eda12b31ad1e5c27f8850258e43829957adf4999c8819b9a6d7676dbb880a78c

Analysis

max time kernel
181s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2022 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eda12b31ad1e5c27f8850258e43829957adf4999c8819b9a6d7676dbb880a78c.exe
Size

707KB
MD5

c93d34cb11f7781692627f9de7c088c6
SHA1

af7216424a6147df8486894082d02918b8cd752a
SHA256

eda12b31ad1e5c27f8850258e43829957adf4999c8819b9a6d7676dbb880a78c
SHA512

f8b8e55cce3921818a360c2e3d26b41690a13056d9ad09ded536888b4631cc7385bfaf2997a2ea03e43e9159b460d5a4e64c73b902bff48c3b9aca94e8db7185
SSDEEP

12288:g72bntEDW72bntEDP72bntEDW72bntED7G1y:g72zmW72zmP72zmW72zm7d

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	eda12b31ad1e5c27f8850258e43829957adf4999c8819b9a6d7676dbb880a78c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	eda12b31ad1e5c27f8850258e43829957adf4999c8819b9a6d7676dbb880a78c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WIJBFSKT = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WIJBFSKT = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WIJBFSKT = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
2372	avscan.exe
4940	avscan.exe
2508	hosts.exe
3168	hosts.exe
4404	avscan.exe
4520	hosts.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	cmd.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	eda12b31ad1e5c27f8850258e43829957adf4999c8819b9a6d7676dbb880a78c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	eda12b31ad1e5c27f8850258e43829957adf4999c8819b9a6d7676dbb880a78c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\hosts.exe	eda12b31ad1e5c27f8850258e43829957adf4999c8819b9a6d7676dbb880a78c.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	eda12b31ad1e5c27f8850258e43829957adf4999c8819b9a6d7676dbb880a78c.exe
File created	\??\c:\windows\W_X_C.bat	eda12b31ad1e5c27f8850258e43829957adf4999c8819b9a6d7676dbb880a78c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	eda12b31ad1e5c27f8850258e43829957adf4999c8819b9a6d7676dbb880a78c.exe

Modifies registry key 1 TTPs 8 IoCs

Modify Registry

T1112

pid	Process
4000	REG.exe
1684	REG.exe
4340	REG.exe
4592	REG.exe
2368	REG.exe
3052	REG.exe
4796	REG.exe
4056	REG.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
3436	eda12b31ad1e5c27f8850258e43829957adf4999c8819b9a6d7676dbb880a78c.exe
2372	avscan.exe
2508	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3436	eda12b31ad1e5c27f8850258e43829957adf4999c8819b9a6d7676dbb880a78c.exe
2372	avscan.exe
4940	avscan.exe
2508	hosts.exe
3168	hosts.exe
4404	avscan.exe
4520	hosts.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 3436 wrote to memory of 4592	3436	eda12b31ad1e5c27f8850258e43829957adf4999c8819b9a6d7676dbb880a78c.exe	85
PID 3436 wrote to memory of 4592	3436	eda12b31ad1e5c27f8850258e43829957adf4999c8819b9a6d7676dbb880a78c.exe	85
PID 3436 wrote to memory of 4592	3436	eda12b31ad1e5c27f8850258e43829957adf4999c8819b9a6d7676dbb880a78c.exe	85
PID 3436 wrote to memory of 2372	3436	eda12b31ad1e5c27f8850258e43829957adf4999c8819b9a6d7676dbb880a78c.exe	87
PID 3436 wrote to memory of 2372	3436	eda12b31ad1e5c27f8850258e43829957adf4999c8819b9a6d7676dbb880a78c.exe	87
PID 3436 wrote to memory of 2372	3436	eda12b31ad1e5c27f8850258e43829957adf4999c8819b9a6d7676dbb880a78c.exe	87
PID 2372 wrote to memory of 4940	2372	avscan.exe	88
PID 2372 wrote to memory of 4940	2372	avscan.exe	88
PID 2372 wrote to memory of 4940	2372	avscan.exe	88
PID 2372 wrote to memory of 1212	2372	avscan.exe	89
PID 2372 wrote to memory of 1212	2372	avscan.exe	89
PID 2372 wrote to memory of 1212	2372	avscan.exe	89
PID 3436 wrote to memory of 1184	3436	eda12b31ad1e5c27f8850258e43829957adf4999c8819b9a6d7676dbb880a78c.exe	90
PID 3436 wrote to memory of 1184	3436	eda12b31ad1e5c27f8850258e43829957adf4999c8819b9a6d7676dbb880a78c.exe	90
PID 3436 wrote to memory of 1184	3436	eda12b31ad1e5c27f8850258e43829957adf4999c8819b9a6d7676dbb880a78c.exe	90
PID 1184 wrote to memory of 2508	1184	cmd.exe	94
PID 1184 wrote to memory of 2508	1184	cmd.exe	94
PID 1184 wrote to memory of 2508	1184	cmd.exe	94
PID 1212 wrote to memory of 3168	1212	cmd.exe	93
PID 1212 wrote to memory of 3168	1212	cmd.exe	93
PID 1212 wrote to memory of 3168	1212	cmd.exe	93
PID 2508 wrote to memory of 4404	2508	hosts.exe	95
PID 2508 wrote to memory of 4404	2508	hosts.exe	95
PID 2508 wrote to memory of 4404	2508	hosts.exe	95
PID 2508 wrote to memory of 2104	2508	hosts.exe	96
PID 2508 wrote to memory of 2104	2508	hosts.exe	96
PID 2508 wrote to memory of 2104	2508	hosts.exe	96
PID 2104 wrote to memory of 4520	2104	cmd.exe	98
PID 2104 wrote to memory of 4520	2104	cmd.exe	98
PID 2104 wrote to memory of 4520	2104	cmd.exe	98
PID 1184 wrote to memory of 1496	1184	cmd.exe	100
PID 1184 wrote to memory of 1496	1184	cmd.exe	100
PID 1184 wrote to memory of 1496	1184	cmd.exe	100
PID 2104 wrote to memory of 4916	2104	cmd.exe	102
PID 2104 wrote to memory of 4916	2104	cmd.exe	102
PID 2104 wrote to memory of 4916	2104	cmd.exe	102
PID 1212 wrote to memory of 372	1212	cmd.exe	101
PID 1212 wrote to memory of 372	1212	cmd.exe	101
PID 1212 wrote to memory of 372	1212	cmd.exe	101
PID 2372 wrote to memory of 2368	2372	avscan.exe	104
PID 2372 wrote to memory of 2368	2372	avscan.exe	104
PID 2372 wrote to memory of 2368	2372	avscan.exe	104
PID 2508 wrote to memory of 3052	2508	hosts.exe	106
PID 2508 wrote to memory of 3052	2508	hosts.exe	106
PID 2508 wrote to memory of 3052	2508	hosts.exe	106
PID 2372 wrote to memory of 4796	2372	avscan.exe	108
PID 2372 wrote to memory of 4796	2372	avscan.exe	108
PID 2372 wrote to memory of 4796	2372	avscan.exe	108
PID 2508 wrote to memory of 4056	2508	hosts.exe	110
PID 2508 wrote to memory of 4056	2508	hosts.exe	110
PID 2508 wrote to memory of 4056	2508	hosts.exe	110
PID 2372 wrote to memory of 4000	2372	avscan.exe	112
PID 2372 wrote to memory of 4000	2372	avscan.exe	112
PID 2372 wrote to memory of 4000	2372	avscan.exe	112
PID 2508 wrote to memory of 1684	2508	hosts.exe	113
PID 2508 wrote to memory of 1684	2508	hosts.exe	113
PID 2508 wrote to memory of 1684	2508	hosts.exe	113
PID 2372 wrote to memory of 4340	2372	avscan.exe	121
PID 2372 wrote to memory of 4340	2372	avscan.exe	121
PID 2372 wrote to memory of 4340	2372	avscan.exe	121

C:\Users\Admin\AppData\Local\Temp\eda12b31ad1e5c27f8850258e43829957adf4999c8819b9a6d7676dbb880a78c.exe
"C:\Users\Admin\AppData\Local\Temp\eda12b31ad1e5c27f8850258e43829957adf4999c8819b9a6d7676dbb880a78c.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3436
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:4592
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1212
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3168
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:372
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:2368
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:4796
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:4000
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:4340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1184
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4404
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2104
    - - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4520
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        5⤵
        Adds policy Run key to start application
        
        PID:4916
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:3052
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:4056
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1684
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:1496

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
707KB

MD5
0192f345f7b576101956a68a1839891a

SHA1
d391ddc6bdbda64b631a2fdb586ea3e6effb8407

SHA256
8b8aac35d39876892fd6c598b99b509981db62178139984781cfd4e0ddefd197

SHA512
5a45ae86630407de131b92219118334b37e1fe5a5d0935a60dd5c553b828d4b32aa48dd0d672d9ffc2aea5c84127579e476304455d2d78ecaf66458d4be15cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
707KB

MD5
0192f345f7b576101956a68a1839891a

SHA1
d391ddc6bdbda64b631a2fdb586ea3e6effb8407

SHA256
8b8aac35d39876892fd6c598b99b509981db62178139984781cfd4e0ddefd197

SHA512
5a45ae86630407de131b92219118334b37e1fe5a5d0935a60dd5c553b828d4b32aa48dd0d672d9ffc2aea5c84127579e476304455d2d78ecaf66458d4be15cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
707KB

MD5
0192f345f7b576101956a68a1839891a

SHA1
d391ddc6bdbda64b631a2fdb586ea3e6effb8407

SHA256
8b8aac35d39876892fd6c598b99b509981db62178139984781cfd4e0ddefd197

SHA512
5a45ae86630407de131b92219118334b37e1fe5a5d0935a60dd5c553b828d4b32aa48dd0d672d9ffc2aea5c84127579e476304455d2d78ecaf66458d4be15cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
707KB

MD5
0192f345f7b576101956a68a1839891a

SHA1
d391ddc6bdbda64b631a2fdb586ea3e6effb8407

SHA256
8b8aac35d39876892fd6c598b99b509981db62178139984781cfd4e0ddefd197

SHA512
5a45ae86630407de131b92219118334b37e1fe5a5d0935a60dd5c553b828d4b32aa48dd0d672d9ffc2aea5c84127579e476304455d2d78ecaf66458d4be15cc7

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
5f95187376125e68821db0d42b6e0a01

SHA1
24db87fd4f2e71873b08b285de3f584ed606bd7d

SHA256
f77ac566569872134310abf6755aaf712f96ddf7e544cd73fa03555415676777

SHA512
cecd0b1ab60ed7471870c6b5bb90d65b2e833d535f9a91aea96aae50a86e17fb15f23cd49da74d3ab6d50e54de75e02d9727d9b1d9ec2c32e3b80a4183c0a31c

Download Submit
C:\Windows\hosts.exe

Filesize
707KB

MD5
c0fb399cc81830711dbe3fb07e79ddc1

SHA1
9dc1eef8e55d9f18e15e15fd4081d8b3c7cec8d3

SHA256
95dfa737ae25a80748c07f355f165088f84b466412955ae565eb42120431217a

SHA512
2966195dba06193bce7b8b29e49106f3112f8050cb19fc226602d8be143474d4699e11ed149106f06aa1e9acc5d0cf81cabe6a1b273811c146c843e02817cead

Download Submit
C:\Windows\hosts.exe

Filesize
707KB

MD5
c0fb399cc81830711dbe3fb07e79ddc1

SHA1
9dc1eef8e55d9f18e15e15fd4081d8b3c7cec8d3

SHA256
95dfa737ae25a80748c07f355f165088f84b466412955ae565eb42120431217a

SHA512
2966195dba06193bce7b8b29e49106f3112f8050cb19fc226602d8be143474d4699e11ed149106f06aa1e9acc5d0cf81cabe6a1b273811c146c843e02817cead

Download Submit
C:\Windows\hosts.exe

Filesize
707KB

MD5
c0fb399cc81830711dbe3fb07e79ddc1

SHA1
9dc1eef8e55d9f18e15e15fd4081d8b3c7cec8d3

SHA256
95dfa737ae25a80748c07f355f165088f84b466412955ae565eb42120431217a

SHA512
2966195dba06193bce7b8b29e49106f3112f8050cb19fc226602d8be143474d4699e11ed149106f06aa1e9acc5d0cf81cabe6a1b273811c146c843e02817cead

Download Submit
C:\Windows\hosts.exe

Filesize
707KB

MD5
c0fb399cc81830711dbe3fb07e79ddc1

SHA1
9dc1eef8e55d9f18e15e15fd4081d8b3c7cec8d3

SHA256
95dfa737ae25a80748c07f355f165088f84b466412955ae565eb42120431217a

SHA512
2966195dba06193bce7b8b29e49106f3112f8050cb19fc226602d8be143474d4699e11ed149106f06aa1e9acc5d0cf81cabe6a1b273811c146c843e02817cead

Download Submit
C:\windows\hosts.exe

Filesize
707KB

MD5
c0fb399cc81830711dbe3fb07e79ddc1

SHA1
9dc1eef8e55d9f18e15e15fd4081d8b3c7cec8d3

SHA256
95dfa737ae25a80748c07f355f165088f84b466412955ae565eb42120431217a

SHA512
2966195dba06193bce7b8b29e49106f3112f8050cb19fc226602d8be143474d4699e11ed149106f06aa1e9acc5d0cf81cabe6a1b273811c146c843e02817cead

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
memory/372-169-0x0000000000000000-mapping.dmp

Download
memory/1184-146-0x0000000000000000-mapping.dmp

Download
memory/1212-145-0x0000000000000000-mapping.dmp

Download
memory/1496-167-0x0000000000000000-mapping.dmp

Download
memory/1684-175-0x0000000000000000-mapping.dmp

Download
memory/2104-161-0x0000000000000000-mapping.dmp

Download
memory/2368-170-0x0000000000000000-mapping.dmp

Download
memory/2372-135-0x0000000000000000-mapping.dmp

Download
memory/2508-148-0x0000000000000000-mapping.dmp

Download
memory/3052-171-0x0000000000000000-mapping.dmp

Download
memory/3168-149-0x0000000000000000-mapping.dmp

Download
memory/4000-174-0x0000000000000000-mapping.dmp

Download
memory/4056-173-0x0000000000000000-mapping.dmp

Download
memory/4340-176-0x0000000000000000-mapping.dmp

Download
memory/4404-155-0x0000000000000000-mapping.dmp

Download
memory/4520-162-0x0000000000000000-mapping.dmp

Download
memory/4592-134-0x0000000000000000-mapping.dmp

Download
memory/4796-172-0x0000000000000000-mapping.dmp

Download
memory/4916-168-0x0000000000000000-mapping.dmp

Download
memory/4940-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads