32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee

Analysis

max time kernel
127s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2022, 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe
Size

277KB
MD5

51df6c86fbfd306188018609adba4068
SHA1

6169ea83c701474374f08be9220e8a16fb628386
SHA256

32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee
SHA512

60ef0f212ff87b1fd2284e860360d746d410dcfa052d168babc867712d9d0ca2fb8fe5583118b5e29ff372e34dd1e501be24fa31fc112cb3c61bbf485e7d2c9f
SSDEEP

3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCmp+Mm1tfYBDjJFdrRlow2sRxDZc91HvHaHv:gDCwfG1bnxM1SF9FdbokZcvHm

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\TMKNGOMU = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\TMKNGOMU = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\TMKNGOMU = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
4928	avscan.exe
652	avscan.exe
220	hosts.exe
2388	hosts.exe
1524	avscan.exe
524	hosts.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe
File created	\??\c:\windows\W_X_C.bat	32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe
File opened for modification	C:\Windows\hosts.exe	32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 7 IoCs

Modify Registry

T1112

pid	Process
2508	REG.exe
4460	REG.exe
420	REG.exe
3632	REG.exe
3024	REG.exe
3276	REG.exe
1000	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4928	avscan.exe
2388	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4768	32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe
4928	avscan.exe
652	avscan.exe
220	hosts.exe
2388	hosts.exe
1524	avscan.exe
524	hosts.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 4460	4768	32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe	83
PID 4768 wrote to memory of 4460	4768	32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe	83
PID 4768 wrote to memory of 4460	4768	32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe	83
PID 4768 wrote to memory of 4928	4768	32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe	85
PID 4768 wrote to memory of 4928	4768	32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe	85
PID 4768 wrote to memory of 4928	4768	32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe	85
PID 4928 wrote to memory of 652	4928	avscan.exe	87
PID 4928 wrote to memory of 652	4928	avscan.exe	87
PID 4928 wrote to memory of 652	4928	avscan.exe	87
PID 4768 wrote to memory of 1452	4768	32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe	89
PID 4768 wrote to memory of 1452	4768	32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe	89
PID 4768 wrote to memory of 1452	4768	32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe	89
PID 4928 wrote to memory of 2828	4928	avscan.exe	88
PID 4928 wrote to memory of 2828	4928	avscan.exe	88
PID 4928 wrote to memory of 2828	4928	avscan.exe	88
PID 2828 wrote to memory of 220	2828	cmd.exe	93
PID 2828 wrote to memory of 220	2828	cmd.exe	93
PID 2828 wrote to memory of 220	2828	cmd.exe	93
PID 1452 wrote to memory of 2388	1452	cmd.exe	92
PID 1452 wrote to memory of 2388	1452	cmd.exe	92
PID 1452 wrote to memory of 2388	1452	cmd.exe	92
PID 2388 wrote to memory of 1524	2388	hosts.exe	94
PID 2388 wrote to memory of 1524	2388	hosts.exe	94
PID 2388 wrote to memory of 1524	2388	hosts.exe	94
PID 2388 wrote to memory of 3168	2388	hosts.exe	95
PID 2388 wrote to memory of 3168	2388	hosts.exe	95
PID 2388 wrote to memory of 3168	2388	hosts.exe	95
PID 3168 wrote to memory of 524	3168	cmd.exe	97
PID 3168 wrote to memory of 524	3168	cmd.exe	97
PID 3168 wrote to memory of 524	3168	cmd.exe	97
PID 2828 wrote to memory of 4200	2828	cmd.exe	100
PID 2828 wrote to memory of 4200	2828	cmd.exe	100
PID 2828 wrote to memory of 4200	2828	cmd.exe	100
PID 3168 wrote to memory of 784	3168	cmd.exe	98
PID 3168 wrote to memory of 784	3168	cmd.exe	98
PID 3168 wrote to memory of 784	3168	cmd.exe	98
PID 1452 wrote to memory of 4740	1452	cmd.exe	99
PID 1452 wrote to memory of 4740	1452	cmd.exe	99
PID 1452 wrote to memory of 4740	1452	cmd.exe	99
PID 4928 wrote to memory of 420	4928	avscan.exe	105
PID 4928 wrote to memory of 420	4928	avscan.exe	105
PID 4928 wrote to memory of 420	4928	avscan.exe	105
PID 2388 wrote to memory of 3632	2388	hosts.exe	107
PID 2388 wrote to memory of 3632	2388	hosts.exe	107
PID 2388 wrote to memory of 3632	2388	hosts.exe	107
PID 4928 wrote to memory of 3024	4928	avscan.exe	112
PID 4928 wrote to memory of 3024	4928	avscan.exe	112
PID 4928 wrote to memory of 3024	4928	avscan.exe	112
PID 2388 wrote to memory of 3276	2388	hosts.exe	114
PID 2388 wrote to memory of 3276	2388	hosts.exe	114
PID 2388 wrote to memory of 3276	2388	hosts.exe	114
PID 4928 wrote to memory of 1000	4928	avscan.exe	117
PID 4928 wrote to memory of 1000	4928	avscan.exe	117
PID 4928 wrote to memory of 1000	4928	avscan.exe	117
PID 2388 wrote to memory of 2508	2388	hosts.exe	118
PID 2388 wrote to memory of 2508	2388	hosts.exe	118
PID 2388 wrote to memory of 2508	2388	hosts.exe	118

C:\Users\Admin\AppData\Local\Temp\32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe
"C:\Users\Admin\AppData\Local\Temp\32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:4460
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:220
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:4200
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:420
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:3024
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3168
    - - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:524
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        5⤵
        Adds policy Run key to start application
        
        PID:784
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:3632
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:3276
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:2508
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:4740

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
277KB

MD5
5d6c608fb4d62c8a808a8d4b2b8abefd

SHA1
671a4a0219b76362150f92a34b0956d6bff45736

SHA256
2a305f131a10ff533de79d4602a77ede7f8e72585bf889c6c96e5e5b98bf74a1

SHA512
cbad9003cc8dad3853204fdd320814947d4e82e43356b4b1980fce3148210418fde1e6ab6fb6db19c9c0007a2fb6706fe20ef6dd4c08b8add79f7d69e4057beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
277KB

MD5
5d6c608fb4d62c8a808a8d4b2b8abefd

SHA1
671a4a0219b76362150f92a34b0956d6bff45736

SHA256
2a305f131a10ff533de79d4602a77ede7f8e72585bf889c6c96e5e5b98bf74a1

SHA512
cbad9003cc8dad3853204fdd320814947d4e82e43356b4b1980fce3148210418fde1e6ab6fb6db19c9c0007a2fb6706fe20ef6dd4c08b8add79f7d69e4057beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
277KB

MD5
5d6c608fb4d62c8a808a8d4b2b8abefd

SHA1
671a4a0219b76362150f92a34b0956d6bff45736

SHA256
2a305f131a10ff533de79d4602a77ede7f8e72585bf889c6c96e5e5b98bf74a1

SHA512
cbad9003cc8dad3853204fdd320814947d4e82e43356b4b1980fce3148210418fde1e6ab6fb6db19c9c0007a2fb6706fe20ef6dd4c08b8add79f7d69e4057beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
277KB

MD5
5d6c608fb4d62c8a808a8d4b2b8abefd

SHA1
671a4a0219b76362150f92a34b0956d6bff45736

SHA256
2a305f131a10ff533de79d4602a77ede7f8e72585bf889c6c96e5e5b98bf74a1

SHA512
cbad9003cc8dad3853204fdd320814947d4e82e43356b4b1980fce3148210418fde1e6ab6fb6db19c9c0007a2fb6706fe20ef6dd4c08b8add79f7d69e4057beb

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
c35f93e634b81f2cb003c72a1fb9d1f2

SHA1
9b6c533eebab7958e9e167ab93a412d5411c7a89

SHA256
6afae199db9be5b7c4c5dac778ec8c45051666d11f93dd93c1700beb20e1136f

SHA512
5cc512763da54bc66ffff42e02dc28ad9cda03e46a8b9181425c619815fb7c7afe3a71fc73742e151e26de7a21ade101e59d6853fe70b7d99ea93195325c010d

Download Submit
C:\Windows\hosts.exe

Filesize
277KB

MD5
a926b51f8f71a07e17af3fd7aa0f0cd0

SHA1
05b1a3faccda80d726add1b5ce4e230c9ec849ca

SHA256
80eb4ac7f2a124a4d96fd83ef9abe46ffd1ef7bd35286f6e4980d227890a7f40

SHA512
2c266e39113a1fabc6b64c70f5b895ebfd70286127160da3d4c960cd9d58575bdc0cff83747002daeb18d95f07b3f187c873559a8dcaf3ec5ff5ed55b3be339e

Download Submit
C:\Windows\hosts.exe

Filesize
277KB

MD5
a926b51f8f71a07e17af3fd7aa0f0cd0

SHA1
05b1a3faccda80d726add1b5ce4e230c9ec849ca

SHA256
80eb4ac7f2a124a4d96fd83ef9abe46ffd1ef7bd35286f6e4980d227890a7f40

SHA512
2c266e39113a1fabc6b64c70f5b895ebfd70286127160da3d4c960cd9d58575bdc0cff83747002daeb18d95f07b3f187c873559a8dcaf3ec5ff5ed55b3be339e

Download Submit
C:\Windows\hosts.exe

Filesize
277KB

MD5
a926b51f8f71a07e17af3fd7aa0f0cd0

SHA1
05b1a3faccda80d726add1b5ce4e230c9ec849ca

SHA256
80eb4ac7f2a124a4d96fd83ef9abe46ffd1ef7bd35286f6e4980d227890a7f40

SHA512
2c266e39113a1fabc6b64c70f5b895ebfd70286127160da3d4c960cd9d58575bdc0cff83747002daeb18d95f07b3f187c873559a8dcaf3ec5ff5ed55b3be339e

Download Submit
C:\Windows\hosts.exe

Filesize
277KB

MD5
a926b51f8f71a07e17af3fd7aa0f0cd0

SHA1
05b1a3faccda80d726add1b5ce4e230c9ec849ca

SHA256
80eb4ac7f2a124a4d96fd83ef9abe46ffd1ef7bd35286f6e4980d227890a7f40

SHA512
2c266e39113a1fabc6b64c70f5b895ebfd70286127160da3d4c960cd9d58575bdc0cff83747002daeb18d95f07b3f187c873559a8dcaf3ec5ff5ed55b3be339e

Download Submit
C:\windows\hosts.exe

Filesize
277KB

MD5
a926b51f8f71a07e17af3fd7aa0f0cd0

SHA1
05b1a3faccda80d726add1b5ce4e230c9ec849ca

SHA256
80eb4ac7f2a124a4d96fd83ef9abe46ffd1ef7bd35286f6e4980d227890a7f40

SHA512
2c266e39113a1fabc6b64c70f5b895ebfd70286127160da3d4c960cd9d58575bdc0cff83747002daeb18d95f07b3f187c873559a8dcaf3ec5ff5ed55b3be339e

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads