49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d

Analysis

max time kernel
124s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe
Size

222KB
MD5

02a69354c57dbbc3c39cc463efff5b5a
SHA1

b00657df7a66d3d344a023a725bff6908b8ce784
SHA256

49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d
SHA512

b6bf45607c5f9b68f3f546a516e8a551f7bbe27bc4e60261b8d972a580e7a34ab6e97f675ea26ac985627d51cd1f75c203a0ba7807bd2110922f329b0c8e3cee
SSDEEP

3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCm/DER4eQaYG:gDCwfG1bnxLERRNYG

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IYMUGYHL = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IYMUGYHL = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IYMUGYHL = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
2412	avscan.exe
64	avscan.exe
1356	hosts.exe
4716	hosts.exe
4520	avscan.exe
3196	hosts.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	\??\c:\windows\W_X_C.bat	49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe
File opened for modification	C:\Windows\hosts.exe	49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
2228	REG.exe
1692	REG.exe
2172	REG.exe
2760	REG.exe
3900	REG.exe
4184	REG.exe
360	REG.exe
2580	REG.exe
4000	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2412	avscan.exe
4716	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4812	49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe
2412	avscan.exe
64	avscan.exe
4716	hosts.exe
1356	hosts.exe
4520	avscan.exe
3196	hosts.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 2228	4812	49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe	80
PID 4812 wrote to memory of 2228	4812	49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe	80
PID 4812 wrote to memory of 2228	4812	49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe	80
PID 4812 wrote to memory of 2412	4812	49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe	82
PID 4812 wrote to memory of 2412	4812	49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe	82
PID 4812 wrote to memory of 2412	4812	49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe	82
PID 2412 wrote to memory of 64	2412	avscan.exe	83
PID 2412 wrote to memory of 64	2412	avscan.exe	83
PID 2412 wrote to memory of 64	2412	avscan.exe	83
PID 2412 wrote to memory of 1796	2412	avscan.exe	84
PID 2412 wrote to memory of 1796	2412	avscan.exe	84
PID 2412 wrote to memory of 1796	2412	avscan.exe	84
PID 4812 wrote to memory of 4640	4812	49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe	85
PID 4812 wrote to memory of 4640	4812	49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe	85
PID 4812 wrote to memory of 4640	4812	49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe	85
PID 4640 wrote to memory of 1356	4640	cmd.exe	89
PID 4640 wrote to memory of 1356	4640	cmd.exe	89
PID 4640 wrote to memory of 1356	4640	cmd.exe	89
PID 1796 wrote to memory of 4716	1796	cmd.exe	88
PID 1796 wrote to memory of 4716	1796	cmd.exe	88
PID 1796 wrote to memory of 4716	1796	cmd.exe	88
PID 4716 wrote to memory of 4520	4716	hosts.exe	91
PID 4716 wrote to memory of 4520	4716	hosts.exe	91
PID 4716 wrote to memory of 4520	4716	hosts.exe	91
PID 4716 wrote to memory of 1840	4716	hosts.exe	92
PID 4716 wrote to memory of 1840	4716	hosts.exe	92
PID 4716 wrote to memory of 1840	4716	hosts.exe	92
PID 4640 wrote to memory of 4680	4640	cmd.exe	94
PID 4640 wrote to memory of 4680	4640	cmd.exe	94
PID 4640 wrote to memory of 4680	4640	cmd.exe	94
PID 1840 wrote to memory of 3196	1840	cmd.exe	96
PID 1840 wrote to memory of 3196	1840	cmd.exe	96
PID 1840 wrote to memory of 3196	1840	cmd.exe	96
PID 1796 wrote to memory of 4308	1796	cmd.exe	95
PID 1796 wrote to memory of 4308	1796	cmd.exe	95
PID 1796 wrote to memory of 4308	1796	cmd.exe	95
PID 1840 wrote to memory of 3376	1840	cmd.exe	97
PID 1840 wrote to memory of 3376	1840	cmd.exe	97
PID 1840 wrote to memory of 3376	1840	cmd.exe	97
PID 2412 wrote to memory of 1692	2412	avscan.exe	105
PID 2412 wrote to memory of 1692	2412	avscan.exe	105
PID 2412 wrote to memory of 1692	2412	avscan.exe	105
PID 4716 wrote to memory of 360	4716	hosts.exe	107
PID 4716 wrote to memory of 360	4716	hosts.exe	107
PID 4716 wrote to memory of 360	4716	hosts.exe	107
PID 2412 wrote to memory of 2172	2412	avscan.exe	109
PID 2412 wrote to memory of 2172	2412	avscan.exe	109
PID 2412 wrote to memory of 2172	2412	avscan.exe	109
PID 4716 wrote to memory of 2760	4716	hosts.exe	111
PID 4716 wrote to memory of 2760	4716	hosts.exe	111
PID 4716 wrote to memory of 2760	4716	hosts.exe	111
PID 2412 wrote to memory of 3900	2412	avscan.exe	113
PID 2412 wrote to memory of 3900	2412	avscan.exe	113
PID 2412 wrote to memory of 3900	2412	avscan.exe	113
PID 4716 wrote to memory of 4184	4716	hosts.exe	115
PID 4716 wrote to memory of 4184	4716	hosts.exe	115
PID 4716 wrote to memory of 4184	4716	hosts.exe	115
PID 2412 wrote to memory of 2580	2412	avscan.exe	117
PID 2412 wrote to memory of 2580	2412	avscan.exe	117
PID 2412 wrote to memory of 2580	2412	avscan.exe	117
PID 4716 wrote to memory of 4000	4716	hosts.exe	119
PID 4716 wrote to memory of 4000	4716	hosts.exe	119
PID 4716 wrote to memory of 4000	4716	hosts.exe	119

C:\Users\Admin\AppData\Local\Temp\49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe
"C:\Users\Admin\AppData\Local\Temp\49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:2228
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:64
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4716
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4520
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
        5⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1840
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3196
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:3376
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:360
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:2760
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:4184
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:4000
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:4308
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1692
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:2172
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:3900
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:2580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4640
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1356
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:4680

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
222KB

MD5
c409fa603b199ac1399bce510daf09c0

SHA1
77eee3e39d2d3ff4551d7fee72843e9c8ec9ea1a

SHA256
f21e778facefffe9a86fb39fad9561114bf7317255e6882ab0624c09b58d07c1

SHA512
c267cdca0c40149e018eea5ae57d800a0f7664d2fa782653b9c715476d7512572e7472b05addfbdbb0792ff1501d3d33af15a1a1398d38f269cbe0f1e2c3bcb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
222KB

MD5
c409fa603b199ac1399bce510daf09c0

SHA1
77eee3e39d2d3ff4551d7fee72843e9c8ec9ea1a

SHA256
f21e778facefffe9a86fb39fad9561114bf7317255e6882ab0624c09b58d07c1

SHA512
c267cdca0c40149e018eea5ae57d800a0f7664d2fa782653b9c715476d7512572e7472b05addfbdbb0792ff1501d3d33af15a1a1398d38f269cbe0f1e2c3bcb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
222KB

MD5
c409fa603b199ac1399bce510daf09c0

SHA1
77eee3e39d2d3ff4551d7fee72843e9c8ec9ea1a

SHA256
f21e778facefffe9a86fb39fad9561114bf7317255e6882ab0624c09b58d07c1

SHA512
c267cdca0c40149e018eea5ae57d800a0f7664d2fa782653b9c715476d7512572e7472b05addfbdbb0792ff1501d3d33af15a1a1398d38f269cbe0f1e2c3bcb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
222KB

MD5
c409fa603b199ac1399bce510daf09c0

SHA1
77eee3e39d2d3ff4551d7fee72843e9c8ec9ea1a

SHA256
f21e778facefffe9a86fb39fad9561114bf7317255e6882ab0624c09b58d07c1

SHA512
c267cdca0c40149e018eea5ae57d800a0f7664d2fa782653b9c715476d7512572e7472b05addfbdbb0792ff1501d3d33af15a1a1398d38f269cbe0f1e2c3bcb0

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
0e0483d4802632100b6bfe8bc2e5d661

SHA1
767e0deb7dcaa7676004e6053957c36cecfeeefa

SHA256
81bbebb8d0e77ffffbc7b7d24afdcdce4089f4b04d1a12284eda861c25e03f9f

SHA512
8279b0559ca30a0adc6c8614870c3e445866c20f0617a7153cab41982b451dfe9ea44478f37b884465235714623ef26a56f5ea3d1cb81767487c494d3703ab29

Download Submit
C:\Windows\hosts.exe

Filesize
222KB

MD5
c8f847784a302ecf6caadc4c185fa89c

SHA1
08223476702bd3ee9d4e3ac2d7a2f6f58d5aac69

SHA256
e89df70b4c80f8e8623377e156bc04f1a0b5ebeaa58e78e92526f0971ad19ae4

SHA512
3bac7347472545ec89270aa6d866b85d83d46d84f002a9c29fbcc57b66cdbee08bbdbe43fea067284cb8bfa9356bd6dabdc4d4727fed74814358f0d8c31525ef

Download Submit
C:\Windows\hosts.exe

Filesize
222KB

MD5
c8f847784a302ecf6caadc4c185fa89c

SHA1
08223476702bd3ee9d4e3ac2d7a2f6f58d5aac69

SHA256
e89df70b4c80f8e8623377e156bc04f1a0b5ebeaa58e78e92526f0971ad19ae4

SHA512
3bac7347472545ec89270aa6d866b85d83d46d84f002a9c29fbcc57b66cdbee08bbdbe43fea067284cb8bfa9356bd6dabdc4d4727fed74814358f0d8c31525ef

Download Submit
C:\Windows\hosts.exe

Filesize
222KB

MD5
c8f847784a302ecf6caadc4c185fa89c

SHA1
08223476702bd3ee9d4e3ac2d7a2f6f58d5aac69

SHA256
e89df70b4c80f8e8623377e156bc04f1a0b5ebeaa58e78e92526f0971ad19ae4

SHA512
3bac7347472545ec89270aa6d866b85d83d46d84f002a9c29fbcc57b66cdbee08bbdbe43fea067284cb8bfa9356bd6dabdc4d4727fed74814358f0d8c31525ef

Download Submit
C:\Windows\hosts.exe

Filesize
222KB

MD5
c8f847784a302ecf6caadc4c185fa89c

SHA1
08223476702bd3ee9d4e3ac2d7a2f6f58d5aac69

SHA256
e89df70b4c80f8e8623377e156bc04f1a0b5ebeaa58e78e92526f0971ad19ae4

SHA512
3bac7347472545ec89270aa6d866b85d83d46d84f002a9c29fbcc57b66cdbee08bbdbe43fea067284cb8bfa9356bd6dabdc4d4727fed74814358f0d8c31525ef

Download Submit
C:\windows\hosts.exe

Filesize
222KB

MD5
c8f847784a302ecf6caadc4c185fa89c

SHA1
08223476702bd3ee9d4e3ac2d7a2f6f58d5aac69

SHA256
e89df70b4c80f8e8623377e156bc04f1a0b5ebeaa58e78e92526f0971ad19ae4

SHA512
3bac7347472545ec89270aa6d866b85d83d46d84f002a9c29fbcc57b66cdbee08bbdbe43fea067284cb8bfa9356bd6dabdc4d4727fed74814358f0d8c31525ef

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads