b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881

Analysis

max time kernel
145s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe
Size

797KB
MD5

dcd83bc2a230d56c8503fe376c79b507
SHA1

481a19082db5f6f1b97467aa95815e50987ae4fe
SHA256

b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881
SHA512

a4adc1636c9a5f3cab90e5db784e87490df286b97cee284099556b03d555dd636dcff0fc8b761314b62edb5e02e134b6e1313e85d256fd0dc96fd9ac04ee1a01
SSDEEP

12288:g72bnI+kL72bnI+kDO472bnI+kL72bnI+kDOMYh:g72z072z3472z072z3MYh

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GBQHURCC = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GBQHURCC = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GBQHURCC = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
4844	avscan.exe
4824	avscan.exe
2880	hosts.exe
4008	hosts.exe
4456	avscan.exe
1044	hosts.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cmd.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe
File created	\??\c:\windows\W_X_C.bat	b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe
File opened for modification	C:\Windows\hosts.exe	b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
2416	REG.exe
508	REG.exe
2588	REG.exe
2284	REG.exe
2132	REG.exe
5084	REG.exe
4164	REG.exe
3032	REG.exe
3292	REG.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
1748	b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe
4844	avscan.exe
2880	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1748	b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe
4844	avscan.exe
4824	avscan.exe
2880	hosts.exe
4008	hosts.exe
4456	avscan.exe
1044	hosts.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 3032	1748	b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe	82
PID 1748 wrote to memory of 3032	1748	b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe	82
PID 1748 wrote to memory of 3032	1748	b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe	82
PID 1748 wrote to memory of 4844	1748	b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe	83
PID 1748 wrote to memory of 4844	1748	b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe	83
PID 1748 wrote to memory of 4844	1748	b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe	83
PID 4844 wrote to memory of 4824	4844	avscan.exe	84
PID 4844 wrote to memory of 4824	4844	avscan.exe	84
PID 4844 wrote to memory of 4824	4844	avscan.exe	84
PID 1748 wrote to memory of 972	1748	b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe	86
PID 1748 wrote to memory of 972	1748	b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe	86
PID 1748 wrote to memory of 972	1748	b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe	86
PID 4844 wrote to memory of 532	4844	avscan.exe	85
PID 4844 wrote to memory of 532	4844	avscan.exe	85
PID 4844 wrote to memory of 532	4844	avscan.exe	85
PID 972 wrote to memory of 4008	972	cmd.exe	90
PID 972 wrote to memory of 4008	972	cmd.exe	90
PID 972 wrote to memory of 4008	972	cmd.exe	90
PID 532 wrote to memory of 2880	532	cmd.exe	91
PID 532 wrote to memory of 2880	532	cmd.exe	91
PID 532 wrote to memory of 2880	532	cmd.exe	91
PID 2880 wrote to memory of 4456	2880	hosts.exe	92
PID 2880 wrote to memory of 4456	2880	hosts.exe	92
PID 2880 wrote to memory of 4456	2880	hosts.exe	92
PID 2880 wrote to memory of 2088	2880	hosts.exe	93
PID 2880 wrote to memory of 2088	2880	hosts.exe	93
PID 2880 wrote to memory of 2088	2880	hosts.exe	93
PID 2088 wrote to memory of 1044	2088	cmd.exe	95
PID 2088 wrote to memory of 1044	2088	cmd.exe	95
PID 2088 wrote to memory of 1044	2088	cmd.exe	95
PID 972 wrote to memory of 1352	972	cmd.exe	97
PID 972 wrote to memory of 1352	972	cmd.exe	97
PID 972 wrote to memory of 1352	972	cmd.exe	97
PID 532 wrote to memory of 3708	532	cmd.exe	96
PID 532 wrote to memory of 3708	532	cmd.exe	96
PID 532 wrote to memory of 3708	532	cmd.exe	96
PID 2088 wrote to memory of 2332	2088	cmd.exe	98
PID 2088 wrote to memory of 2332	2088	cmd.exe	98
PID 2088 wrote to memory of 2332	2088	cmd.exe	98
PID 4844 wrote to memory of 3292	4844	avscan.exe	100
PID 4844 wrote to memory of 3292	4844	avscan.exe	100
PID 4844 wrote to memory of 3292	4844	avscan.exe	100
PID 2880 wrote to memory of 2284	2880	hosts.exe	102
PID 2880 wrote to memory of 2284	2880	hosts.exe	102
PID 2880 wrote to memory of 2284	2880	hosts.exe	102
PID 4844 wrote to memory of 2132	4844	avscan.exe	104
PID 4844 wrote to memory of 2132	4844	avscan.exe	104
PID 4844 wrote to memory of 2132	4844	avscan.exe	104
PID 2880 wrote to memory of 2416	2880	hosts.exe	106
PID 2880 wrote to memory of 2416	2880	hosts.exe	106
PID 2880 wrote to memory of 2416	2880	hosts.exe	106
PID 4844 wrote to memory of 5084	4844	avscan.exe	108
PID 4844 wrote to memory of 5084	4844	avscan.exe	108
PID 4844 wrote to memory of 5084	4844	avscan.exe	108
PID 2880 wrote to memory of 4164	2880	hosts.exe	110
PID 2880 wrote to memory of 4164	2880	hosts.exe	110
PID 2880 wrote to memory of 4164	2880	hosts.exe	110
PID 4844 wrote to memory of 508	4844	avscan.exe	112
PID 4844 wrote to memory of 508	4844	avscan.exe	112
PID 4844 wrote to memory of 508	4844	avscan.exe	112
PID 2880 wrote to memory of 2588	2880	hosts.exe	114
PID 2880 wrote to memory of 2588	2880	hosts.exe	114
PID 2880 wrote to memory of 2588	2880	hosts.exe	114

C:\Users\Admin\AppData\Local\Temp\b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe
"C:\Users\Admin\AppData\Local\Temp\b840fd6db035e870ba51d42ab948f168700b343444acf99d815609a12b812881.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:3032
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:532
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2880
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4456
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
        5⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2088
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1044
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:2332
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:2284
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:2416
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:4164
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:2588
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:3708
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:3292
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:2132
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:5084
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:972
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4008
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:1352

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
797KB

MD5
65f732b5101adeb975373a615404dba5

SHA1
7dbaa8355f92dc8137069ebcf6952f38129d663f

SHA256
471a0c6c9933b908d47e8989ee8b0a70589638cf633243a748f5ae4994914aac

SHA512
aed7d5c400f07a71d285237f9f9d76106617701342ee6acfdb69de71e8ce4267198a0c3eca2b2df2c966c865c28ffade9157dfe97c9feecccd6776f9028e6f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
797KB

MD5
65f732b5101adeb975373a615404dba5

SHA1
7dbaa8355f92dc8137069ebcf6952f38129d663f

SHA256
471a0c6c9933b908d47e8989ee8b0a70589638cf633243a748f5ae4994914aac

SHA512
aed7d5c400f07a71d285237f9f9d76106617701342ee6acfdb69de71e8ce4267198a0c3eca2b2df2c966c865c28ffade9157dfe97c9feecccd6776f9028e6f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
797KB

MD5
65f732b5101adeb975373a615404dba5

SHA1
7dbaa8355f92dc8137069ebcf6952f38129d663f

SHA256
471a0c6c9933b908d47e8989ee8b0a70589638cf633243a748f5ae4994914aac

SHA512
aed7d5c400f07a71d285237f9f9d76106617701342ee6acfdb69de71e8ce4267198a0c3eca2b2df2c966c865c28ffade9157dfe97c9feecccd6776f9028e6f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
797KB

MD5
65f732b5101adeb975373a615404dba5

SHA1
7dbaa8355f92dc8137069ebcf6952f38129d663f

SHA256
471a0c6c9933b908d47e8989ee8b0a70589638cf633243a748f5ae4994914aac

SHA512
aed7d5c400f07a71d285237f9f9d76106617701342ee6acfdb69de71e8ce4267198a0c3eca2b2df2c966c865c28ffade9157dfe97c9feecccd6776f9028e6f8a

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
5b87381bf407d7c6018a8b11c3e20f92

SHA1
bb61b28d9c8fd7dfeb13a397c49a1be3abc06ca2

SHA256
4785d6a229d0872fe90c75ab620de9a680d7f07ccd27a134da2afc4ee88f34f3

SHA512
05db1178f671e9d6c3a1c601349093447b04ebddcd071a06f7cc92cbaf7efb53027bc92523a19372a08ca5af715cc9955649255f8be1909b5e594385b3dcbe3d

Download Submit
C:\Windows\hosts.exe

Filesize
797KB

MD5
18fc9c7bc550645d31272ce1b9db7b4e

SHA1
a18d6472166d9adee5d94c99c911650741c2a409

SHA256
4175a83807fc42a71199751bdbc5ec0eeb331185def481f76f8cdf61b8cc272b

SHA512
cd9095f0a51137b3e56f05886023ab4789164598318130c8b9c3b8b58040c47a0b7f675f6a0b253b3182dfb163094b75ec60011b01683ff35fedc32de429ef81

Download Submit
C:\Windows\hosts.exe

Filesize
797KB

MD5
18fc9c7bc550645d31272ce1b9db7b4e

SHA1
a18d6472166d9adee5d94c99c911650741c2a409

SHA256
4175a83807fc42a71199751bdbc5ec0eeb331185def481f76f8cdf61b8cc272b

SHA512
cd9095f0a51137b3e56f05886023ab4789164598318130c8b9c3b8b58040c47a0b7f675f6a0b253b3182dfb163094b75ec60011b01683ff35fedc32de429ef81

Download Submit
C:\Windows\hosts.exe

Filesize
797KB

MD5
18fc9c7bc550645d31272ce1b9db7b4e

SHA1
a18d6472166d9adee5d94c99c911650741c2a409

SHA256
4175a83807fc42a71199751bdbc5ec0eeb331185def481f76f8cdf61b8cc272b

SHA512
cd9095f0a51137b3e56f05886023ab4789164598318130c8b9c3b8b58040c47a0b7f675f6a0b253b3182dfb163094b75ec60011b01683ff35fedc32de429ef81

Download Submit
C:\Windows\hosts.exe

Filesize
797KB

MD5
18fc9c7bc550645d31272ce1b9db7b4e

SHA1
a18d6472166d9adee5d94c99c911650741c2a409

SHA256
4175a83807fc42a71199751bdbc5ec0eeb331185def481f76f8cdf61b8cc272b

SHA512
cd9095f0a51137b3e56f05886023ab4789164598318130c8b9c3b8b58040c47a0b7f675f6a0b253b3182dfb163094b75ec60011b01683ff35fedc32de429ef81

Download Submit
C:\windows\hosts.exe

Filesize
797KB

MD5
18fc9c7bc550645d31272ce1b9db7b4e

SHA1
a18d6472166d9adee5d94c99c911650741c2a409

SHA256
4175a83807fc42a71199751bdbc5ec0eeb331185def481f76f8cdf61b8cc272b

SHA512
cd9095f0a51137b3e56f05886023ab4789164598318130c8b9c3b8b58040c47a0b7f675f6a0b253b3182dfb163094b75ec60011b01683ff35fedc32de429ef81

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads