3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c

Analysis

max time kernel
125s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 09:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe
Size

171KB
MD5

d9885615e02ccb31e35b40e31f06855d
SHA1

46a1105c79198b55decda69bf8b5a4d42e9f574f
SHA256

3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c
SHA512

9adb122bec02969f98dc64d76ce18161440e24506a68242a52fb4e3796bc4def1139eb4c8c66d1f8e5ed520ae72bce3f86c35b659008ccf50e392408958b620b
SSDEEP

3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCmT4k3hsanEtOX:gDCwfG1bnxM6saEtOX

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\TMKNGOMU = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\TMKNGOMU = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\TMKNGOMU = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
1976	avscan.exe
440	avscan.exe
2588	hosts.exe
2352	hosts.exe
3068	avscan.exe
2736	hosts.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	\??\c:\windows\W_X_C.bat	3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe
File opened for modification	C:\Windows\hosts.exe	3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
4784	REG.exe
2140	REG.exe
736	REG.exe
2212	REG.exe
4552	REG.exe
3936	REG.exe
4668	REG.exe
4452	REG.exe
4856	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1976	avscan.exe
2352	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
336	3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe
1976	avscan.exe
440	avscan.exe
2352	hosts.exe
2588	hosts.exe
3068	avscan.exe
2736	hosts.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 336 wrote to memory of 4784	336	3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe	81
PID 336 wrote to memory of 4784	336	3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe	81
PID 336 wrote to memory of 4784	336	3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe	81
PID 336 wrote to memory of 1976	336	3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe	83
PID 336 wrote to memory of 1976	336	3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe	83
PID 336 wrote to memory of 1976	336	3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe	83
PID 1976 wrote to memory of 440	1976	avscan.exe	84
PID 1976 wrote to memory of 440	1976	avscan.exe	84
PID 1976 wrote to memory of 440	1976	avscan.exe	84
PID 1976 wrote to memory of 3056	1976	avscan.exe	85
PID 1976 wrote to memory of 3056	1976	avscan.exe	85
PID 1976 wrote to memory of 3056	1976	avscan.exe	85
PID 336 wrote to memory of 400	336	3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe	86
PID 336 wrote to memory of 400	336	3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe	86
PID 336 wrote to memory of 400	336	3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe	86
PID 400 wrote to memory of 2588	400	cmd.exe	89
PID 400 wrote to memory of 2588	400	cmd.exe	89
PID 400 wrote to memory of 2588	400	cmd.exe	89
PID 3056 wrote to memory of 2352	3056	cmd.exe	90
PID 3056 wrote to memory of 2352	3056	cmd.exe	90
PID 3056 wrote to memory of 2352	3056	cmd.exe	90
PID 2352 wrote to memory of 3068	2352	hosts.exe	91
PID 2352 wrote to memory of 3068	2352	hosts.exe	91
PID 2352 wrote to memory of 3068	2352	hosts.exe	91
PID 2352 wrote to memory of 1464	2352	hosts.exe	92
PID 2352 wrote to memory of 1464	2352	hosts.exe	92
PID 2352 wrote to memory of 1464	2352	hosts.exe	92
PID 3056 wrote to memory of 3784	3056	cmd.exe	95
PID 3056 wrote to memory of 3784	3056	cmd.exe	95
PID 3056 wrote to memory of 3784	3056	cmd.exe	95
PID 400 wrote to memory of 3084	400	cmd.exe	96
PID 400 wrote to memory of 3084	400	cmd.exe	96
PID 400 wrote to memory of 3084	400	cmd.exe	96
PID 1464 wrote to memory of 2736	1464	cmd.exe	97
PID 1464 wrote to memory of 2736	1464	cmd.exe	97
PID 1464 wrote to memory of 2736	1464	cmd.exe	97
PID 1464 wrote to memory of 4132	1464	cmd.exe	98
PID 1464 wrote to memory of 4132	1464	cmd.exe	98
PID 1464 wrote to memory of 4132	1464	cmd.exe	98
PID 1976 wrote to memory of 2140	1976	avscan.exe	100
PID 1976 wrote to memory of 2140	1976	avscan.exe	100
PID 1976 wrote to memory of 2140	1976	avscan.exe	100
PID 2352 wrote to memory of 4552	2352	hosts.exe	102
PID 2352 wrote to memory of 4552	2352	hosts.exe	102
PID 2352 wrote to memory of 4552	2352	hosts.exe	102
PID 1976 wrote to memory of 3936	1976	avscan.exe	110
PID 1976 wrote to memory of 3936	1976	avscan.exe	110
PID 1976 wrote to memory of 3936	1976	avscan.exe	110
PID 2352 wrote to memory of 4668	2352	hosts.exe	112
PID 2352 wrote to memory of 4668	2352	hosts.exe	112
PID 2352 wrote to memory of 4668	2352	hosts.exe	112
PID 1976 wrote to memory of 4452	1976	avscan.exe	114
PID 1976 wrote to memory of 4452	1976	avscan.exe	114
PID 1976 wrote to memory of 4452	1976	avscan.exe	114
PID 2352 wrote to memory of 736	2352	hosts.exe	116
PID 2352 wrote to memory of 736	2352	hosts.exe	116
PID 2352 wrote to memory of 736	2352	hosts.exe	116
PID 1976 wrote to memory of 4856	1976	avscan.exe	118
PID 1976 wrote to memory of 4856	1976	avscan.exe	118
PID 1976 wrote to memory of 4856	1976	avscan.exe	118
PID 2352 wrote to memory of 2212	2352	hosts.exe	120
PID 2352 wrote to memory of 2212	2352	hosts.exe	120
PID 2352 wrote to memory of 2212	2352	hosts.exe	120

C:\Users\Admin\AppData\Local\Temp\3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe
"C:\Users\Admin\AppData\Local\Temp\3eaa901d1b151fb67d5df543a987041c17568914932136fd9d74315138c8b95c.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:336
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:4784
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2352
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3068
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
        5⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1464
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2736
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:4132
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:4552
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:4668
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:736
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:2212
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:3784
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:2140
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:3936
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:4452
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:4856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2588
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:3084

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
171KB

MD5
73ac9d8df7a75a87a1453457c6862a75

SHA1
e5866aa0fa81215b57391f93f8c4b26fb75b05ba

SHA256
c0c0d8d8e1239a9d97a88d7a5fdaa90ab91dcaecf7a146bc1e4dee7534dc6254

SHA512
196d4754269734346fb58503151596ae6c762277e79d11e30156393883697d20feb9debfa3a3363fd2ea225664158c9274494d49359379813e81e62313511471

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
171KB

MD5
73ac9d8df7a75a87a1453457c6862a75

SHA1
e5866aa0fa81215b57391f93f8c4b26fb75b05ba

SHA256
c0c0d8d8e1239a9d97a88d7a5fdaa90ab91dcaecf7a146bc1e4dee7534dc6254

SHA512
196d4754269734346fb58503151596ae6c762277e79d11e30156393883697d20feb9debfa3a3363fd2ea225664158c9274494d49359379813e81e62313511471

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
171KB

MD5
73ac9d8df7a75a87a1453457c6862a75

SHA1
e5866aa0fa81215b57391f93f8c4b26fb75b05ba

SHA256
c0c0d8d8e1239a9d97a88d7a5fdaa90ab91dcaecf7a146bc1e4dee7534dc6254

SHA512
196d4754269734346fb58503151596ae6c762277e79d11e30156393883697d20feb9debfa3a3363fd2ea225664158c9274494d49359379813e81e62313511471

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
171KB

MD5
73ac9d8df7a75a87a1453457c6862a75

SHA1
e5866aa0fa81215b57391f93f8c4b26fb75b05ba

SHA256
c0c0d8d8e1239a9d97a88d7a5fdaa90ab91dcaecf7a146bc1e4dee7534dc6254

SHA512
196d4754269734346fb58503151596ae6c762277e79d11e30156393883697d20feb9debfa3a3363fd2ea225664158c9274494d49359379813e81e62313511471

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
c35f93e634b81f2cb003c72a1fb9d1f2

SHA1
9b6c533eebab7958e9e167ab93a412d5411c7a89

SHA256
6afae199db9be5b7c4c5dac778ec8c45051666d11f93dd93c1700beb20e1136f

SHA512
5cc512763da54bc66ffff42e02dc28ad9cda03e46a8b9181425c619815fb7c7afe3a71fc73742e151e26de7a21ade101e59d6853fe70b7d99ea93195325c010d

Download Submit
C:\Windows\hosts.exe

Filesize
171KB

MD5
fa0839dadcb72e104e6b2b020ddd2904

SHA1
72b5c9bb3d13bba92ef7d95fc99426a3cf2471f0

SHA256
18627b32ca31ecac47f306f26cf35ffe64ee29841c331cd22985054b1ab0229c

SHA512
467bd4e4063b67a6f50798a6ecf8b0e661d365d125eba6d136f9b959140699b05b1d928bca0f376c0d6eae13cd41d21d9db9d829d5095910d2f4ca7edff4032f

Download Submit
C:\Windows\hosts.exe

Filesize
171KB

MD5
fa0839dadcb72e104e6b2b020ddd2904

SHA1
72b5c9bb3d13bba92ef7d95fc99426a3cf2471f0

SHA256
18627b32ca31ecac47f306f26cf35ffe64ee29841c331cd22985054b1ab0229c

SHA512
467bd4e4063b67a6f50798a6ecf8b0e661d365d125eba6d136f9b959140699b05b1d928bca0f376c0d6eae13cd41d21d9db9d829d5095910d2f4ca7edff4032f

Download Submit
C:\Windows\hosts.exe

Filesize
171KB

MD5
fa0839dadcb72e104e6b2b020ddd2904

SHA1
72b5c9bb3d13bba92ef7d95fc99426a3cf2471f0

SHA256
18627b32ca31ecac47f306f26cf35ffe64ee29841c331cd22985054b1ab0229c

SHA512
467bd4e4063b67a6f50798a6ecf8b0e661d365d125eba6d136f9b959140699b05b1d928bca0f376c0d6eae13cd41d21d9db9d829d5095910d2f4ca7edff4032f

Download Submit
C:\Windows\hosts.exe

Filesize
171KB

MD5
fa0839dadcb72e104e6b2b020ddd2904

SHA1
72b5c9bb3d13bba92ef7d95fc99426a3cf2471f0

SHA256
18627b32ca31ecac47f306f26cf35ffe64ee29841c331cd22985054b1ab0229c

SHA512
467bd4e4063b67a6f50798a6ecf8b0e661d365d125eba6d136f9b959140699b05b1d928bca0f376c0d6eae13cd41d21d9db9d829d5095910d2f4ca7edff4032f

Download Submit
C:\windows\hosts.exe

Filesize
171KB

MD5
fa0839dadcb72e104e6b2b020ddd2904

SHA1
72b5c9bb3d13bba92ef7d95fc99426a3cf2471f0

SHA256
18627b32ca31ecac47f306f26cf35ffe64ee29841c331cd22985054b1ab0229c

SHA512
467bd4e4063b67a6f50798a6ecf8b0e661d365d125eba6d136f9b959140699b05b1d928bca0f376c0d6eae13cd41d21d9db9d829d5095910d2f4ca7edff4032f

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads