0648e1083bd420efd9c10d2b2307efcc2e5cbc3a44d1b7783e1030414aa133bd

Analysis

max time kernel
133s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/10/2022, 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0648e1083bd420efd9c10d2b2307efcc2e5cbc3a44d1b7783e1030414aa133bd.exe
Size

310KB
MD5

1022aa1257f58abcccf40165565fb7ce
SHA1

043b88526e5635a65018edb2118bd70dd8359864
SHA256

0648e1083bd420efd9c10d2b2307efcc2e5cbc3a44d1b7783e1030414aa133bd
SHA512

99c722de9e166fa58a5b494b36a0a0369faf5f08b039838338adf890906047d442fe29feba5ae4aee3cbda14fe5fb7fbae494f788427912f2298b627a6ce4161
SSDEEP

6144:gDCwfG1bnxLERR4saXhSTMw8ElzImLZAqXa+:g72bntEL4/YyEdvL8+

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	0648e1083bd420efd9c10d2b2307efcc2e5cbc3a44d1b7783e1030414aa133bd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	0648e1083bd420efd9c10d2b2307efcc2e5cbc3a44d1b7783e1030414aa133bd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZERMMMDR = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZERMMMDR = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZERMMMDR = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
1752	avscan.exe
2040	avscan.exe
944	hosts.exe
1632	hosts.exe
1072	avscan.exe
892	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
896	0648e1083bd420efd9c10d2b2307efcc2e5cbc3a44d1b7783e1030414aa133bd.exe
896	0648e1083bd420efd9c10d2b2307efcc2e5cbc3a44d1b7783e1030414aa133bd.exe
1752	avscan.exe
944	hosts.exe
944	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	0648e1083bd420efd9c10d2b2307efcc2e5cbc3a44d1b7783e1030414aa133bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	0648e1083bd420efd9c10d2b2307efcc2e5cbc3a44d1b7783e1030414aa133bd.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\W_X_C.vbs	0648e1083bd420efd9c10d2b2307efcc2e5cbc3a44d1b7783e1030414aa133bd.exe
File created	\??\c:\windows\W_X_C.bat	0648e1083bd420efd9c10d2b2307efcc2e5cbc3a44d1b7783e1030414aa133bd.exe
File opened for modification	C:\Windows\hosts.exe	0648e1083bd420efd9c10d2b2307efcc2e5cbc3a44d1b7783e1030414aa133bd.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
976	REG.exe
1636	REG.exe
792	REG.exe
2036	REG.exe
316	REG.exe
1444	REG.exe
1712	REG.exe
832	REG.exe
1536	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1752	avscan.exe
944	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
896	0648e1083bd420efd9c10d2b2307efcc2e5cbc3a44d1b7783e1030414aa133bd.exe
1752	avscan.exe
2040	avscan.exe
944	hosts.exe
1632	hosts.exe
1072	avscan.exe
892	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 896 wrote to memory of 976	896	0648e1083bd420efd9c10d2b2307efcc2e5cbc3a44d1b7783e1030414aa133bd.exe	28
PID 896 wrote to memory of 976	896	0648e1083bd420efd9c10d2b2307efcc2e5cbc3a44d1b7783e1030414aa133bd.exe	28
PID 896 wrote to memory of 976	896	0648e1083bd420efd9c10d2b2307efcc2e5cbc3a44d1b7783e1030414aa133bd.exe	28
PID 896 wrote to memory of 976	896	0648e1083bd420efd9c10d2b2307efcc2e5cbc3a44d1b7783e1030414aa133bd.exe	28
PID 896 wrote to memory of 1752	896	0648e1083bd420efd9c10d2b2307efcc2e5cbc3a44d1b7783e1030414aa133bd.exe	30
PID 896 wrote to memory of 1752	896	0648e1083bd420efd9c10d2b2307efcc2e5cbc3a44d1b7783e1030414aa133bd.exe	30
PID 896 wrote to memory of 1752	896	0648e1083bd420efd9c10d2b2307efcc2e5cbc3a44d1b7783e1030414aa133bd.exe	30
PID 896 wrote to memory of 1752	896	0648e1083bd420efd9c10d2b2307efcc2e5cbc3a44d1b7783e1030414aa133bd.exe	30
PID 1752 wrote to memory of 2040	1752	avscan.exe	31
PID 1752 wrote to memory of 2040	1752	avscan.exe	31
PID 1752 wrote to memory of 2040	1752	avscan.exe	31
PID 1752 wrote to memory of 2040	1752	avscan.exe	31
PID 1752 wrote to memory of 1768	1752	avscan.exe	32
PID 1752 wrote to memory of 1768	1752	avscan.exe	32
PID 1752 wrote to memory of 1768	1752	avscan.exe	32
PID 1752 wrote to memory of 1768	1752	avscan.exe	32
PID 896 wrote to memory of 1544	896	0648e1083bd420efd9c10d2b2307efcc2e5cbc3a44d1b7783e1030414aa133bd.exe	33
PID 896 wrote to memory of 1544	896	0648e1083bd420efd9c10d2b2307efcc2e5cbc3a44d1b7783e1030414aa133bd.exe	33
PID 896 wrote to memory of 1544	896	0648e1083bd420efd9c10d2b2307efcc2e5cbc3a44d1b7783e1030414aa133bd.exe	33
PID 896 wrote to memory of 1544	896	0648e1083bd420efd9c10d2b2307efcc2e5cbc3a44d1b7783e1030414aa133bd.exe	33
PID 1544 wrote to memory of 944	1544	cmd.exe	36
PID 1544 wrote to memory of 944	1544	cmd.exe	36
PID 1544 wrote to memory of 944	1544	cmd.exe	36
PID 1544 wrote to memory of 944	1544	cmd.exe	36
PID 1768 wrote to memory of 1632	1768	cmd.exe	37
PID 1768 wrote to memory of 1632	1768	cmd.exe	37
PID 1768 wrote to memory of 1632	1768	cmd.exe	37
PID 1768 wrote to memory of 1632	1768	cmd.exe	37
PID 944 wrote to memory of 1072	944	hosts.exe	38
PID 944 wrote to memory of 1072	944	hosts.exe	38
PID 944 wrote to memory of 1072	944	hosts.exe	38
PID 944 wrote to memory of 1072	944	hosts.exe	38
PID 944 wrote to memory of 1940	944	hosts.exe	39
PID 944 wrote to memory of 1940	944	hosts.exe	39
PID 944 wrote to memory of 1940	944	hosts.exe	39
PID 944 wrote to memory of 1940	944	hosts.exe	39
PID 1940 wrote to memory of 892	1940	cmd.exe	41
PID 1940 wrote to memory of 892	1940	cmd.exe	41
PID 1940 wrote to memory of 892	1940	cmd.exe	41
PID 1940 wrote to memory of 892	1940	cmd.exe	41
PID 1768 wrote to memory of 836	1768	cmd.exe	42
PID 1768 wrote to memory of 836	1768	cmd.exe	42
PID 1768 wrote to memory of 836	1768	cmd.exe	42
PID 1768 wrote to memory of 836	1768	cmd.exe	42
PID 1544 wrote to memory of 1392	1544	cmd.exe	43
PID 1544 wrote to memory of 1392	1544	cmd.exe	43
PID 1544 wrote to memory of 1392	1544	cmd.exe	43
PID 1544 wrote to memory of 1392	1544	cmd.exe	43
PID 1940 wrote to memory of 1868	1940	cmd.exe	44
PID 1940 wrote to memory of 1868	1940	cmd.exe	44
PID 1940 wrote to memory of 1868	1940	cmd.exe	44
PID 1940 wrote to memory of 1868	1940	cmd.exe	44
PID 1752 wrote to memory of 316	1752	avscan.exe	45
PID 1752 wrote to memory of 316	1752	avscan.exe	45
PID 1752 wrote to memory of 316	1752	avscan.exe	45
PID 1752 wrote to memory of 316	1752	avscan.exe	45
PID 944 wrote to memory of 1444	944	hosts.exe	47
PID 944 wrote to memory of 1444	944	hosts.exe	47
PID 944 wrote to memory of 1444	944	hosts.exe	47
PID 944 wrote to memory of 1444	944	hosts.exe	47
PID 944 wrote to memory of 832	944	hosts.exe	50
PID 944 wrote to memory of 832	944	hosts.exe	50
PID 944 wrote to memory of 832	944	hosts.exe	50
PID 944 wrote to memory of 832	944	hosts.exe	50

C:\Users\Admin\AppData\Local\Temp\0648e1083bd420efd9c10d2b2307efcc2e5cbc3a44d1b7783e1030414aa133bd.exe
"C:\Users\Admin\AppData\Local\Temp\0648e1083bd420efd9c10d2b2307efcc2e5cbc3a44d1b7783e1030414aa133bd.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:896
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:976
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2040
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1632
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:836
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:316
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1712
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:792
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:2036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:944
  - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1072
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\W_X_C.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1940
    - - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:892
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        5⤵
        Adds policy Run key to start application
        
        PID:1868
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1444
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:832
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1536
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1636
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:1392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
668KB

MD5
2813ed4c67919c560ac621af4f686157

SHA1
fd7b78d8bb83f5861c58e22384ba1bf9e7748646

SHA256
4b8bbbe3b8082e5233860ab23b50beca9a46cc45a4084287f643aa791da0dc4d

SHA512
9cddd007a3c37af1c9b48957a939afe6960aa4226a1cfbd0c9e3115f0064cfedff1e9a03a5711368d38c02ff1ea781e9d2cea7fee7ffe5359a38b62b79a55feb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.3MB

MD5
0f60cc72578cb978999006ef8353a7f6

SHA1
be49a3843d03fa19d5bc9514c1ebb4b84a951102

SHA256
846e21879352be6de0b6e7548f471f6be8b1ef25c4d4d06e0b684cad382d30dc

SHA512
b936a46c1ff9453926757c20fa9c3559e8949fd10133b0225de955683aca0160f6dcdc61f0f22aa9d7ac0263cf2e8200f11bb22add7ab6993c0de5110471318d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.9MB

MD5
053b7c9200bfeba42f085e87a11154b3

SHA1
d3bdd57bb0326e1cc1a9f64bd3f7d1f7037417bc

SHA256
b78ec26fd09537c7214260835654d5b9e47cd19d8428c77437eae6c3485cfd44

SHA512
1cddb580f79758651351a499c0f77110a33a56a502dd9153f27098478b20b3cf9fe013a27949d34753a6f89cac6dcfa2979be365487b38c48a10585238b21085

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
2.5MB

MD5
350abe62ec8c7832db3d55b0c5a95dc7

SHA1
d55769faf1a931f45e2332a4c122a5d795de758f

SHA256
5b0fb8f2f25254ec1f50a2eae0f0fa03763578901c9e8dc30fd4c8d994501a93

SHA512
5baaabb7013feec3320c4b6fe45183960369a3f443fae60a061d430885424f8df510a67fc7d1835b1045022b002095baa409d18e344e133f633b000498ae3e97

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
310KB

MD5
83818dc42cf5bb97dbf6170a99bbb79c

SHA1
40874a0384d9068a7b7dd2a8aac6b76e1de976e0

SHA256
3e212a1803a10a4c070c2f8d499f582c24a2ed6f1056250feead0a7e54cc3234

SHA512
467772f4bdb6a1129a9ac0c552fc48d4dba5cf7815ee27d4d6668fcd540d4e3ed49872f197aa541e4051cc79cc1087ac4bdbf3c9a4d0bbe70451c88540b411c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
310KB

MD5
83818dc42cf5bb97dbf6170a99bbb79c

SHA1
40874a0384d9068a7b7dd2a8aac6b76e1de976e0

SHA256
3e212a1803a10a4c070c2f8d499f582c24a2ed6f1056250feead0a7e54cc3234

SHA512
467772f4bdb6a1129a9ac0c552fc48d4dba5cf7815ee27d4d6668fcd540d4e3ed49872f197aa541e4051cc79cc1087ac4bdbf3c9a4d0bbe70451c88540b411c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
310KB

MD5
83818dc42cf5bb97dbf6170a99bbb79c

SHA1
40874a0384d9068a7b7dd2a8aac6b76e1de976e0

SHA256
3e212a1803a10a4c070c2f8d499f582c24a2ed6f1056250feead0a7e54cc3234

SHA512
467772f4bdb6a1129a9ac0c552fc48d4dba5cf7815ee27d4d6668fcd540d4e3ed49872f197aa541e4051cc79cc1087ac4bdbf3c9a4d0bbe70451c88540b411c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
310KB

MD5
83818dc42cf5bb97dbf6170a99bbb79c

SHA1
40874a0384d9068a7b7dd2a8aac6b76e1de976e0

SHA256
3e212a1803a10a4c070c2f8d499f582c24a2ed6f1056250feead0a7e54cc3234

SHA512
467772f4bdb6a1129a9ac0c552fc48d4dba5cf7815ee27d4d6668fcd540d4e3ed49872f197aa541e4051cc79cc1087ac4bdbf3c9a4d0bbe70451c88540b411c4

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
b147c267b47c4a6cfa3a72c41407541b

SHA1
062231bf7639b26f92e6d5ef78d515f8eaa9639d

SHA256
c9b7b5b912ab24c729de962727ac33835dd58f17754f9368ac702b9987f3baf6

SHA512
4f646fee7eaa29f33604b3f349b3d90a65bec39fdbe80bac6dcd2cd67b17475e51f833a66a5207d3008fede867792605bab132d6672e206bfefaa83aa344ac64

Download Submit
C:\Windows\hosts.exe

Filesize
310KB

MD5
e185a7e19368248151d6008c9fb74335

SHA1
8b60d4893f24db0c175a9de193671fe21a930eb0

SHA256
f38a5f01fc2ccf4006cde9dc36f3e4756998c07f3496654d2b1470fa328f41a5

SHA512
52ff519996f64adfd9b7c76b58c2f384141002aba8ab23755399ad91f8cf125bff88c92cc3fbeafe680b5d158c5e784d8f122e340ff67e6eedfaf9e16d402a90

Download Submit
C:\Windows\hosts.exe

Filesize
310KB

MD5
e185a7e19368248151d6008c9fb74335

SHA1
8b60d4893f24db0c175a9de193671fe21a930eb0

SHA256
f38a5f01fc2ccf4006cde9dc36f3e4756998c07f3496654d2b1470fa328f41a5

SHA512
52ff519996f64adfd9b7c76b58c2f384141002aba8ab23755399ad91f8cf125bff88c92cc3fbeafe680b5d158c5e784d8f122e340ff67e6eedfaf9e16d402a90

Download Submit
C:\Windows\hosts.exe

Filesize
310KB

MD5
e185a7e19368248151d6008c9fb74335

SHA1
8b60d4893f24db0c175a9de193671fe21a930eb0

SHA256
f38a5f01fc2ccf4006cde9dc36f3e4756998c07f3496654d2b1470fa328f41a5

SHA512
52ff519996f64adfd9b7c76b58c2f384141002aba8ab23755399ad91f8cf125bff88c92cc3fbeafe680b5d158c5e784d8f122e340ff67e6eedfaf9e16d402a90

Download Submit
C:\Windows\hosts.exe

Filesize
310KB

MD5
e185a7e19368248151d6008c9fb74335

SHA1
8b60d4893f24db0c175a9de193671fe21a930eb0

SHA256
f38a5f01fc2ccf4006cde9dc36f3e4756998c07f3496654d2b1470fa328f41a5

SHA512
52ff519996f64adfd9b7c76b58c2f384141002aba8ab23755399ad91f8cf125bff88c92cc3fbeafe680b5d158c5e784d8f122e340ff67e6eedfaf9e16d402a90

Download Submit
C:\windows\hosts.exe

Filesize
310KB

MD5
e185a7e19368248151d6008c9fb74335

SHA1
8b60d4893f24db0c175a9de193671fe21a930eb0

SHA256
f38a5f01fc2ccf4006cde9dc36f3e4756998c07f3496654d2b1470fa328f41a5

SHA512
52ff519996f64adfd9b7c76b58c2f384141002aba8ab23755399ad91f8cf125bff88c92cc3fbeafe680b5d158c5e784d8f122e340ff67e6eedfaf9e16d402a90

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
310KB

MD5
83818dc42cf5bb97dbf6170a99bbb79c

SHA1
40874a0384d9068a7b7dd2a8aac6b76e1de976e0

SHA256
3e212a1803a10a4c070c2f8d499f582c24a2ed6f1056250feead0a7e54cc3234

SHA512
467772f4bdb6a1129a9ac0c552fc48d4dba5cf7815ee27d4d6668fcd540d4e3ed49872f197aa541e4051cc79cc1087ac4bdbf3c9a4d0bbe70451c88540b411c4

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
310KB

MD5
83818dc42cf5bb97dbf6170a99bbb79c

SHA1
40874a0384d9068a7b7dd2a8aac6b76e1de976e0

SHA256
3e212a1803a10a4c070c2f8d499f582c24a2ed6f1056250feead0a7e54cc3234

SHA512
467772f4bdb6a1129a9ac0c552fc48d4dba5cf7815ee27d4d6668fcd540d4e3ed49872f197aa541e4051cc79cc1087ac4bdbf3c9a4d0bbe70451c88540b411c4

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
310KB

MD5
83818dc42cf5bb97dbf6170a99bbb79c

SHA1
40874a0384d9068a7b7dd2a8aac6b76e1de976e0

SHA256
3e212a1803a10a4c070c2f8d499f582c24a2ed6f1056250feead0a7e54cc3234

SHA512
467772f4bdb6a1129a9ac0c552fc48d4dba5cf7815ee27d4d6668fcd540d4e3ed49872f197aa541e4051cc79cc1087ac4bdbf3c9a4d0bbe70451c88540b411c4

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
310KB

MD5
83818dc42cf5bb97dbf6170a99bbb79c

SHA1
40874a0384d9068a7b7dd2a8aac6b76e1de976e0

SHA256
3e212a1803a10a4c070c2f8d499f582c24a2ed6f1056250feead0a7e54cc3234

SHA512
467772f4bdb6a1129a9ac0c552fc48d4dba5cf7815ee27d4d6668fcd540d4e3ed49872f197aa541e4051cc79cc1087ac4bdbf3c9a4d0bbe70451c88540b411c4

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
310KB

MD5
83818dc42cf5bb97dbf6170a99bbb79c

SHA1
40874a0384d9068a7b7dd2a8aac6b76e1de976e0

SHA256
3e212a1803a10a4c070c2f8d499f582c24a2ed6f1056250feead0a7e54cc3234

SHA512
467772f4bdb6a1129a9ac0c552fc48d4dba5cf7815ee27d4d6668fcd540d4e3ed49872f197aa541e4051cc79cc1087ac4bdbf3c9a4d0bbe70451c88540b411c4

Download Submit
memory/896-56-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/896-58-0x0000000074831000-0x0000000074833000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads