8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0

Analysis

max time kernel
165s
max time network
198s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe
Size

657KB
MD5

71f5cd3dd572d5147962eea9d22e2b9e
SHA1

b81eaf651d7aa70bf700a444e66c3ce47343a89c
SHA256

8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0
SHA512

f44d81eb083f0f4600876c77ca80019a820fd8cbcb36ee7fab7e09db893d1bc5c73213d3d5d3e37dac683b8adb6b231954729162a0737e49d561e60b464696cb
SSDEEP

12288:g72bnueKBLWoD1+OteKIjX9aTQT5Hk45QRbaxlwfCGWPI/D+WC:g72zDKFD1e9UDq

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\SOCAAGDT = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\SOCAAGDT = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\SOCAAGDT = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
4128	avscan.exe
3448	avscan.exe
1720	hosts.exe
2872	hosts.exe
2204	avscan.exe
532	hosts.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	cmd.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe
File created	\??\c:\windows\W_X_C.bat	8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe
File opened for modification	C:\Windows\hosts.exe	8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
796	REG.exe
3668	REG.exe
2124	REG.exe
616	REG.exe
4056	REG.exe
4636	REG.exe
712	REG.exe
1596	REG.exe
3340	REG.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
3592	8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe
4128	avscan.exe
1720	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3592	8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe
4128	avscan.exe
3448	avscan.exe
1720	hosts.exe
2872	hosts.exe
2204	avscan.exe
532	hosts.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 1596	3592	8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe	82
PID 3592 wrote to memory of 1596	3592	8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe	82
PID 3592 wrote to memory of 1596	3592	8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe	82
PID 3592 wrote to memory of 4128	3592	8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe	84
PID 3592 wrote to memory of 4128	3592	8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe	84
PID 3592 wrote to memory of 4128	3592	8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe	84
PID 4128 wrote to memory of 3448	4128	avscan.exe	85
PID 4128 wrote to memory of 3448	4128	avscan.exe	85
PID 4128 wrote to memory of 3448	4128	avscan.exe	85
PID 4128 wrote to memory of 4632	4128	avscan.exe	86
PID 4128 wrote to memory of 4632	4128	avscan.exe	86
PID 4128 wrote to memory of 4632	4128	avscan.exe	86
PID 3592 wrote to memory of 4136	3592	8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe	87
PID 3592 wrote to memory of 4136	3592	8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe	87
PID 3592 wrote to memory of 4136	3592	8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe	87
PID 4632 wrote to memory of 1720	4632	cmd.exe	90
PID 4632 wrote to memory of 1720	4632	cmd.exe	90
PID 4632 wrote to memory of 1720	4632	cmd.exe	90
PID 4136 wrote to memory of 2872	4136	cmd.exe	91
PID 4136 wrote to memory of 2872	4136	cmd.exe	91
PID 4136 wrote to memory of 2872	4136	cmd.exe	91
PID 1720 wrote to memory of 2204	1720	hosts.exe	92
PID 1720 wrote to memory of 2204	1720	hosts.exe	92
PID 1720 wrote to memory of 2204	1720	hosts.exe	92
PID 1720 wrote to memory of 2744	1720	hosts.exe	93
PID 1720 wrote to memory of 2744	1720	hosts.exe	93
PID 1720 wrote to memory of 2744	1720	hosts.exe	93
PID 4136 wrote to memory of 3504	4136	cmd.exe	95
PID 4136 wrote to memory of 3504	4136	cmd.exe	95
PID 4136 wrote to memory of 3504	4136	cmd.exe	95
PID 4632 wrote to memory of 4772	4632	cmd.exe	96
PID 4632 wrote to memory of 4772	4632	cmd.exe	96
PID 4632 wrote to memory of 4772	4632	cmd.exe	96
PID 2744 wrote to memory of 532	2744	cmd.exe	97
PID 2744 wrote to memory of 532	2744	cmd.exe	97
PID 2744 wrote to memory of 532	2744	cmd.exe	97
PID 2744 wrote to memory of 972	2744	cmd.exe	98
PID 2744 wrote to memory of 972	2744	cmd.exe	98
PID 2744 wrote to memory of 972	2744	cmd.exe	98
PID 4128 wrote to memory of 3340	4128	avscan.exe	103
PID 4128 wrote to memory of 3340	4128	avscan.exe	103
PID 4128 wrote to memory of 3340	4128	avscan.exe	103
PID 1720 wrote to memory of 616	1720	hosts.exe	104
PID 1720 wrote to memory of 616	1720	hosts.exe	104
PID 1720 wrote to memory of 616	1720	hosts.exe	104
PID 1720 wrote to memory of 4056	1720	hosts.exe	110
PID 1720 wrote to memory of 4056	1720	hosts.exe	110
PID 1720 wrote to memory of 4056	1720	hosts.exe	110
PID 4128 wrote to memory of 3668	4128	avscan.exe	111
PID 4128 wrote to memory of 3668	4128	avscan.exe	111
PID 4128 wrote to memory of 3668	4128	avscan.exe	111
PID 1720 wrote to memory of 4636	1720	hosts.exe	119
PID 1720 wrote to memory of 4636	1720	hosts.exe	119
PID 1720 wrote to memory of 4636	1720	hosts.exe	119
PID 4128 wrote to memory of 2124	4128	avscan.exe	118
PID 4128 wrote to memory of 2124	4128	avscan.exe	118
PID 4128 wrote to memory of 2124	4128	avscan.exe	118
PID 4128 wrote to memory of 712	4128	avscan.exe	124
PID 4128 wrote to memory of 712	4128	avscan.exe	124
PID 4128 wrote to memory of 712	4128	avscan.exe	124
PID 1720 wrote to memory of 796	1720	hosts.exe	123
PID 1720 wrote to memory of 796	1720	hosts.exe	123
PID 1720 wrote to memory of 796	1720	hosts.exe	123

C:\Users\Admin\AppData\Local\Temp\8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe
"C:\Users\Admin\AppData\Local\Temp\8a86262f2f0a8924f499900f7695bb8e659b549c05dff658205b710d2308bac0.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:1596
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4128
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4632
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1720
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2204
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
        5⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2744
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:532
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:972
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:616
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:4056
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:4636
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:796
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:4772
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:3340
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:3668
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:2124
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4136
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2872
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:3504

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
657KB

MD5
8f86ee2d999a0d5d1d57190625b026f4

SHA1
e366e93b062ce686f6e980b0dd92e81bb10a2f61

SHA256
7efe944c946c104fc491109983b76ad17b2ba12641314ef221d965c649ca5f15

SHA512
0738631bbb2fb2ecb34e3578b15e8680abd6d756b12dc2b461becbb08491f368ebe04308c6c1de60b5946df0c278488bce95036feb179389ff573ce2d1b1d1bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
657KB

MD5
8f86ee2d999a0d5d1d57190625b026f4

SHA1
e366e93b062ce686f6e980b0dd92e81bb10a2f61

SHA256
7efe944c946c104fc491109983b76ad17b2ba12641314ef221d965c649ca5f15

SHA512
0738631bbb2fb2ecb34e3578b15e8680abd6d756b12dc2b461becbb08491f368ebe04308c6c1de60b5946df0c278488bce95036feb179389ff573ce2d1b1d1bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
657KB

MD5
8f86ee2d999a0d5d1d57190625b026f4

SHA1
e366e93b062ce686f6e980b0dd92e81bb10a2f61

SHA256
7efe944c946c104fc491109983b76ad17b2ba12641314ef221d965c649ca5f15

SHA512
0738631bbb2fb2ecb34e3578b15e8680abd6d756b12dc2b461becbb08491f368ebe04308c6c1de60b5946df0c278488bce95036feb179389ff573ce2d1b1d1bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
657KB

MD5
8f86ee2d999a0d5d1d57190625b026f4

SHA1
e366e93b062ce686f6e980b0dd92e81bb10a2f61

SHA256
7efe944c946c104fc491109983b76ad17b2ba12641314ef221d965c649ca5f15

SHA512
0738631bbb2fb2ecb34e3578b15e8680abd6d756b12dc2b461becbb08491f368ebe04308c6c1de60b5946df0c278488bce95036feb179389ff573ce2d1b1d1bf

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
b53e5ef6d903f57c7c038b3d3d3db0cb

SHA1
57f5ec8ae3c79e86657ca29d4463ee475becf39b

SHA256
a04a3493a1c2d3d58fc9180512aed93cff63f94c2202f1ce9d62c1c7d82b8d0a

SHA512
603af007038ea2416d7616c38cf020d985f0498955e37c8270fd1b0c4fafa70b1e7c927a5d21d659717e2a6382bb7038711c6bf7a8b9ce1e1d2a9a3cf4a955cf

Download Submit
C:\Windows\hosts.exe

Filesize
657KB

MD5
2fa2cd2d009cf91ef436ce15d7bee1db

SHA1
f68a6c340915e3e7e4a0598ae405ebf90f40b9bc

SHA256
3d217e11dbec507f5ea932c6136622b5d7817c4cb3d5ad4614d67f22f5a342ea

SHA512
15d6db76407bd7baa0b225c1ca429ec67d48ffc28051a4a34d09ff7af6a5030f1e7533a4bcbd07a8d81d1c80bbc984bd9072dd47574228bc477ba1e484f7d011

Download Submit
C:\Windows\hosts.exe

Filesize
657KB

MD5
2fa2cd2d009cf91ef436ce15d7bee1db

SHA1
f68a6c340915e3e7e4a0598ae405ebf90f40b9bc

SHA256
3d217e11dbec507f5ea932c6136622b5d7817c4cb3d5ad4614d67f22f5a342ea

SHA512
15d6db76407bd7baa0b225c1ca429ec67d48ffc28051a4a34d09ff7af6a5030f1e7533a4bcbd07a8d81d1c80bbc984bd9072dd47574228bc477ba1e484f7d011

Download Submit
C:\Windows\hosts.exe

Filesize
657KB

MD5
2fa2cd2d009cf91ef436ce15d7bee1db

SHA1
f68a6c340915e3e7e4a0598ae405ebf90f40b9bc

SHA256
3d217e11dbec507f5ea932c6136622b5d7817c4cb3d5ad4614d67f22f5a342ea

SHA512
15d6db76407bd7baa0b225c1ca429ec67d48ffc28051a4a34d09ff7af6a5030f1e7533a4bcbd07a8d81d1c80bbc984bd9072dd47574228bc477ba1e484f7d011

Download Submit
C:\Windows\hosts.exe

Filesize
657KB

MD5
2fa2cd2d009cf91ef436ce15d7bee1db

SHA1
f68a6c340915e3e7e4a0598ae405ebf90f40b9bc

SHA256
3d217e11dbec507f5ea932c6136622b5d7817c4cb3d5ad4614d67f22f5a342ea

SHA512
15d6db76407bd7baa0b225c1ca429ec67d48ffc28051a4a34d09ff7af6a5030f1e7533a4bcbd07a8d81d1c80bbc984bd9072dd47574228bc477ba1e484f7d011

Download Submit
C:\windows\hosts.exe

Filesize
657KB

MD5
2fa2cd2d009cf91ef436ce15d7bee1db

SHA1
f68a6c340915e3e7e4a0598ae405ebf90f40b9bc

SHA256
3d217e11dbec507f5ea932c6136622b5d7817c4cb3d5ad4614d67f22f5a342ea

SHA512
15d6db76407bd7baa0b225c1ca429ec67d48ffc28051a4a34d09ff7af6a5030f1e7533a4bcbd07a8d81d1c80bbc984bd9072dd47574228bc477ba1e484f7d011

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads