379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687

Analysis

max time kernel
144s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 18:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe
Size

220KB
MD5

0d4742b26606392e5a23cb9b353eff9f
SHA1

315cd20fef7b567c8369f022d2805d416615d82b
SHA256

379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687
SHA512

7d5de0e7dd077e9fc50fa612fb122296ad051ab73ce57f6bfd4cbe6d6cbfb4452d142ad501e57f4a25f0c9c25b605d31260820216bb40e67518c9bf81aea2a4b
SSDEEP

3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCm/DER4eQB17lgVUInUMEqvbuSDxh:gDCwfG1bnxLERRMlmjU7qvySDxh

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\TMKNGOMU = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\TMKNGOMU = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\TMKNGOMU = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
2628	avscan.exe
4668	avscan.exe
3444	hosts.exe
3272	hosts.exe
4484	avscan.exe
216	hosts.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe
File created	\??\c:\windows\W_X_C.bat	379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe
File opened for modification	C:\Windows\hosts.exe	379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
3128	REG.exe
664	REG.exe
4664	REG.exe
3376	REG.exe
1540	REG.exe
3196	REG.exe
2340	REG.exe
4604	REG.exe
4500	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2628	avscan.exe
3272	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4852	379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe
2628	avscan.exe
4668	avscan.exe
3444	hosts.exe
3272	hosts.exe
4484	avscan.exe
216	hosts.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 4664	4852	379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe	79
PID 4852 wrote to memory of 4664	4852	379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe	79
PID 4852 wrote to memory of 4664	4852	379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe	79
PID 4852 wrote to memory of 2628	4852	379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe	81
PID 4852 wrote to memory of 2628	4852	379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe	81
PID 4852 wrote to memory of 2628	4852	379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe	81
PID 2628 wrote to memory of 4668	2628	avscan.exe	82
PID 2628 wrote to memory of 4668	2628	avscan.exe	82
PID 2628 wrote to memory of 4668	2628	avscan.exe	82
PID 2628 wrote to memory of 4660	2628	avscan.exe	83
PID 2628 wrote to memory of 4660	2628	avscan.exe	83
PID 2628 wrote to memory of 4660	2628	avscan.exe	83
PID 4852 wrote to memory of 4688	4852	379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe	84
PID 4852 wrote to memory of 4688	4852	379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe	84
PID 4852 wrote to memory of 4688	4852	379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe	84
PID 4688 wrote to memory of 3444	4688	cmd.exe	88
PID 4688 wrote to memory of 3444	4688	cmd.exe	88
PID 4688 wrote to memory of 3444	4688	cmd.exe	88
PID 4660 wrote to memory of 3272	4660	cmd.exe	87
PID 4660 wrote to memory of 3272	4660	cmd.exe	87
PID 4660 wrote to memory of 3272	4660	cmd.exe	87
PID 3272 wrote to memory of 4484	3272	hosts.exe	90
PID 3272 wrote to memory of 4484	3272	hosts.exe	90
PID 3272 wrote to memory of 4484	3272	hosts.exe	90
PID 3272 wrote to memory of 1056	3272	hosts.exe	91
PID 3272 wrote to memory of 1056	3272	hosts.exe	91
PID 3272 wrote to memory of 1056	3272	hosts.exe	91
PID 4688 wrote to memory of 3928	4688	cmd.exe	94
PID 4660 wrote to memory of 3092	4660	cmd.exe	93
PID 4660 wrote to memory of 3092	4660	cmd.exe	93
PID 4660 wrote to memory of 3092	4660	cmd.exe	93
PID 4688 wrote to memory of 3928	4688	cmd.exe	94
PID 4688 wrote to memory of 3928	4688	cmd.exe	94
PID 1056 wrote to memory of 216	1056	cmd.exe	95
PID 1056 wrote to memory of 216	1056	cmd.exe	95
PID 1056 wrote to memory of 216	1056	cmd.exe	95
PID 1056 wrote to memory of 3736	1056	cmd.exe	96
PID 1056 wrote to memory of 3736	1056	cmd.exe	96
PID 1056 wrote to memory of 3736	1056	cmd.exe	96
PID 2628 wrote to memory of 3376	2628	avscan.exe	98
PID 2628 wrote to memory of 3376	2628	avscan.exe	98
PID 2628 wrote to memory of 3376	2628	avscan.exe	98
PID 3272 wrote to memory of 1540	3272	hosts.exe	100
PID 3272 wrote to memory of 1540	3272	hosts.exe	100
PID 3272 wrote to memory of 1540	3272	hosts.exe	100
PID 3272 wrote to memory of 3128	3272	hosts.exe	102
PID 3272 wrote to memory of 3128	3272	hosts.exe	102
PID 3272 wrote to memory of 3128	3272	hosts.exe	102
PID 2628 wrote to memory of 3196	2628	avscan.exe	104
PID 2628 wrote to memory of 3196	2628	avscan.exe	104
PID 2628 wrote to memory of 3196	2628	avscan.exe	104
PID 3272 wrote to memory of 2340	3272	hosts.exe	106
PID 3272 wrote to memory of 2340	3272	hosts.exe	106
PID 3272 wrote to memory of 2340	3272	hosts.exe	106
PID 2628 wrote to memory of 4604	2628	avscan.exe	108
PID 2628 wrote to memory of 4604	2628	avscan.exe	108
PID 2628 wrote to memory of 4604	2628	avscan.exe	108
PID 3272 wrote to memory of 664	3272	hosts.exe	110
PID 3272 wrote to memory of 664	3272	hosts.exe	110
PID 3272 wrote to memory of 664	3272	hosts.exe	110
PID 2628 wrote to memory of 4500	2628	avscan.exe	111
PID 2628 wrote to memory of 4500	2628	avscan.exe	111
PID 2628 wrote to memory of 4500	2628	avscan.exe	111

C:\Users\Admin\AppData\Local\Temp\379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe
"C:\Users\Admin\AppData\Local\Temp\379e0a281a1fe1de0a5558f52c5f4ec7f69ec89c1226b1610ee5afe1a9744687.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:4664
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4660
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3272
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4484
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
        5⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1056
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:216
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:3736
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1540
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:3128
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:2340
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:664
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:3092
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:3376
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:3196
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:4604
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:4500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3444
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:3928

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
220KB

MD5
8a783c90431eeaf0289e74b84f04719d

SHA1
6ee4cec62df4f8a046800d83b9090b4310637cf2

SHA256
6282d28be540066032fea6bd069277560bf99123a0d46e4955000afd252344dc

SHA512
543ef92b1ee48fefdd005f558277d6f7be8f652f17b524bed945a78b2098dc58cb56f480738aceb34845dc084e767ea87161afdf710e706c3a0ddffc84c36d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
220KB

MD5
8a783c90431eeaf0289e74b84f04719d

SHA1
6ee4cec62df4f8a046800d83b9090b4310637cf2

SHA256
6282d28be540066032fea6bd069277560bf99123a0d46e4955000afd252344dc

SHA512
543ef92b1ee48fefdd005f558277d6f7be8f652f17b524bed945a78b2098dc58cb56f480738aceb34845dc084e767ea87161afdf710e706c3a0ddffc84c36d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
220KB

MD5
8a783c90431eeaf0289e74b84f04719d

SHA1
6ee4cec62df4f8a046800d83b9090b4310637cf2

SHA256
6282d28be540066032fea6bd069277560bf99123a0d46e4955000afd252344dc

SHA512
543ef92b1ee48fefdd005f558277d6f7be8f652f17b524bed945a78b2098dc58cb56f480738aceb34845dc084e767ea87161afdf710e706c3a0ddffc84c36d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
220KB

MD5
8a783c90431eeaf0289e74b84f04719d

SHA1
6ee4cec62df4f8a046800d83b9090b4310637cf2

SHA256
6282d28be540066032fea6bd069277560bf99123a0d46e4955000afd252344dc

SHA512
543ef92b1ee48fefdd005f558277d6f7be8f652f17b524bed945a78b2098dc58cb56f480738aceb34845dc084e767ea87161afdf710e706c3a0ddffc84c36d8e

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
c35f93e634b81f2cb003c72a1fb9d1f2

SHA1
9b6c533eebab7958e9e167ab93a412d5411c7a89

SHA256
6afae199db9be5b7c4c5dac778ec8c45051666d11f93dd93c1700beb20e1136f

SHA512
5cc512763da54bc66ffff42e02dc28ad9cda03e46a8b9181425c619815fb7c7afe3a71fc73742e151e26de7a21ade101e59d6853fe70b7d99ea93195325c010d

Download Submit
C:\Windows\hosts.exe

Filesize
220KB

MD5
974f6c6900654dcc863be63082d71e76

SHA1
a9c07a96aa5d49198910fbc60ed9bdb6d93cc26d

SHA256
359d13afe53ab83c001b1d3cb2a49ee063455d56b45a5f0aaa3e897a9a63dcaa

SHA512
a0fed57547e09226fa86995440dce961072f78bd2c71e6934ad301d5501bdc465ded179f387134a4a056470d8d8995b7e2314277ff4da3b67a8f724f280b2c64

Download Submit
C:\Windows\hosts.exe

Filesize
220KB

MD5
974f6c6900654dcc863be63082d71e76

SHA1
a9c07a96aa5d49198910fbc60ed9bdb6d93cc26d

SHA256
359d13afe53ab83c001b1d3cb2a49ee063455d56b45a5f0aaa3e897a9a63dcaa

SHA512
a0fed57547e09226fa86995440dce961072f78bd2c71e6934ad301d5501bdc465ded179f387134a4a056470d8d8995b7e2314277ff4da3b67a8f724f280b2c64

Download Submit
C:\Windows\hosts.exe

Filesize
220KB

MD5
974f6c6900654dcc863be63082d71e76

SHA1
a9c07a96aa5d49198910fbc60ed9bdb6d93cc26d

SHA256
359d13afe53ab83c001b1d3cb2a49ee063455d56b45a5f0aaa3e897a9a63dcaa

SHA512
a0fed57547e09226fa86995440dce961072f78bd2c71e6934ad301d5501bdc465ded179f387134a4a056470d8d8995b7e2314277ff4da3b67a8f724f280b2c64

Download Submit
C:\Windows\hosts.exe

Filesize
220KB

MD5
974f6c6900654dcc863be63082d71e76

SHA1
a9c07a96aa5d49198910fbc60ed9bdb6d93cc26d

SHA256
359d13afe53ab83c001b1d3cb2a49ee063455d56b45a5f0aaa3e897a9a63dcaa

SHA512
a0fed57547e09226fa86995440dce961072f78bd2c71e6934ad301d5501bdc465ded179f387134a4a056470d8d8995b7e2314277ff4da3b67a8f724f280b2c64

Download Submit
C:\windows\hosts.exe

Filesize
220KB

MD5
974f6c6900654dcc863be63082d71e76

SHA1
a9c07a96aa5d49198910fbc60ed9bdb6d93cc26d

SHA256
359d13afe53ab83c001b1d3cb2a49ee063455d56b45a5f0aaa3e897a9a63dcaa

SHA512
a0fed57547e09226fa86995440dce961072f78bd2c71e6934ad301d5501bdc465ded179f387134a4a056470d8d8995b7e2314277ff4da3b67a8f724f280b2c64

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads