MD5
70a196b5508c1dcf319e4d4d0a2b31a0

SHA1
949c8ca4b9bd1d604bb7cb59722e30d8be1d97ca

SHA256
f67a86f5b95a8d30f72546f08ed8569e20ca8b87066be7c7f5a73c46f7077687

SHA512
c7746c288095dff82e977440f0681f1e3cfc75a5ad0e0c7c50ca9fda31450f008a30c331e2bc1e3a1485ca7070081e6adfc6140f89efce768d57ce433aefa027

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
171KB

MD5
73ac9d8df7a75a87a1453457c6862a75

SHA1
e5866aa0fa81215b57391f93f8c4b26fb75b05ba

SHA256
c0c0d8d8e1239a9d97a88d7a5fdaa90ab91dcaecf7a146bc1e4dee7534dc6254

SHA512
196d4754269734346fb58503151596ae6c762277e79d11e30156393883697d20feb9debfa3a3363fd2ea225664158c9274494d49359379813e81e62313511471

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
171KB

MD5
73ac9d8df7a75a87a1453457c6862a75

SHA1
e5866aa0fa81215b57391f93f8c4b26fb75b05ba

SHA256
c0c0d8d8e1239a9d97a88d7a5fdaa90ab91dcaecf7a146bc1e4dee7534dc6254

SHA512
196d4754269734346fb58503151596ae6c762277e79d11e30156393883697d20feb9debfa3a3363fd2ea225664158c9274494d49359379813e81e62313511471

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
171KB

MD5
73ac9d8df7a75a87a1453457c6862a75

SHA1
e5866aa0fa81215b57391f93f8c4b26fb75b05ba

SHA256
c0c0d8d8e1239a9d97a88d7a5fdaa90ab91dcaecf7a146bc1e4dee7534dc6254

SHA512
196d4754269734346fb58503151596ae6c762277e79d11e30156393883697d20feb9debfa3a3363fd2ea225664158c9274494d49359379813e81e62313511471

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
171KB

MD5
73ac9d8df7a75a87a1453457c6862a75

SHA1
e5866aa0fa81215b57391f93f8c4b26fb75b05ba

SHA256
c0c0d8d8e1239a9d97a88d7a5fdaa90ab91dcaecf7a146bc1e4dee7534dc6254

SHA512
196d4754269734346fb58503151596ae6c762277e79d11e30156393883697d20feb9debfa3a3363fd2ea225664158c9274494d49359379813e81e62313511471

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
b147c267b47c4a6cfa3a72c41407541b

SHA1
062231bf7639b26f92e6d5ef78d515f8eaa9639d

SHA256
c9b7b5b912ab24c729de962727ac33835dd58f17754f9368ac702b9987f3baf6

SHA512
4f646fee7eaa29f33604b3f349b3d90a65bec39fdbe80bac6dcd2cd67b17475e51f833a66a5207d3008fede867792605bab132d6672e206bfefaa83aa344ac64

Download Submit
C:\Windows\hosts.exe

Filesize
171KB

MD5
fa0839dadcb72e104e6b2b020ddd2904

SHA1
72b5c9bb3d13bba92ef7d95fc99426a3cf2471f0

SHA256
18627b32ca31ecac47f306f26cf35ffe64ee29841c331cd22985054b1ab0229c

SHA512
467bd4e4063b67a6f50798a6ecf8b0e661d365d125eba6d136f9b959140699b05b1d928bca0f376c0d6eae13cd41d21d9db9d829d5095910d2f4ca7edff4032f

Download Submit
C:\Windows\hosts.exe

Filesize
171KB

MD5
fa0839dadcb72e104e6b2b020ddd2904

SHA1
72b5c9bb3d13bba92ef7d95fc99426a3cf2471f0

SHA256
18627b32ca31ecac47f306f26cf35ffe64ee29841c331cd22985054b1ab0229c

SHA512
467bd4e4063b67a6f50798a6ecf8b0e661d365d125eba6d136f9b959140699b05b1d928bca0f376c0d6eae13cd41d21d9db9d829d5095910d2f4ca7edff4032f

Download Submit
C:\Windows\hosts.exe

Filesize
171KB

MD5
fa0839dadcb72e104e6b2b020ddd2904

SHA1
72b5c9bb3d13bba92ef7d95fc99426a3cf2471f0

SHA256
18627b32ca31ecac47f306f26cf35ffe64ee29841c331cd22985054b1ab0229c

SHA512
467bd4e4063b67a6f50798a6ecf8b0e661d365d125eba6d136f9b959140699b05b1d928bca0f376c0d6eae13cd41d21d9db9d829d5095910d2f4ca7edff4032f

Download Submit
C:\Windows\hosts.exe

Filesize
171KB

MD5
fa0839dadcb72e104e6b2b020ddd2904

SHA1
72b5c9bb3d13bba92ef7d95fc99426a3cf2471f0

SHA256
18627b32ca31ecac47f306f26cf35ffe64ee29841c331cd22985054b1ab0229c

SHA512
467bd4e4063b67a6f50798a6ecf8b0e661d365d125eba6d136f9b959140699b05b1d928bca0f376c0d6eae13cd41d21d9db9d829d5095910d2f4ca7edff4032f

Download Submit
C:\windows\hosts.exe

Filesize
171KB

MD5
fa0839dadcb72e104e6b2b020ddd2904

SHA1
72b5c9bb3d13bba92ef7d95fc99426a3cf2471f0

SHA256
18627b32ca31ecac47f306f26cf35ffe64ee29841c331cd22985054b1ab0229c

SHA512
467bd4e4063b67a6f50798a6ecf8b0e661d365d125eba6d136f9b959140699b05b1d928bca0f376c0d6eae13cd41d21d9db9d829d5095910d2f4ca7edff4032f

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
171KB

MD5
73ac9d8df7a75a87a1453457c6862a75

SHA1
e5866aa0fa81215b57391f93f8c4b26fb75b05ba

SHA256
c0c0d8d8e1239a9d97a88d7a5fdaa90ab91dcaecf7a146bc1e4dee7534dc6254

SHA512
196d4754269734346fb58503151596ae6c762277e79d11e30156393883697d20feb9debfa3a3363fd2ea225664158c9274494d49359379813e81e62313511471

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
171KB

MD5
73ac9d8df7a75a87a1453457c6862a75

SHA1
e5866aa0fa81215b57391f93f8c4b26fb75b05ba

SHA256
c0c0d8d8e1239a9d97a88d7a5fdaa90ab91dcaecf7a146bc1e4dee7534dc6254

SHA512
196d4754269734346fb58503151596ae6c762277e79d11e30156393883697d20feb9debfa3a3363fd2ea225664158c9274494d49359379813e81e62313511471

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
171KB

MD5
73ac9d8df7a75a87a1453457c6862a75

SHA1
e5866aa0fa81215b57391f93f8c4b26fb75b05ba

SHA256
c0c0d8d8e1239a9d97a88d7a5fdaa90ab91dcaecf7a146bc1e4dee7534dc6254

SHA512
196d4754269734346fb58503151596ae6c762277e79d11e30156393883697d20feb9debfa3a3363fd2ea225664158c9274494d49359379813e81e62313511471

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
171KB

MD5
73ac9d8df7a75a87a1453457c6862a75

SHA1
e5866aa0fa81215b57391f93f8c4b26fb75b05ba

SHA256
c0c0d8d8e1239a9d97a88d7a5fdaa90ab91dcaecf7a146bc1e4dee7534dc6254

SHA512
196d4754269734346fb58503151596ae6c762277e79d11e30156393883697d20feb9debfa3a3363fd2ea225664158c9274494d49359379813e81e62313511471

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
171KB

MD5
73ac9d8df7a75a87a1453457c6862a75

SHA1
e5866aa0fa81215b57391f93f8c4b26fb75b05ba

SHA256
c0c0d8d8e1239a9d97a88d7a5fdaa90ab91dcaecf7a146bc1e4dee7534dc6254

SHA512
196d4754269734346fb58503151596ae6c762277e79d11e30156393883697d20feb9debfa3a3363fd2ea225664158c9274494d49359379813e81e62313511471

Download Submit
memory/268-74-0x0000000000000000-mapping.dmp

Download
memory/276-76-0x0000000000000000-mapping.dmp

Download
memory/276-118-0x0000000000000000-mapping.dmp

Download
memory/540-95-0x0000000000000000-mapping.dmp

Download
memory/680-119-0x0000000000000000-mapping.dmp

Download
memory/908-93-0x0000000000000000-mapping.dmp

Download
memory/1064-96-0x0000000000000000-mapping.dmp

Download
memory/1128-94-0x0000000000000000-mapping.dmp

Download
memory/1204-111-0x0000000000000000-mapping.dmp

Download
memory/1312-110-0x0000000000000000-mapping.dmp

Download
memory/1344-85-0x0000000000000000-mapping.dmp

Download
memory/1396-77-0x0000000000000000-mapping.dmp

Download
memory/1492-113-0x0000000000000000-mapping.dmp

Download
memory/1504-114-0x0000000000000000-mapping.dmp

Download
memory/1656-61-0x0000000000000000-mapping.dmp

Download
memory/1720-68-0x0000000000000000-mapping.dmp

Download
memory/1760-56-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download
memory/1760-58-0x0000000074131000-0x0000000074133000-memory.dmp

Filesize
8KB

Download
memory/1772-73-0x0000000000000000-mapping.dmp

Download
memory/1824-57-0x0000000000000000-mapping.dmp

Download
memory/1952-101-0x0000000000000000-mapping.dmp

Download
memory/1964-107-0x0000000000000000-mapping.dmp

Download
memory/1988-108-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads