215e5912e68742d153b50b7afb977682cbbdf10743b18bf5fe3605517e2e922b

Analysis

max time kernel
139s
max time network
61s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-11-2022 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

215e5912e68742d153b50b7afb977682cbbdf10743b18bf5fe3605517e2e922b.exe
Size

241KB
MD5

0f98f79bbde9fedacbea7da9449b7506
SHA1

6a6af4979adad12fde9a9bda7684bbf5ff0de35a
SHA256

215e5912e68742d153b50b7afb977682cbbdf10743b18bf5fe3605517e2e922b
SHA512

764cbf18b073d966fb422beb8c029c923cbc40e50745de5af801ceec5213a863b04e4aaf66fe0e4ba45681567ca04a1796eafcac1e00af50de25d58ec478ae00
SSDEEP

3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCm/DER4eQyMWoe0c8TilDcq1WC6dS:gDCwfG1bnxLERRh5yc8TO91WC6dS

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	215e5912e68742d153b50b7afb977682cbbdf10743b18bf5fe3605517e2e922b.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	215e5912e68742d153b50b7afb977682cbbdf10743b18bf5fe3605517e2e922b.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GRXNNIIE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GRXNNIIE = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
1208	avscan.exe
1788	avscan.exe
396	hosts.exe
852	hosts.exe
1280	avscan.exe
1648	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
1804	215e5912e68742d153b50b7afb977682cbbdf10743b18bf5fe3605517e2e922b.exe
1804	215e5912e68742d153b50b7afb977682cbbdf10743b18bf5fe3605517e2e922b.exe
1208	avscan.exe
396	hosts.exe
396	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	215e5912e68742d153b50b7afb977682cbbdf10743b18bf5fe3605517e2e922b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	215e5912e68742d153b50b7afb977682cbbdf10743b18bf5fe3605517e2e922b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\W_X_C.vbs	215e5912e68742d153b50b7afb977682cbbdf10743b18bf5fe3605517e2e922b.exe
File created	\??\c:\windows\W_X_C.bat	215e5912e68742d153b50b7afb977682cbbdf10743b18bf5fe3605517e2e922b.exe
File opened for modification	C:\Windows\hosts.exe	215e5912e68742d153b50b7afb977682cbbdf10743b18bf5fe3605517e2e922b.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
304	REG.exe
1004	REG.exe
1532	REG.exe
1120	REG.exe
1968	REG.exe
2008	REG.exe
960	REG.exe
1928	REG.exe
1672	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1208	avscan.exe
396	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1804	215e5912e68742d153b50b7afb977682cbbdf10743b18bf5fe3605517e2e922b.exe
1208	avscan.exe
1788	avscan.exe
396	hosts.exe
852	hosts.exe
1280	avscan.exe
1648	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 1120	1804	215e5912e68742d153b50b7afb977682cbbdf10743b18bf5fe3605517e2e922b.exe	27
PID 1804 wrote to memory of 1120	1804	215e5912e68742d153b50b7afb977682cbbdf10743b18bf5fe3605517e2e922b.exe	27
PID 1804 wrote to memory of 1120	1804	215e5912e68742d153b50b7afb977682cbbdf10743b18bf5fe3605517e2e922b.exe	27
PID 1804 wrote to memory of 1120	1804	215e5912e68742d153b50b7afb977682cbbdf10743b18bf5fe3605517e2e922b.exe	27
PID 1804 wrote to memory of 1208	1804	215e5912e68742d153b50b7afb977682cbbdf10743b18bf5fe3605517e2e922b.exe	29
PID 1804 wrote to memory of 1208	1804	215e5912e68742d153b50b7afb977682cbbdf10743b18bf5fe3605517e2e922b.exe	29
PID 1804 wrote to memory of 1208	1804	215e5912e68742d153b50b7afb977682cbbdf10743b18bf5fe3605517e2e922b.exe	29
PID 1804 wrote to memory of 1208	1804	215e5912e68742d153b50b7afb977682cbbdf10743b18bf5fe3605517e2e922b.exe	29
PID 1208 wrote to memory of 1788	1208	avscan.exe	30
PID 1208 wrote to memory of 1788	1208	avscan.exe	30
PID 1208 wrote to memory of 1788	1208	avscan.exe	30
PID 1208 wrote to memory of 1788	1208	avscan.exe	30
PID 1208 wrote to memory of 1736	1208	avscan.exe	31
PID 1208 wrote to memory of 1736	1208	avscan.exe	31
PID 1208 wrote to memory of 1736	1208	avscan.exe	31
PID 1208 wrote to memory of 1736	1208	avscan.exe	31
PID 1804 wrote to memory of 584	1804	215e5912e68742d153b50b7afb977682cbbdf10743b18bf5fe3605517e2e922b.exe	33
PID 1804 wrote to memory of 584	1804	215e5912e68742d153b50b7afb977682cbbdf10743b18bf5fe3605517e2e922b.exe	33
PID 1804 wrote to memory of 584	1804	215e5912e68742d153b50b7afb977682cbbdf10743b18bf5fe3605517e2e922b.exe	33
PID 1804 wrote to memory of 584	1804	215e5912e68742d153b50b7afb977682cbbdf10743b18bf5fe3605517e2e922b.exe	33
PID 1736 wrote to memory of 396	1736	cmd.exe	35
PID 1736 wrote to memory of 396	1736	cmd.exe	35
PID 1736 wrote to memory of 396	1736	cmd.exe	35
PID 1736 wrote to memory of 396	1736	cmd.exe	35
PID 584 wrote to memory of 852	584	cmd.exe	36
PID 584 wrote to memory of 852	584	cmd.exe	36
PID 584 wrote to memory of 852	584	cmd.exe	36
PID 584 wrote to memory of 852	584	cmd.exe	36
PID 396 wrote to memory of 1280	396	hosts.exe	37
PID 396 wrote to memory of 1280	396	hosts.exe	37
PID 396 wrote to memory of 1280	396	hosts.exe	37
PID 396 wrote to memory of 1280	396	hosts.exe	37
PID 584 wrote to memory of 1656	584	cmd.exe	38
PID 584 wrote to memory of 1656	584	cmd.exe	38
PID 584 wrote to memory of 1656	584	cmd.exe	38
PID 584 wrote to memory of 1656	584	cmd.exe	38
PID 396 wrote to memory of 1960	396	hosts.exe	39
PID 396 wrote to memory of 1960	396	hosts.exe	39
PID 396 wrote to memory of 1960	396	hosts.exe	39
PID 396 wrote to memory of 1960	396	hosts.exe	39
PID 1960 wrote to memory of 1648	1960	cmd.exe	41
PID 1960 wrote to memory of 1648	1960	cmd.exe	41
PID 1960 wrote to memory of 1648	1960	cmd.exe	41
PID 1960 wrote to memory of 1648	1960	cmd.exe	41
PID 1960 wrote to memory of 1644	1960	cmd.exe	42
PID 1960 wrote to memory of 1644	1960	cmd.exe	42
PID 1960 wrote to memory of 1644	1960	cmd.exe	42
PID 1960 wrote to memory of 1644	1960	cmd.exe	42
PID 396 wrote to memory of 1928	396	hosts.exe	43
PID 396 wrote to memory of 1928	396	hosts.exe	43
PID 396 wrote to memory of 1928	396	hosts.exe	43
PID 396 wrote to memory of 1928	396	hosts.exe	43
PID 1208 wrote to memory of 1968	1208	avscan.exe	45
PID 1208 wrote to memory of 1968	1208	avscan.exe	45
PID 1208 wrote to memory of 1968	1208	avscan.exe	45
PID 1208 wrote to memory of 1968	1208	avscan.exe	45
PID 396 wrote to memory of 304	396	hosts.exe	47
PID 396 wrote to memory of 304	396	hosts.exe	47
PID 396 wrote to memory of 304	396	hosts.exe	47
PID 396 wrote to memory of 304	396	hosts.exe	47
PID 1208 wrote to memory of 1672	1208	avscan.exe	48
PID 1208 wrote to memory of 1672	1208	avscan.exe	48
PID 1208 wrote to memory of 1672	1208	avscan.exe	48
PID 1208 wrote to memory of 1672	1208	avscan.exe	48

C:\Users\Admin\AppData\Local\Temp\215e5912e68742d153b50b7afb977682cbbdf10743b18bf5fe3605517e2e922b.exe
"C:\Users\Admin\AppData\Local\Temp\215e5912e68742d153b50b7afb977682cbbdf10743b18bf5fe3605517e2e922b.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:1120
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1788
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1736
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:396
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1280
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\W_X_C.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1960
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1648
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:1644
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1928
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:304
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:960
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1004
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1968
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1672
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:2008
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:584
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:852
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:1656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
531KB

MD5
fa9da71bfb7354c55f87e545f1f81512

SHA1
2bf5ec6c45b706846c2abdf4cf51cc41c3a00d8d

SHA256
17a07b5fdfdc2d2796c149c16869c97f839af57bc83a1787e0398d51395b6a21

SHA512
4ea425d2770d14e01a85614ef2440b6bc590f6424c8f4de72a797df0b2f26d2281ea7351bf1450f44a2692a32528f04d9b78a7f3e5eaab978ef55704dfedb15a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1014KB

MD5
3ba2ce6fb9de7df2d59364f923904d4d

SHA1
a22ef6bb28d9ff367937a2337932799385f669af

SHA256
60c2b16006e102f5c905bec5177639bba6e9eabaf6d23e58840507ce93a3ca96

SHA512
76e2bc2f0206e0137bd7833b725e1f3e149c89dc318eeb6995e251f2b1834b12d234b984713b3bd3140690d65053aff1c67bfeb6a0213e9879b0315cc361ec89

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.5MB

MD5
7e4ff80d6e8fc5d0b61190df324af91f

SHA1
65eddbe0ec568df14660d7a80fc75e5d2086e1ab

SHA256
d234a16b132b290b113a7205f95993ef309a798b2fc04ce6375417466151c54f

SHA512
88329d980750430acd4fb6d0913401ffbea034bf5ff66ff56a9227889ebccf892e7876eaedc375598af50aa2372f10af5e913af019b0a5208b1d619537c78aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.9MB

MD5
78cc1d84612f02600d041756f1ed58a6

SHA1
9d090423fb8b9852014a591f4633be93d18faf65

SHA256
50edc12154024b187ea2d932db2d6c296be5280cc3c3641ee4de8e343b03b841

SHA512
599561230e5fdd631820402bee643cbf75c5d74d48584b8458084a97b91c4002f2deac81cd3b7598548d94bf5216c7d3021797c31f143a0a053a426b45953c57

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
241KB

MD5
37035cdbf7542aee00fb1ac64ff0d30c

SHA1
7f63cb979e045a5b64ebf6b65b2323373d75fca9

SHA256
3cd496fcc10b0fe5d1289682b0f0afeaf1fdeeef6fd42233e0e0fdaf28ae0d7e

SHA512
e521d8f896cb291168d9a481175e221005789a39b4ab47a9c5e548cd227ed43f0b69e4c45bc84d15e94c9481af5040d775f4131ee9ae57f6b5caa669b04498ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
241KB

MD5
37035cdbf7542aee00fb1ac64ff0d30c

SHA1
7f63cb979e045a5b64ebf6b65b2323373d75fca9

SHA256
3cd496fcc10b0fe5d1289682b0f0afeaf1fdeeef6fd42233e0e0fdaf28ae0d7e

SHA512
e521d8f896cb291168d9a481175e221005789a39b4ab47a9c5e548cd227ed43f0b69e4c45bc84d15e94c9481af5040d775f4131ee9ae57f6b5caa669b04498ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
241KB

MD5
37035cdbf7542aee00fb1ac64ff0d30c

SHA1
7f63cb979e045a5b64ebf6b65b2323373d75fca9

SHA256
3cd496fcc10b0fe5d1289682b0f0afeaf1fdeeef6fd42233e0e0fdaf28ae0d7e

SHA512
e521d8f896cb291168d9a481175e221005789a39b4ab47a9c5e548cd227ed43f0b69e4c45bc84d15e94c9481af5040d775f4131ee9ae57f6b5caa669b04498ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
241KB

MD5
37035cdbf7542aee00fb1ac64ff0d30c

SHA1
7f63cb979e045a5b64ebf6b65b2323373d75fca9

SHA256
3cd496fcc10b0fe5d1289682b0f0afeaf1fdeeef6fd42233e0e0fdaf28ae0d7e

SHA512
e521d8f896cb291168d9a481175e221005789a39b4ab47a9c5e548cd227ed43f0b69e4c45bc84d15e94c9481af5040d775f4131ee9ae57f6b5caa669b04498ab

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
9eb0c6074d8e54f7da6508b5f6809e78

SHA1
61f003a28c45377e9fc641a0dd1382e6931c11f0

SHA256
df6f01f8c7c5ad4b1e66d19309ad60f0189bc607d7a07c184d9d94abd29c3ee8

SHA512
f6db15038cf4312647c59574cf2352c132c36cd060293977427b719066e5519838c6fed059d3a1d4e3277b575d9132d29d150c45cebd8a3852e705f3297f6d08

Download Submit
C:\Windows\hosts.exe

Filesize
241KB

MD5
d53cc2122b98da64244275ec1231885b

SHA1
4db3f501cb1950ff5708d7db5f6c21d1bd5881a8

SHA256
4df4b330fb67a077ec54f02a020b41f82b19fe4508bfbc73f56cefd13a9f8311

SHA512
e3c5b43879d2a69755197e9e27c30df29a9bd4c6d1742897a1b3d571d132d76f95ea62361c4f17da779a6d4fe4d5d3e52b6d463f9155ccf9ea3897a42d466ec1

Download Submit
C:\Windows\hosts.exe

Filesize
241KB

MD5
d53cc2122b98da64244275ec1231885b

SHA1
4db3f501cb1950ff5708d7db5f6c21d1bd5881a8

SHA256
4df4b330fb67a077ec54f02a020b41f82b19fe4508bfbc73f56cefd13a9f8311

SHA512
e3c5b43879d2a69755197e9e27c30df29a9bd4c6d1742897a1b3d571d132d76f95ea62361c4f17da779a6d4fe4d5d3e52b6d463f9155ccf9ea3897a42d466ec1

Download Submit
C:\Windows\hosts.exe

Filesize
241KB

MD5
d53cc2122b98da64244275ec1231885b

SHA1
4db3f501cb1950ff5708d7db5f6c21d1bd5881a8

SHA256
4df4b330fb67a077ec54f02a020b41f82b19fe4508bfbc73f56cefd13a9f8311

SHA512
e3c5b43879d2a69755197e9e27c30df29a9bd4c6d1742897a1b3d571d132d76f95ea62361c4f17da779a6d4fe4d5d3e52b6d463f9155ccf9ea3897a42d466ec1

Download Submit
C:\Windows\hosts.exe

Filesize
241KB

MD5
d53cc2122b98da64244275ec1231885b

SHA1
4db3f501cb1950ff5708d7db5f6c21d1bd5881a8

SHA256
4df4b330fb67a077ec54f02a020b41f82b19fe4508bfbc73f56cefd13a9f8311

SHA512
e3c5b43879d2a69755197e9e27c30df29a9bd4c6d1742897a1b3d571d132d76f95ea62361c4f17da779a6d4fe4d5d3e52b6d463f9155ccf9ea3897a42d466ec1

Download Submit
C:\windows\hosts.exe

Filesize
241KB

MD5
d53cc2122b98da64244275ec1231885b

SHA1
4db3f501cb1950ff5708d7db5f6c21d1bd5881a8

SHA256
4df4b330fb67a077ec54f02a020b41f82b19fe4508bfbc73f56cefd13a9f8311

SHA512
e3c5b43879d2a69755197e9e27c30df29a9bd4c6d1742897a1b3d571d132d76f95ea62361c4f17da779a6d4fe4d5d3e52b6d463f9155ccf9ea3897a42d466ec1

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
241KB

MD5
37035cdbf7542aee00fb1ac64ff0d30c

SHA1
7f63cb979e045a5b64ebf6b65b2323373d75fca9

SHA256
3cd496fcc10b0fe5d1289682b0f0afeaf1fdeeef6fd42233e0e0fdaf28ae0d7e

SHA512
e521d8f896cb291168d9a481175e221005789a39b4ab47a9c5e548cd227ed43f0b69e4c45bc84d15e94c9481af5040d775f4131ee9ae57f6b5caa669b04498ab

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
241KB

MD5
37035cdbf7542aee00fb1ac64ff0d30c

SHA1
7f63cb979e045a5b64ebf6b65b2323373d75fca9

SHA256
3cd496fcc10b0fe5d1289682b0f0afeaf1fdeeef6fd42233e0e0fdaf28ae0d7e

SHA512
e521d8f896cb291168d9a481175e221005789a39b4ab47a9c5e548cd227ed43f0b69e4c45bc84d15e94c9481af5040d775f4131ee9ae57f6b5caa669b04498ab

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
241KB

MD5
37035cdbf7542aee00fb1ac64ff0d30c

SHA1
7f63cb979e045a5b64ebf6b65b2323373d75fca9

SHA256
3cd496fcc10b0fe5d1289682b0f0afeaf1fdeeef6fd42233e0e0fdaf28ae0d7e

SHA512
e521d8f896cb291168d9a481175e221005789a39b4ab47a9c5e548cd227ed43f0b69e4c45bc84d15e94c9481af5040d775f4131ee9ae57f6b5caa669b04498ab

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
241KB

MD5
37035cdbf7542aee00fb1ac64ff0d30c

SHA1
7f63cb979e045a5b64ebf6b65b2323373d75fca9

SHA256
3cd496fcc10b0fe5d1289682b0f0afeaf1fdeeef6fd42233e0e0fdaf28ae0d7e

SHA512
e521d8f896cb291168d9a481175e221005789a39b4ab47a9c5e548cd227ed43f0b69e4c45bc84d15e94c9481af5040d775f4131ee9ae57f6b5caa669b04498ab

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
241KB

MD5
37035cdbf7542aee00fb1ac64ff0d30c

SHA1
7f63cb979e045a5b64ebf6b65b2323373d75fca9

SHA256
3cd496fcc10b0fe5d1289682b0f0afeaf1fdeeef6fd42233e0e0fdaf28ae0d7e

SHA512
e521d8f896cb291168d9a481175e221005789a39b4ab47a9c5e548cd227ed43f0b69e4c45bc84d15e94c9481af5040d775f4131ee9ae57f6b5caa669b04498ab

Download Submit
memory/1804-56-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download
memory/1804-58-0x00000000740C1000-0x00000000740C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads