6d6aed52295247e307937da943064d8573c5f974272548b35aa7979497880f89

Analysis

max time kernel
129s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d6aed52295247e307937da943064d8573c5f974272548b35aa7979497880f89.exe
Size

188KB
MD5

091b857bf7f5ca1c875a68ace871e8c3
SHA1

25e4af8be0e3517371fcfb73e25c78a2c6556287
SHA256

6d6aed52295247e307937da943064d8573c5f974272548b35aa7979497880f89
SHA512

7c8661a36b702cc6f83ee98d3b4bd8043d8d323798d7671d6da37976b879fa5dd8f520452f6b1892791e54776a8e6880cef2904483f7f8d55d5269ff8ff42123
SSDEEP

3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCm/DER4eQ9nQ1wJ:gDCwfG1bnxLERRa

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	6d6aed52295247e307937da943064d8573c5f974272548b35aa7979497880f89.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	6d6aed52295247e307937da943064d8573c5f974272548b35aa7979497880f89.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZERMMMDR = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZERMMMDR = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZERMMMDR = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
1048	avscan.exe
1992	avscan.exe
280	hosts.exe
1816	hosts.exe
876	avscan.exe
1972	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
856	6d6aed52295247e307937da943064d8573c5f974272548b35aa7979497880f89.exe
856	6d6aed52295247e307937da943064d8573c5f974272548b35aa7979497880f89.exe
1048	avscan.exe
280	hosts.exe
280	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	6d6aed52295247e307937da943064d8573c5f974272548b35aa7979497880f89.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	6d6aed52295247e307937da943064d8573c5f974272548b35aa7979497880f89.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\W_X_C.vbs	6d6aed52295247e307937da943064d8573c5f974272548b35aa7979497880f89.exe
File created	\??\c:\windows\W_X_C.bat	6d6aed52295247e307937da943064d8573c5f974272548b35aa7979497880f89.exe
File opened for modification	C:\Windows\hosts.exe	6d6aed52295247e307937da943064d8573c5f974272548b35aa7979497880f89.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
1924	REG.exe
656	REG.exe
1232	REG.exe
1072	REG.exe
1624	REG.exe
1396	REG.exe
936	REG.exe
1968	REG.exe
1064	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1048	avscan.exe
280	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
856	6d6aed52295247e307937da943064d8573c5f974272548b35aa7979497880f89.exe
1048	avscan.exe
1992	avscan.exe
280	hosts.exe
1816	hosts.exe
876	avscan.exe
1972	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 1072	856	6d6aed52295247e307937da943064d8573c5f974272548b35aa7979497880f89.exe	27
PID 856 wrote to memory of 1072	856	6d6aed52295247e307937da943064d8573c5f974272548b35aa7979497880f89.exe	27
PID 856 wrote to memory of 1072	856	6d6aed52295247e307937da943064d8573c5f974272548b35aa7979497880f89.exe	27
PID 856 wrote to memory of 1072	856	6d6aed52295247e307937da943064d8573c5f974272548b35aa7979497880f89.exe	27
PID 856 wrote to memory of 1048	856	6d6aed52295247e307937da943064d8573c5f974272548b35aa7979497880f89.exe	29
PID 856 wrote to memory of 1048	856	6d6aed52295247e307937da943064d8573c5f974272548b35aa7979497880f89.exe	29
PID 856 wrote to memory of 1048	856	6d6aed52295247e307937da943064d8573c5f974272548b35aa7979497880f89.exe	29
PID 856 wrote to memory of 1048	856	6d6aed52295247e307937da943064d8573c5f974272548b35aa7979497880f89.exe	29
PID 1048 wrote to memory of 1992	1048	avscan.exe	30
PID 1048 wrote to memory of 1992	1048	avscan.exe	30
PID 1048 wrote to memory of 1992	1048	avscan.exe	30
PID 1048 wrote to memory of 1992	1048	avscan.exe	30
PID 1048 wrote to memory of 1648	1048	avscan.exe	31
PID 1048 wrote to memory of 1648	1048	avscan.exe	31
PID 1048 wrote to memory of 1648	1048	avscan.exe	31
PID 1048 wrote to memory of 1648	1048	avscan.exe	31
PID 856 wrote to memory of 972	856	6d6aed52295247e307937da943064d8573c5f974272548b35aa7979497880f89.exe	33
PID 856 wrote to memory of 972	856	6d6aed52295247e307937da943064d8573c5f974272548b35aa7979497880f89.exe	33
PID 856 wrote to memory of 972	856	6d6aed52295247e307937da943064d8573c5f974272548b35aa7979497880f89.exe	33
PID 856 wrote to memory of 972	856	6d6aed52295247e307937da943064d8573c5f974272548b35aa7979497880f89.exe	33
PID 1648 wrote to memory of 280	1648	cmd.exe	36
PID 1648 wrote to memory of 280	1648	cmd.exe	36
PID 1648 wrote to memory of 280	1648	cmd.exe	36
PID 1648 wrote to memory of 280	1648	cmd.exe	36
PID 972 wrote to memory of 1816	972	cmd.exe	35
PID 972 wrote to memory of 1816	972	cmd.exe	35
PID 972 wrote to memory of 1816	972	cmd.exe	35
PID 972 wrote to memory of 1816	972	cmd.exe	35
PID 280 wrote to memory of 876	280	hosts.exe	37
PID 280 wrote to memory of 876	280	hosts.exe	37
PID 280 wrote to memory of 876	280	hosts.exe	37
PID 280 wrote to memory of 876	280	hosts.exe	37
PID 972 wrote to memory of 1696	972	cmd.exe	38
PID 972 wrote to memory of 1696	972	cmd.exe	38
PID 972 wrote to memory of 1696	972	cmd.exe	38
PID 972 wrote to memory of 1696	972	cmd.exe	38
PID 1648 wrote to memory of 1180	1648	cmd.exe	39
PID 1648 wrote to memory of 1180	1648	cmd.exe	39
PID 1648 wrote to memory of 1180	1648	cmd.exe	39
PID 1648 wrote to memory of 1180	1648	cmd.exe	39
PID 280 wrote to memory of 804	280	hosts.exe	40
PID 280 wrote to memory of 804	280	hosts.exe	40
PID 280 wrote to memory of 804	280	hosts.exe	40
PID 280 wrote to memory of 804	280	hosts.exe	40
PID 804 wrote to memory of 1972	804	cmd.exe	42
PID 804 wrote to memory of 1972	804	cmd.exe	42
PID 804 wrote to memory of 1972	804	cmd.exe	42
PID 804 wrote to memory of 1972	804	cmd.exe	42
PID 804 wrote to memory of 560	804	cmd.exe	43
PID 804 wrote to memory of 560	804	cmd.exe	43
PID 804 wrote to memory of 560	804	cmd.exe	43
PID 804 wrote to memory of 560	804	cmd.exe	43
PID 1048 wrote to memory of 1064	1048	avscan.exe	44
PID 1048 wrote to memory of 1064	1048	avscan.exe	44
PID 1048 wrote to memory of 1064	1048	avscan.exe	44
PID 1048 wrote to memory of 1064	1048	avscan.exe	44
PID 280 wrote to memory of 1624	280	hosts.exe	45
PID 280 wrote to memory of 1624	280	hosts.exe	45
PID 280 wrote to memory of 1624	280	hosts.exe	45
PID 280 wrote to memory of 1624	280	hosts.exe	45
PID 1048 wrote to memory of 1396	1048	avscan.exe	48
PID 1048 wrote to memory of 1396	1048	avscan.exe	48
PID 1048 wrote to memory of 1396	1048	avscan.exe	48
PID 1048 wrote to memory of 1396	1048	avscan.exe	48

C:\Users\Admin\AppData\Local\Temp\6d6aed52295247e307937da943064d8573c5f974272548b35aa7979497880f89.exe
"C:\Users\Admin\AppData\Local\Temp\6d6aed52295247e307937da943064d8573c5f974272548b35aa7979497880f89.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:856
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:1072
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1992
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:280
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:876
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\W_X_C.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:804
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1972
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:560
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1624
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:936
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:656
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1232
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:1180
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1064
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1396
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1924
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:972
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1816
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
236KB

MD5
a39b37d9c298823e155ecc042277bc16

SHA1
3a42460d617735a66212f5f502586e4aea234e5f

SHA256
10ce96ed3237b29c84fc4b37520c226847c00ebb4ad5cd966374c0c4c8336a9b

SHA512
d28a28c5945b57649fd77f8a7f3ee06ac03caf3b6583b3bf23a8a136d2ffe51f7cff3072b0af05d427fb5a197c10d457a11ee657f20e2faccf562809b506bb1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
612KB

MD5
7738cc227c179607d2b455e602240eac

SHA1
9f8175814b84ef77bce55f32ed163bccca6db412

SHA256
4cc5ababba70385fbdb27d5d7f3bf7955e0bbc910ff448e87cec7869d87df177

SHA512
86427720d70f2d3922f1ef36dec6a35504a16fbd0c8a215eabb8c93180e3e9a5f028ce5c038c86db21f8ad45beea9fca5945f77c27fba711a66a54bca6b22c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
988KB

MD5
f48622b92bfba66767c232dc4e0e38b0

SHA1
7fed88a3d46d8ce0c9692fc0a978968f9c9dd0ab

SHA256
783f2d6b9ef4a7c6b19120b5232b0d6046de51201938c799c590e57c1e47a776

SHA512
059dd87c5ea8071f46cce2d262f403f1900d498f62fd44f24911a9b9042c11466d6545e5141d747de13e20b12c3f4e728c6f20c7c715b2cf921d4b4fb05efcf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.3MB

MD5
a048d1c55d139acff8bae39168b10a27

SHA1
95ce61aecdb9db4ad4e6bf77fa1814edbeb58023

SHA256
e45a7cd8c0056d0f514e8645c05c7ac3bd529eeccb074338e8a324bed471d297

SHA512
1caae3edf7a55652b2e8b4f37e3e33fe651a3d229c92cea45214bc809f89d863d5cb7714a2c2db15dd0547ecb78e93172011e5c8a7413ea726298115345da4d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
188KB

MD5
55043343239f740a75e4a7df0c126513

SHA1
d8eee134e44c86bcc5df3fd4c27fe51458cedb78

SHA256
37722e3e1a32cf5d793714a859b293e0508f187299b9d88da649fb035090788a

SHA512
2e340e7e0cda8d21c4765ee2bac8225b4dc3fc0f1c60fa0e84066502febbf33d75af80aa4e095716af51bf873d9bcf8989b76fc6da6a38580af1cb2c34e870aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
188KB

MD5
55043343239f740a75e4a7df0c126513

SHA1
d8eee134e44c86bcc5df3fd4c27fe51458cedb78

SHA256
37722e3e1a32cf5d793714a859b293e0508f187299b9d88da649fb035090788a

SHA512
2e340e7e0cda8d21c4765ee2bac8225b4dc3fc0f1c60fa0e84066502febbf33d75af80aa4e095716af51bf873d9bcf8989b76fc6da6a38580af1cb2c34e870aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
188KB

MD5
55043343239f740a75e4a7df0c126513

SHA1
d8eee134e44c86bcc5df3fd4c27fe51458cedb78

SHA256
37722e3e1a32cf5d793714a859b293e0508f187299b9d88da649fb035090788a

SHA512
2e340e7e0cda8d21c4765ee2bac8225b4dc3fc0f1c60fa0e84066502febbf33d75af80aa4e095716af51bf873d9bcf8989b76fc6da6a38580af1cb2c34e870aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
188KB

MD5
55043343239f740a75e4a7df0c126513

SHA1
d8eee134e44c86bcc5df3fd4c27fe51458cedb78

SHA256
37722e3e1a32cf5d793714a859b293e0508f187299b9d88da649fb035090788a

SHA512
2e340e7e0cda8d21c4765ee2bac8225b4dc3fc0f1c60fa0e84066502febbf33d75af80aa4e095716af51bf873d9bcf8989b76fc6da6a38580af1cb2c34e870aa

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
b147c267b47c4a6cfa3a72c41407541b

SHA1
062231bf7639b26f92e6d5ef78d515f8eaa9639d

SHA256
c9b7b5b912ab24c729de962727ac33835dd58f17754f9368ac702b9987f3baf6

SHA512
4f646fee7eaa29f33604b3f349b3d90a65bec39fdbe80bac6dcd2cd67b17475e51f833a66a5207d3008fede867792605bab132d6672e206bfefaa83aa344ac64

Download Submit
C:\Windows\hosts.exe

Filesize
188KB

MD5
45bbffa5cfae2e667de565f3d3f704d9

SHA1
56f0da1f960795273a3df90d4efd0849e7708e4e

SHA256
f2bfcfe42c7c49c33bf0bd23af0f1d32b4740683b65003ca4f9b4d7fc0427088

SHA512
f68ff64b8c9bf1bc376adbabe75acc93f7ec76ccc5c2d8e68b284a4322b688c3ce59d5b3c4f5330b6cc32d4a9a2ffcf043a0c41373ac02c039651b6c47cb9161

Download Submit
C:\Windows\hosts.exe

Filesize
188KB

MD5
45bbffa5cfae2e667de565f3d3f704d9

SHA1
56f0da1f960795273a3df90d4efd0849e7708e4e

SHA256
f2bfcfe42c7c49c33bf0bd23af0f1d32b4740683b65003ca4f9b4d7fc0427088

SHA512
f68ff64b8c9bf1bc376adbabe75acc93f7ec76ccc5c2d8e68b284a4322b688c3ce59d5b3c4f5330b6cc32d4a9a2ffcf043a0c41373ac02c039651b6c47cb9161

Download Submit
C:\Windows\hosts.exe

Filesize
188KB

MD5
45bbffa5cfae2e667de565f3d3f704d9

SHA1
56f0da1f960795273a3df90d4efd0849e7708e4e

SHA256
f2bfcfe42c7c49c33bf0bd23af0f1d32b4740683b65003ca4f9b4d7fc0427088

SHA512
f68ff64b8c9bf1bc376adbabe75acc93f7ec76ccc5c2d8e68b284a4322b688c3ce59d5b3c4f5330b6cc32d4a9a2ffcf043a0c41373ac02c039651b6c47cb9161

Download Submit
C:\Windows\hosts.exe

Filesize
188KB

MD5
45bbffa5cfae2e667de565f3d3f704d9

SHA1
56f0da1f960795273a3df90d4efd0849e7708e4e

SHA256
f2bfcfe42c7c49c33bf0bd23af0f1d32b4740683b65003ca4f9b4d7fc0427088

SHA512
f68ff64b8c9bf1bc376adbabe75acc93f7ec76ccc5c2d8e68b284a4322b688c3ce59d5b3c4f5330b6cc32d4a9a2ffcf043a0c41373ac02c039651b6c47cb9161

Download Submit
C:\windows\hosts.exe

Filesize
188KB

MD5
45bbffa5cfae2e667de565f3d3f704d9

SHA1
56f0da1f960795273a3df90d4efd0849e7708e4e

SHA256
f2bfcfe42c7c49c33bf0bd23af0f1d32b4740683b65003ca4f9b4d7fc0427088

SHA512
f68ff64b8c9bf1bc376adbabe75acc93f7ec76ccc5c2d8e68b284a4322b688c3ce59d5b3c4f5330b6cc32d4a9a2ffcf043a0c41373ac02c039651b6c47cb9161

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
188KB

MD5
55043343239f740a75e4a7df0c126513

SHA1
d8eee134e44c86bcc5df3fd4c27fe51458cedb78

SHA256
37722e3e1a32cf5d793714a859b293e0508f187299b9d88da649fb035090788a

SHA512
2e340e7e0cda8d21c4765ee2bac8225b4dc3fc0f1c60fa0e84066502febbf33d75af80aa4e095716af51bf873d9bcf8989b76fc6da6a38580af1cb2c34e870aa

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
188KB

MD5
55043343239f740a75e4a7df0c126513

SHA1
d8eee134e44c86bcc5df3fd4c27fe51458cedb78

SHA256
37722e3e1a32cf5d793714a859b293e0508f187299b9d88da649fb035090788a

SHA512
2e340e7e0cda8d21c4765ee2bac8225b4dc3fc0f1c60fa0e84066502febbf33d75af80aa4e095716af51bf873d9bcf8989b76fc6da6a38580af1cb2c34e870aa

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
188KB

MD5
55043343239f740a75e4a7df0c126513

SHA1
d8eee134e44c86bcc5df3fd4c27fe51458cedb78

SHA256
37722e3e1a32cf5d793714a859b293e0508f187299b9d88da649fb035090788a

SHA512
2e340e7e0cda8d21c4765ee2bac8225b4dc3fc0f1c60fa0e84066502febbf33d75af80aa4e095716af51bf873d9bcf8989b76fc6da6a38580af1cb2c34e870aa

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
188KB

MD5
55043343239f740a75e4a7df0c126513

SHA1
d8eee134e44c86bcc5df3fd4c27fe51458cedb78

SHA256
37722e3e1a32cf5d793714a859b293e0508f187299b9d88da649fb035090788a

SHA512
2e340e7e0cda8d21c4765ee2bac8225b4dc3fc0f1c60fa0e84066502febbf33d75af80aa4e095716af51bf873d9bcf8989b76fc6da6a38580af1cb2c34e870aa

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
188KB

MD5
55043343239f740a75e4a7df0c126513

SHA1
d8eee134e44c86bcc5df3fd4c27fe51458cedb78

SHA256
37722e3e1a32cf5d793714a859b293e0508f187299b9d88da649fb035090788a

SHA512
2e340e7e0cda8d21c4765ee2bac8225b4dc3fc0f1c60fa0e84066502febbf33d75af80aa4e095716af51bf873d9bcf8989b76fc6da6a38580af1cb2c34e870aa

Download Submit
memory/856-56-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/856-58-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads