9b5b96b9118e07afe09f079329d08842b30f27bf5f4161ee37d7a2b1808fa312

Analysis

max time kernel
126s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2022 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b5b96b9118e07afe09f079329d08842b30f27bf5f4161ee37d7a2b1808fa312.exe
Size

172KB
MD5

96daa9c1be2b4e3631d38115656e239b
SHA1

d5a8322d7a597ccc3b41ec1d1626e1f603b83563
SHA256

9b5b96b9118e07afe09f079329d08842b30f27bf5f4161ee37d7a2b1808fa312
SHA512

0c5e6b635741541d85937c066a611fad760716b233dd255c53efc8b22889649078d0f3707abf0a32351fcb21332181db2e82d4adeaea0e0d6010d305c62026e2
SSDEEP

3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCm/DELU3Jmd:gDCwfG1bnxLEXd

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	9b5b96b9118e07afe09f079329d08842b30f27bf5f4161ee37d7a2b1808fa312.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	9b5b96b9118e07afe09f079329d08842b30f27bf5f4161ee37d7a2b1808fa312.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GBQHURCC = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GBQHURCC = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GBQHURCC = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
456	avscan.exe
1580	avscan.exe
2640	hosts.exe
4736	hosts.exe
4704	avscan.exe
3776	hosts.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cmd.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	9b5b96b9118e07afe09f079329d08842b30f27bf5f4161ee37d7a2b1808fa312.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	9b5b96b9118e07afe09f079329d08842b30f27bf5f4161ee37d7a2b1808fa312.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	9b5b96b9118e07afe09f079329d08842b30f27bf5f4161ee37d7a2b1808fa312.exe
File created	\??\c:\windows\W_X_C.bat	9b5b96b9118e07afe09f079329d08842b30f27bf5f4161ee37d7a2b1808fa312.exe
File opened for modification	C:\Windows\hosts.exe	9b5b96b9118e07afe09f079329d08842b30f27bf5f4161ee37d7a2b1808fa312.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	9b5b96b9118e07afe09f079329d08842b30f27bf5f4161ee37d7a2b1808fa312.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
4380	REG.exe
3056	REG.exe
2208	REG.exe
3800	REG.exe
2700	REG.exe
4648	REG.exe
3804	REG.exe
1796	REG.exe
3336	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
456	avscan.exe
2640	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4956	9b5b96b9118e07afe09f079329d08842b30f27bf5f4161ee37d7a2b1808fa312.exe
456	avscan.exe
1580	avscan.exe
2640	hosts.exe
4736	hosts.exe
4704	avscan.exe
3776	hosts.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 4380	4956	9b5b96b9118e07afe09f079329d08842b30f27bf5f4161ee37d7a2b1808fa312.exe	81
PID 4956 wrote to memory of 4380	4956	9b5b96b9118e07afe09f079329d08842b30f27bf5f4161ee37d7a2b1808fa312.exe	81
PID 4956 wrote to memory of 4380	4956	9b5b96b9118e07afe09f079329d08842b30f27bf5f4161ee37d7a2b1808fa312.exe	81
PID 4956 wrote to memory of 456	4956	9b5b96b9118e07afe09f079329d08842b30f27bf5f4161ee37d7a2b1808fa312.exe	83
PID 4956 wrote to memory of 456	4956	9b5b96b9118e07afe09f079329d08842b30f27bf5f4161ee37d7a2b1808fa312.exe	83
PID 4956 wrote to memory of 456	4956	9b5b96b9118e07afe09f079329d08842b30f27bf5f4161ee37d7a2b1808fa312.exe	83
PID 456 wrote to memory of 1580	456	avscan.exe	84
PID 456 wrote to memory of 1580	456	avscan.exe	84
PID 456 wrote to memory of 1580	456	avscan.exe	84
PID 456 wrote to memory of 4880	456	avscan.exe	85
PID 456 wrote to memory of 4880	456	avscan.exe	85
PID 456 wrote to memory of 4880	456	avscan.exe	85
PID 4956 wrote to memory of 4604	4956	9b5b96b9118e07afe09f079329d08842b30f27bf5f4161ee37d7a2b1808fa312.exe	88
PID 4956 wrote to memory of 4604	4956	9b5b96b9118e07afe09f079329d08842b30f27bf5f4161ee37d7a2b1808fa312.exe	88
PID 4956 wrote to memory of 4604	4956	9b5b96b9118e07afe09f079329d08842b30f27bf5f4161ee37d7a2b1808fa312.exe	88
PID 4880 wrote to memory of 2640	4880	cmd.exe	89
PID 4880 wrote to memory of 2640	4880	cmd.exe	89
PID 4880 wrote to memory of 2640	4880	cmd.exe	89
PID 4604 wrote to memory of 4736	4604	cmd.exe	90
PID 4604 wrote to memory of 4736	4604	cmd.exe	90
PID 4604 wrote to memory of 4736	4604	cmd.exe	90
PID 2640 wrote to memory of 4704	2640	hosts.exe	91
PID 2640 wrote to memory of 4704	2640	hosts.exe	91
PID 2640 wrote to memory of 4704	2640	hosts.exe	91
PID 2640 wrote to memory of 1412	2640	hosts.exe	92
PID 2640 wrote to memory of 1412	2640	hosts.exe	92
PID 2640 wrote to memory of 1412	2640	hosts.exe	92
PID 1412 wrote to memory of 3776	1412	cmd.exe	95
PID 1412 wrote to memory of 3776	1412	cmd.exe	95
PID 1412 wrote to memory of 3776	1412	cmd.exe	95
PID 4604 wrote to memory of 176	4604	cmd.exe	97
PID 4604 wrote to memory of 176	4604	cmd.exe	97
PID 4604 wrote to memory of 176	4604	cmd.exe	97
PID 4880 wrote to memory of 3416	4880	cmd.exe	96
PID 4880 wrote to memory of 3416	4880	cmd.exe	96
PID 4880 wrote to memory of 3416	4880	cmd.exe	96
PID 1412 wrote to memory of 4676	1412	cmd.exe	98
PID 1412 wrote to memory of 4676	1412	cmd.exe	98
PID 1412 wrote to memory of 4676	1412	cmd.exe	98
PID 456 wrote to memory of 4648	456	avscan.exe	101
PID 456 wrote to memory of 4648	456	avscan.exe	101
PID 456 wrote to memory of 4648	456	avscan.exe	101
PID 2640 wrote to memory of 3056	2640	hosts.exe	103
PID 2640 wrote to memory of 3056	2640	hosts.exe	103
PID 2640 wrote to memory of 3056	2640	hosts.exe	103
PID 456 wrote to memory of 3804	456	avscan.exe	111
PID 456 wrote to memory of 3804	456	avscan.exe	111
PID 456 wrote to memory of 3804	456	avscan.exe	111
PID 2640 wrote to memory of 2208	2640	hosts.exe	113
PID 2640 wrote to memory of 2208	2640	hosts.exe	113
PID 2640 wrote to memory of 2208	2640	hosts.exe	113
PID 456 wrote to memory of 3800	456	avscan.exe	115
PID 456 wrote to memory of 3800	456	avscan.exe	115
PID 456 wrote to memory of 3800	456	avscan.exe	115
PID 2640 wrote to memory of 1796	2640	hosts.exe	117
PID 2640 wrote to memory of 1796	2640	hosts.exe	117
PID 2640 wrote to memory of 1796	2640	hosts.exe	117
PID 456 wrote to memory of 3336	456	avscan.exe	119
PID 456 wrote to memory of 3336	456	avscan.exe	119
PID 456 wrote to memory of 3336	456	avscan.exe	119
PID 2640 wrote to memory of 2700	2640	hosts.exe	121
PID 2640 wrote to memory of 2700	2640	hosts.exe	121
PID 2640 wrote to memory of 2700	2640	hosts.exe	121

C:\Users\Admin\AppData\Local\Temp\9b5b96b9118e07afe09f079329d08842b30f27bf5f4161ee37d7a2b1808fa312.exe
"C:\Users\Admin\AppData\Local\Temp\9b5b96b9118e07afe09f079329d08842b30f27bf5f4161ee37d7a2b1808fa312.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:4380
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:456
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4880
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4704
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
        5⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1412
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3776
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:4676
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:3056
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:2208
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1796
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:2700
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:3416
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:4648
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:3804
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:3800
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:3336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4604
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4736
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:176

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
172KB

MD5
896d1f1f682bed8e3683750ce717d6ae

SHA1
929d4a4387edcd2556fbae08ed4ce6e37924df34

SHA256
eb3d7fdfb112cf3783eaea223dc9cd89b55493e177844388e9664cd7c3158e97

SHA512
d2ba74889e8eece8c4c7bb5811a77805e093821adc466a2fe529c30ca7d36b1aab3b44c71972316315821e2d82a8a38db684ce6d8d18001dfed189009f8e600c

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
172KB

MD5
896d1f1f682bed8e3683750ce717d6ae

SHA1
929d4a4387edcd2556fbae08ed4ce6e37924df34

SHA256
eb3d7fdfb112cf3783eaea223dc9cd89b55493e177844388e9664cd7c3158e97

SHA512
d2ba74889e8eece8c4c7bb5811a77805e093821adc466a2fe529c30ca7d36b1aab3b44c71972316315821e2d82a8a38db684ce6d8d18001dfed189009f8e600c

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
172KB

MD5
896d1f1f682bed8e3683750ce717d6ae

SHA1
929d4a4387edcd2556fbae08ed4ce6e37924df34

SHA256
eb3d7fdfb112cf3783eaea223dc9cd89b55493e177844388e9664cd7c3158e97

SHA512
d2ba74889e8eece8c4c7bb5811a77805e093821adc466a2fe529c30ca7d36b1aab3b44c71972316315821e2d82a8a38db684ce6d8d18001dfed189009f8e600c

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
172KB

MD5
896d1f1f682bed8e3683750ce717d6ae

SHA1
929d4a4387edcd2556fbae08ed4ce6e37924df34

SHA256
eb3d7fdfb112cf3783eaea223dc9cd89b55493e177844388e9664cd7c3158e97

SHA512
d2ba74889e8eece8c4c7bb5811a77805e093821adc466a2fe529c30ca7d36b1aab3b44c71972316315821e2d82a8a38db684ce6d8d18001dfed189009f8e600c

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
5b87381bf407d7c6018a8b11c3e20f92

SHA1
bb61b28d9c8fd7dfeb13a397c49a1be3abc06ca2

SHA256
4785d6a229d0872fe90c75ab620de9a680d7f07ccd27a134da2afc4ee88f34f3

SHA512
05db1178f671e9d6c3a1c601349093447b04ebddcd071a06f7cc92cbaf7efb53027bc92523a19372a08ca5af715cc9955649255f8be1909b5e594385b3dcbe3d

Download Submit
C:\Windows\hosts.exe

Filesize
172KB

MD5
469faf9cfc6c0798f46fefcc0fd68314

SHA1
e325f786aafec06e8d86d85ffda657bbd3254f15

SHA256
9e43458be9079075ab5043ff15df366971a6aa44c512d746967fb1c3c7ac3476

SHA512
2140dcee889e302d5e1d0ee422477f032cb64a1afc855bab4a14f2c93aa1eaaf109767b7d96eb92e86f85909479c32704f513b4679d878be54e5943661096b44

Download Submit
C:\Windows\hosts.exe

Filesize
172KB

MD5
469faf9cfc6c0798f46fefcc0fd68314

SHA1
e325f786aafec06e8d86d85ffda657bbd3254f15

SHA256
9e43458be9079075ab5043ff15df366971a6aa44c512d746967fb1c3c7ac3476

SHA512
2140dcee889e302d5e1d0ee422477f032cb64a1afc855bab4a14f2c93aa1eaaf109767b7d96eb92e86f85909479c32704f513b4679d878be54e5943661096b44

Download Submit
C:\Windows\hosts.exe

Filesize
172KB

MD5
469faf9cfc6c0798f46fefcc0fd68314

SHA1
e325f786aafec06e8d86d85ffda657bbd3254f15

SHA256
9e43458be9079075ab5043ff15df366971a6aa44c512d746967fb1c3c7ac3476

SHA512
2140dcee889e302d5e1d0ee422477f032cb64a1afc855bab4a14f2c93aa1eaaf109767b7d96eb92e86f85909479c32704f513b4679d878be54e5943661096b44

Download Submit
C:\Windows\hosts.exe

Filesize
172KB

MD5
469faf9cfc6c0798f46fefcc0fd68314

SHA1
e325f786aafec06e8d86d85ffda657bbd3254f15

SHA256
9e43458be9079075ab5043ff15df366971a6aa44c512d746967fb1c3c7ac3476

SHA512
2140dcee889e302d5e1d0ee422477f032cb64a1afc855bab4a14f2c93aa1eaaf109767b7d96eb92e86f85909479c32704f513b4679d878be54e5943661096b44

Download Submit
C:\windows\hosts.exe

Filesize
172KB

MD5
469faf9cfc6c0798f46fefcc0fd68314

SHA1
e325f786aafec06e8d86d85ffda657bbd3254f15

SHA256
9e43458be9079075ab5043ff15df366971a6aa44c512d746967fb1c3c7ac3476

SHA512
2140dcee889e302d5e1d0ee422477f032cb64a1afc855bab4a14f2c93aa1eaaf109767b7d96eb92e86f85909479c32704f513b4679d878be54e5943661096b44

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
memory/176-167-0x0000000000000000-mapping.dmp

Download
memory/456-135-0x0000000000000000-mapping.dmp

Download
memory/1412-161-0x0000000000000000-mapping.dmp

Download
memory/1580-141-0x0000000000000000-mapping.dmp

Download
memory/1796-175-0x0000000000000000-mapping.dmp

Download
memory/2208-173-0x0000000000000000-mapping.dmp

Download
memory/2640-148-0x0000000000000000-mapping.dmp

Download
memory/2700-177-0x0000000000000000-mapping.dmp

Download
memory/3056-171-0x0000000000000000-mapping.dmp

Download
memory/3336-176-0x0000000000000000-mapping.dmp

Download
memory/3416-168-0x0000000000000000-mapping.dmp

Download
memory/3776-163-0x0000000000000000-mapping.dmp

Download
memory/3800-174-0x0000000000000000-mapping.dmp

Download
memory/3804-172-0x0000000000000000-mapping.dmp

Download
memory/4380-134-0x0000000000000000-mapping.dmp

Download
memory/4604-146-0x0000000000000000-mapping.dmp

Download
memory/4648-170-0x0000000000000000-mapping.dmp

Download
memory/4676-169-0x0000000000000000-mapping.dmp

Download
memory/4704-155-0x0000000000000000-mapping.dmp

Download
memory/4736-153-0x0000000000000000-mapping.dmp

Download
memory/4880-145-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads