2e1a1273d0a911657f73809a39552b032497a2a92692bdc1c504d4f12e1cc29d

Analysis

max time kernel
130s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e1a1273d0a911657f73809a39552b032497a2a92692bdc1c504d4f12e1cc29d.exe
Size

175KB
MD5

6e2b49a5fdbe6d66a00aaa4b57496984
SHA1

54ac10e67956dd55618e1c54ab617a35c470d406
SHA256

2e1a1273d0a911657f73809a39552b032497a2a92692bdc1c504d4f12e1cc29d
SHA512

a8a5dcc4e3af67bf46930dfa58b31d0ce2a4a0406bcba4a0b4a155be11794cddbaac612189b5488eca0d3f5b0ef7fecb2c337c250d6795fefeb3634a8bf81bc9
SSDEEP

3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCmzy8JY48oXPO:gDCwfG1bnxG858wW

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2e1a1273d0a911657f73809a39552b032497a2a92692bdc1c504d4f12e1cc29d.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	2e1a1273d0a911657f73809a39552b032497a2a92692bdc1c504d4f12e1cc29d.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ORXGKKZC = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ORXGKKZC = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
1652	avscan.exe
864	avscan.exe
1320	hosts.exe
1252	hosts.exe
1508	avscan.exe
892	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
1672	2e1a1273d0a911657f73809a39552b032497a2a92692bdc1c504d4f12e1cc29d.exe
1672	2e1a1273d0a911657f73809a39552b032497a2a92692bdc1c504d4f12e1cc29d.exe
1652	avscan.exe
1320	hosts.exe
1320	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	2e1a1273d0a911657f73809a39552b032497a2a92692bdc1c504d4f12e1cc29d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	2e1a1273d0a911657f73809a39552b032497a2a92692bdc1c504d4f12e1cc29d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	2e1a1273d0a911657f73809a39552b032497a2a92692bdc1c504d4f12e1cc29d.exe
File created	\??\c:\windows\W_X_C.bat	2e1a1273d0a911657f73809a39552b032497a2a92692bdc1c504d4f12e1cc29d.exe
File opened for modification	C:\Windows\hosts.exe	2e1a1273d0a911657f73809a39552b032497a2a92692bdc1c504d4f12e1cc29d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
1016	REG.exe
1580	REG.exe
1764	REG.exe
1640	REG.exe
1716	REG.exe
696	REG.exe
856	REG.exe
1188	REG.exe
1500	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1652	avscan.exe
1320	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1672	2e1a1273d0a911657f73809a39552b032497a2a92692bdc1c504d4f12e1cc29d.exe
1652	avscan.exe
864	avscan.exe
1320	hosts.exe
1252	hosts.exe
1508	avscan.exe
892	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 696	1672	2e1a1273d0a911657f73809a39552b032497a2a92692bdc1c504d4f12e1cc29d.exe	27
PID 1672 wrote to memory of 696	1672	2e1a1273d0a911657f73809a39552b032497a2a92692bdc1c504d4f12e1cc29d.exe	27
PID 1672 wrote to memory of 696	1672	2e1a1273d0a911657f73809a39552b032497a2a92692bdc1c504d4f12e1cc29d.exe	27
PID 1672 wrote to memory of 696	1672	2e1a1273d0a911657f73809a39552b032497a2a92692bdc1c504d4f12e1cc29d.exe	27
PID 1672 wrote to memory of 1652	1672	2e1a1273d0a911657f73809a39552b032497a2a92692bdc1c504d4f12e1cc29d.exe	29
PID 1672 wrote to memory of 1652	1672	2e1a1273d0a911657f73809a39552b032497a2a92692bdc1c504d4f12e1cc29d.exe	29
PID 1672 wrote to memory of 1652	1672	2e1a1273d0a911657f73809a39552b032497a2a92692bdc1c504d4f12e1cc29d.exe	29
PID 1672 wrote to memory of 1652	1672	2e1a1273d0a911657f73809a39552b032497a2a92692bdc1c504d4f12e1cc29d.exe	29
PID 1652 wrote to memory of 864	1652	avscan.exe	30
PID 1652 wrote to memory of 864	1652	avscan.exe	30
PID 1652 wrote to memory of 864	1652	avscan.exe	30
PID 1652 wrote to memory of 864	1652	avscan.exe	30
PID 1652 wrote to memory of 888	1652	avscan.exe	31
PID 1652 wrote to memory of 888	1652	avscan.exe	31
PID 1652 wrote to memory of 888	1652	avscan.exe	31
PID 1652 wrote to memory of 888	1652	avscan.exe	31
PID 1672 wrote to memory of 320	1672	2e1a1273d0a911657f73809a39552b032497a2a92692bdc1c504d4f12e1cc29d.exe	33
PID 1672 wrote to memory of 320	1672	2e1a1273d0a911657f73809a39552b032497a2a92692bdc1c504d4f12e1cc29d.exe	33
PID 1672 wrote to memory of 320	1672	2e1a1273d0a911657f73809a39552b032497a2a92692bdc1c504d4f12e1cc29d.exe	33
PID 1672 wrote to memory of 320	1672	2e1a1273d0a911657f73809a39552b032497a2a92692bdc1c504d4f12e1cc29d.exe	33
PID 320 wrote to memory of 1252	320	cmd.exe	35
PID 320 wrote to memory of 1252	320	cmd.exe	35
PID 320 wrote to memory of 1252	320	cmd.exe	35
PID 320 wrote to memory of 1252	320	cmd.exe	35
PID 888 wrote to memory of 1320	888	cmd.exe	36
PID 888 wrote to memory of 1320	888	cmd.exe	36
PID 888 wrote to memory of 1320	888	cmd.exe	36
PID 888 wrote to memory of 1320	888	cmd.exe	36
PID 1320 wrote to memory of 1508	1320	hosts.exe	37
PID 1320 wrote to memory of 1508	1320	hosts.exe	37
PID 1320 wrote to memory of 1508	1320	hosts.exe	37
PID 1320 wrote to memory of 1508	1320	hosts.exe	37
PID 1320 wrote to memory of 1544	1320	hosts.exe	38
PID 1320 wrote to memory of 1544	1320	hosts.exe	38
PID 1320 wrote to memory of 1544	1320	hosts.exe	38
PID 1320 wrote to memory of 1544	1320	hosts.exe	38
PID 1544 wrote to memory of 892	1544	cmd.exe	40
PID 1544 wrote to memory of 892	1544	cmd.exe	40
PID 1544 wrote to memory of 892	1544	cmd.exe	40
PID 1544 wrote to memory of 892	1544	cmd.exe	40
PID 1544 wrote to memory of 1924	1544	cmd.exe	41
PID 1544 wrote to memory of 1924	1544	cmd.exe	41
PID 1544 wrote to memory of 1924	1544	cmd.exe	41
PID 1544 wrote to memory of 1924	1544	cmd.exe	41
PID 320 wrote to memory of 1728	320	cmd.exe	42
PID 320 wrote to memory of 1728	320	cmd.exe	42
PID 320 wrote to memory of 1728	320	cmd.exe	42
PID 320 wrote to memory of 1728	320	cmd.exe	42
PID 888 wrote to memory of 1504	888	cmd.exe	43
PID 888 wrote to memory of 1504	888	cmd.exe	43
PID 888 wrote to memory of 1504	888	cmd.exe	43
PID 888 wrote to memory of 1504	888	cmd.exe	43
PID 1652 wrote to memory of 856	1652	avscan.exe	44
PID 1652 wrote to memory of 856	1652	avscan.exe	44
PID 1652 wrote to memory of 856	1652	avscan.exe	44
PID 1652 wrote to memory of 856	1652	avscan.exe	44
PID 1320 wrote to memory of 1016	1320	hosts.exe	46
PID 1320 wrote to memory of 1016	1320	hosts.exe	46
PID 1320 wrote to memory of 1016	1320	hosts.exe	46
PID 1320 wrote to memory of 1016	1320	hosts.exe	46
PID 1320 wrote to memory of 1764	1320	hosts.exe	49
PID 1320 wrote to memory of 1764	1320	hosts.exe	49
PID 1320 wrote to memory of 1764	1320	hosts.exe	49
PID 1320 wrote to memory of 1764	1320	hosts.exe	49

C:\Users\Admin\AppData\Local\Temp\2e1a1273d0a911657f73809a39552b032497a2a92692bdc1c504d4f12e1cc29d.exe
"C:\Users\Admin\AppData\Local\Temp\2e1a1273d0a911657f73809a39552b032497a2a92692bdc1c504d4f12e1cc29d.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:696
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:864
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:888
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1320
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1508
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\W_X_C.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1544
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:892
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:1924
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1016
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1764
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1640
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1716
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:1504
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:856
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1580
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1188
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1500
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1252
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    PID:1728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
399KB

MD5
80e1a6192ae861ebb07596ef4b3386a2

SHA1
6ca7c2ee02f2c452aab733316635f089e35dedc1

SHA256
b4ee15b1e6097e9932017842efb1572a366eb718c2b22ac9357ad56de290bbb9

SHA512
e87b45832f794f1ad0ab00a18096bb108e3e2a2f7afd6c357af6cbb34a27c969f32ec3c8dfbb5513f076d668a82e1597660c323063eb62a58d5c26e74dfdb5cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
751KB

MD5
810671c3dab833637f0db4477c56a771

SHA1
f9613dcdc17121a5c781ef18e3b6a3d8df12411c

SHA256
e64519fd727adfb1d68b902ee8a8964690fcb5121187779965fc5de4c88f49f7

SHA512
2be285892388d7f442950dd9fca11562ff673028b1a5637aaafe14206f597b57b325b3019aaeb0aedc0c3251e7af3f2759df1e91a53a234cf65f09652c86f721

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.1MB

MD5
cb8c147dc12b3e4f705eeef6efa9ebd8

SHA1
21e521e12df933b3e3be8493d81fe0b6fbd404db

SHA256
5387459597ec6ba71a9d938ee82140144e29ecda0f1ef5f9ec1f1932f31732b8

SHA512
0448e9c386bfeac4a51400260c221bdf8869255a949b665141ea0f8136cf5392a001ace97cfb92dc701dd017c73c43895db3734edec6cf306ef125633549c782

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.1MB

MD5
cb8c147dc12b3e4f705eeef6efa9ebd8

SHA1
21e521e12df933b3e3be8493d81fe0b6fbd404db

SHA256
5387459597ec6ba71a9d938ee82140144e29ecda0f1ef5f9ec1f1932f31732b8

SHA512
0448e9c386bfeac4a51400260c221bdf8869255a949b665141ea0f8136cf5392a001ace97cfb92dc701dd017c73c43895db3734edec6cf306ef125633549c782

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.4MB

MD5
2cad112827a9e33a9b4ac102442b9f28

SHA1
d1faec37c372ac538bb812a3ecd4725ebc55d007

SHA256
36fd536e2ef075024306bdd726140805c983de3395c8a727b27a154c3005014d

SHA512
2e45cc9cadc25d29cf6f2560edc043becec06498ecf6d3f50bde104622a74f21054fd62b60cda4338521492b4f2e8208902cc99ce2a293002c5731a0b9a37915

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
175KB

MD5
165b8c0ba3b89081ccbb903507d379d7

SHA1
50cba82c2ba74d905a68888f5fb70910088a56e2

SHA256
3dc4249d580e83427858dbefe6bbeac93820fd4865ea92d11e1c81d730eb8957

SHA512
f38bfdc49908cab2fcbd92d2b78776ed7a3fb1b218e4f3671429b381e89d32efffadbb09db48e101b5ff6250b239e9d6819acf87a734a86114c255325abed06a

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
175KB

MD5
165b8c0ba3b89081ccbb903507d379d7

SHA1
50cba82c2ba74d905a68888f5fb70910088a56e2

SHA256
3dc4249d580e83427858dbefe6bbeac93820fd4865ea92d11e1c81d730eb8957

SHA512
f38bfdc49908cab2fcbd92d2b78776ed7a3fb1b218e4f3671429b381e89d32efffadbb09db48e101b5ff6250b239e9d6819acf87a734a86114c255325abed06a

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
175KB

MD5
165b8c0ba3b89081ccbb903507d379d7

SHA1
50cba82c2ba74d905a68888f5fb70910088a56e2

SHA256
3dc4249d580e83427858dbefe6bbeac93820fd4865ea92d11e1c81d730eb8957

SHA512
f38bfdc49908cab2fcbd92d2b78776ed7a3fb1b218e4f3671429b381e89d32efffadbb09db48e101b5ff6250b239e9d6819acf87a734a86114c255325abed06a

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
175KB

MD5
165b8c0ba3b89081ccbb903507d379d7

SHA1
50cba82c2ba74d905a68888f5fb70910088a56e2

SHA256
3dc4249d580e83427858dbefe6bbeac93820fd4865ea92d11e1c81d730eb8957

SHA512
f38bfdc49908cab2fcbd92d2b78776ed7a3fb1b218e4f3671429b381e89d32efffadbb09db48e101b5ff6250b239e9d6819acf87a734a86114c255325abed06a

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
6cb1a862c5d3015502be64b07c6b5ec7

SHA1
055b4b97bd55f4f0f47fd8c981fc216709e91936

SHA256
6ae3ae6c1d057e9376efd0711d9912dfddebd9f8a8b257cee104cba98195c48e

SHA512
5f8f0cdbbd70f06bc8783c0e762208a3c54daf0f2b064abd450116cb31963d0802bc59648e868d647031e0e321d151a20f1b71ccba613f6e1c0c7fbb7ee974ab

Download Submit
C:\Windows\hosts.exe

Filesize
175KB

MD5
e279a83f359152c6963b2b1c922714e6

SHA1
b3b8d802b45afee55806e2bd07bf998012c4331b

SHA256
0dadf21a5371d55d311366b758cf13e015fef290f58242028229ca0f38c0384d

SHA512
c1ee61db97198722c7b5f9c076c05e5895ae5f5e330049c3d4aef624d08027d62477117ef23bc92d2bf506497f4ccd6b2b3c9a31fd60045ab97b613e847e0a51

Download Submit
C:\Windows\hosts.exe

Filesize
175KB

MD5
e279a83f359152c6963b2b1c922714e6

SHA1
b3b8d802b45afee55806e2bd07bf998012c4331b

SHA256
0dadf21a5371d55d311366b758cf13e015fef290f58242028229ca0f38c0384d

SHA512
c1ee61db97198722c7b5f9c076c05e5895ae5f5e330049c3d4aef624d08027d62477117ef23bc92d2bf506497f4ccd6b2b3c9a31fd60045ab97b613e847e0a51

Download Submit
C:\Windows\hosts.exe

Filesize
175KB

MD5
e279a83f359152c6963b2b1c922714e6

SHA1
b3b8d802b45afee55806e2bd07bf998012c4331b

SHA256
0dadf21a5371d55d311366b758cf13e015fef290f58242028229ca0f38c0384d

SHA512
c1ee61db97198722c7b5f9c076c05e5895ae5f5e330049c3d4aef624d08027d62477117ef23bc92d2bf506497f4ccd6b2b3c9a31fd60045ab97b613e847e0a51

Download Submit
C:\Windows\hosts.exe

Filesize
175KB

MD5
e279a83f359152c6963b2b1c922714e6

SHA1
b3b8d802b45afee55806e2bd07bf998012c4331b

SHA256
0dadf21a5371d55d311366b758cf13e015fef290f58242028229ca0f38c0384d

SHA512
c1ee61db97198722c7b5f9c076c05e5895ae5f5e330049c3d4aef624d08027d62477117ef23bc92d2bf506497f4ccd6b2b3c9a31fd60045ab97b613e847e0a51

Download Submit
C:\windows\hosts.exe

Filesize
175KB

MD5
e279a83f359152c6963b2b1c922714e6

SHA1
b3b8d802b45afee55806e2bd07bf998012c4331b

SHA256
0dadf21a5371d55d311366b758cf13e015fef290f58242028229ca0f38c0384d

SHA512
c1ee61db97198722c7b5f9c076c05e5895ae5f5e330049c3d4aef624d08027d62477117ef23bc92d2bf506497f4ccd6b2b3c9a31fd60045ab97b613e847e0a51

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
175KB

MD5
165b8c0ba3b89081ccbb903507d379d7

SHA1
50cba82c2ba74d905a68888f5fb70910088a56e2

SHA256
3dc4249d580e83427858dbefe6bbeac93820fd4865ea92d11e1c81d730eb8957

SHA512
f38bfdc49908cab2fcbd92d2b78776ed7a3fb1b218e4f3671429b381e89d32efffadbb09db48e101b5ff6250b239e9d6819acf87a734a86114c255325abed06a

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
175KB

MD5
165b8c0ba3b89081ccbb903507d379d7

SHA1
50cba82c2ba74d905a68888f5fb70910088a56e2

SHA256
3dc4249d580e83427858dbefe6bbeac93820fd4865ea92d11e1c81d730eb8957

SHA512
f38bfdc49908cab2fcbd92d2b78776ed7a3fb1b218e4f3671429b381e89d32efffadbb09db48e101b5ff6250b239e9d6819acf87a734a86114c255325abed06a

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
175KB

MD5
165b8c0ba3b89081ccbb903507d379d7

SHA1
50cba82c2ba74d905a68888f5fb70910088a56e2

SHA256
3dc4249d580e83427858dbefe6bbeac93820fd4865ea92d11e1c81d730eb8957

SHA512
f38bfdc49908cab2fcbd92d2b78776ed7a3fb1b218e4f3671429b381e89d32efffadbb09db48e101b5ff6250b239e9d6819acf87a734a86114c255325abed06a

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
175KB

MD5
165b8c0ba3b89081ccbb903507d379d7

SHA1
50cba82c2ba74d905a68888f5fb70910088a56e2

SHA256
3dc4249d580e83427858dbefe6bbeac93820fd4865ea92d11e1c81d730eb8957

SHA512
f38bfdc49908cab2fcbd92d2b78776ed7a3fb1b218e4f3671429b381e89d32efffadbb09db48e101b5ff6250b239e9d6819acf87a734a86114c255325abed06a

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
175KB

MD5
165b8c0ba3b89081ccbb903507d379d7

SHA1
50cba82c2ba74d905a68888f5fb70910088a56e2

SHA256
3dc4249d580e83427858dbefe6bbeac93820fd4865ea92d11e1c81d730eb8957

SHA512
f38bfdc49908cab2fcbd92d2b78776ed7a3fb1b218e4f3671429b381e89d32efffadbb09db48e101b5ff6250b239e9d6819acf87a734a86114c255325abed06a

Download Submit
memory/1672-56-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1672-58-0x0000000074621000-0x0000000074623000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads