69b36a82d3902f598ab29915094dbd90d36eef184bd091f66bf1843cf31c0f4a

Analysis

max time kernel
158s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69b36a82d3902f598ab29915094dbd90d36eef184bd091f66bf1843cf31c0f4a.exe
Size

694KB
MD5

f3accbc6f1e8c05d865202397f647737
SHA1

35477e11477cb21b52737ca3ca08b2df9be9e8d6
SHA256

69b36a82d3902f598ab29915094dbd90d36eef184bd091f66bf1843cf31c0f4a
SHA512

4185d1ad48e9fc551f2111d198539576929f9f5b4cca94e108c5227700d606406cf642941f6975d096d0e560534c08d9b9c2b9065b1e3ba6cb848d3b9521c3c9
SSDEEP

12288:g72bntEDs72bntEDU72bntEDs72bntEDUd:g72zms72zmU72zms72zmY

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	69b36a82d3902f598ab29915094dbd90d36eef184bd091f66bf1843cf31c0f4a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	69b36a82d3902f598ab29915094dbd90d36eef184bd091f66bf1843cf31c0f4a.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WIJBFSKT = "W_X_C.bat"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WIJBFSKT = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WIJBFSKT = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
4248	avscan.exe
1836	avscan.exe
1404	hosts.exe
2380	hosts.exe
2500	avscan.exe
1368	hosts.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	cmd.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	69b36a82d3902f598ab29915094dbd90d36eef184bd091f66bf1843cf31c0f4a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	69b36a82d3902f598ab29915094dbd90d36eef184bd091f66bf1843cf31c0f4a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\hosts.exe	69b36a82d3902f598ab29915094dbd90d36eef184bd091f66bf1843cf31c0f4a.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	69b36a82d3902f598ab29915094dbd90d36eef184bd091f66bf1843cf31c0f4a.exe
File created	\??\c:\windows\W_X_C.bat	69b36a82d3902f598ab29915094dbd90d36eef184bd091f66bf1843cf31c0f4a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	69b36a82d3902f598ab29915094dbd90d36eef184bd091f66bf1843cf31c0f4a.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
3608	REG.exe
4620	REG.exe
1968	REG.exe
2244	REG.exe
1592	REG.exe
3968	REG.exe
1924	REG.exe
1572	REG.exe
2296	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4248	avscan.exe
2380	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4672	69b36a82d3902f598ab29915094dbd90d36eef184bd091f66bf1843cf31c0f4a.exe
4248	avscan.exe
1836	avscan.exe
1404	hosts.exe
2380	hosts.exe
2500	avscan.exe
1368	hosts.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 4672 wrote to memory of 4620	4672	69b36a82d3902f598ab29915094dbd90d36eef184bd091f66bf1843cf31c0f4a.exe	83
PID 4672 wrote to memory of 4620	4672	69b36a82d3902f598ab29915094dbd90d36eef184bd091f66bf1843cf31c0f4a.exe	83
PID 4672 wrote to memory of 4620	4672	69b36a82d3902f598ab29915094dbd90d36eef184bd091f66bf1843cf31c0f4a.exe	83
PID 4672 wrote to memory of 4248	4672	69b36a82d3902f598ab29915094dbd90d36eef184bd091f66bf1843cf31c0f4a.exe	85
PID 4672 wrote to memory of 4248	4672	69b36a82d3902f598ab29915094dbd90d36eef184bd091f66bf1843cf31c0f4a.exe	85
PID 4672 wrote to memory of 4248	4672	69b36a82d3902f598ab29915094dbd90d36eef184bd091f66bf1843cf31c0f4a.exe	85
PID 4248 wrote to memory of 1836	4248	avscan.exe	86
PID 4248 wrote to memory of 1836	4248	avscan.exe	86
PID 4248 wrote to memory of 1836	4248	avscan.exe	86
PID 4248 wrote to memory of 4588	4248	avscan.exe	87
PID 4248 wrote to memory of 4588	4248	avscan.exe	87
PID 4248 wrote to memory of 4588	4248	avscan.exe	87
PID 4672 wrote to memory of 3968	4672	69b36a82d3902f598ab29915094dbd90d36eef184bd091f66bf1843cf31c0f4a.exe	88
PID 4672 wrote to memory of 3968	4672	69b36a82d3902f598ab29915094dbd90d36eef184bd091f66bf1843cf31c0f4a.exe	88
PID 4672 wrote to memory of 3968	4672	69b36a82d3902f598ab29915094dbd90d36eef184bd091f66bf1843cf31c0f4a.exe	88
PID 3968 wrote to memory of 1404	3968	cmd.exe	91
PID 3968 wrote to memory of 1404	3968	cmd.exe	91
PID 3968 wrote to memory of 1404	3968	cmd.exe	91
PID 4588 wrote to memory of 2380	4588	cmd.exe	92
PID 4588 wrote to memory of 2380	4588	cmd.exe	92
PID 4588 wrote to memory of 2380	4588	cmd.exe	92
PID 2380 wrote to memory of 2500	2380	hosts.exe	93
PID 2380 wrote to memory of 2500	2380	hosts.exe	93
PID 2380 wrote to memory of 2500	2380	hosts.exe	93
PID 2380 wrote to memory of 1900	2380	hosts.exe	94
PID 2380 wrote to memory of 1900	2380	hosts.exe	94
PID 2380 wrote to memory of 1900	2380	hosts.exe	94
PID 1900 wrote to memory of 1368	1900	cmd.exe	96
PID 1900 wrote to memory of 1368	1900	cmd.exe	96
PID 1900 wrote to memory of 1368	1900	cmd.exe	96
PID 3968 wrote to memory of 2292	3968	cmd.exe	99
PID 3968 wrote to memory of 2292	3968	cmd.exe	99
PID 3968 wrote to memory of 2292	3968	cmd.exe	99
PID 4588 wrote to memory of 3052	4588	cmd.exe	101
PID 4588 wrote to memory of 3052	4588	cmd.exe	101
PID 4588 wrote to memory of 3052	4588	cmd.exe	101
PID 1900 wrote to memory of 2264	1900	cmd.exe	100
PID 1900 wrote to memory of 2264	1900	cmd.exe	100
PID 1900 wrote to memory of 2264	1900	cmd.exe	100
PID 4248 wrote to memory of 1572	4248	avscan.exe	102
PID 4248 wrote to memory of 1572	4248	avscan.exe	102
PID 4248 wrote to memory of 1572	4248	avscan.exe	102
PID 2380 wrote to memory of 1968	2380	hosts.exe	105
PID 2380 wrote to memory of 1968	2380	hosts.exe	105
PID 2380 wrote to memory of 1968	2380	hosts.exe	105
PID 4248 wrote to memory of 2296	4248	avscan.exe	109
PID 4248 wrote to memory of 2296	4248	avscan.exe	109
PID 4248 wrote to memory of 2296	4248	avscan.exe	109
PID 2380 wrote to memory of 2244	2380	hosts.exe	111
PID 2380 wrote to memory of 2244	2380	hosts.exe	111
PID 2380 wrote to memory of 2244	2380	hosts.exe	111
PID 4248 wrote to memory of 3608	4248	avscan.exe	116
PID 4248 wrote to memory of 3608	4248	avscan.exe	116
PID 4248 wrote to memory of 3608	4248	avscan.exe	116
PID 2380 wrote to memory of 1592	2380	hosts.exe	119
PID 2380 wrote to memory of 1592	2380	hosts.exe	119
PID 2380 wrote to memory of 1592	2380	hosts.exe	119
PID 4248 wrote to memory of 3968	4248	avscan.exe	127
PID 4248 wrote to memory of 3968	4248	avscan.exe	127
PID 4248 wrote to memory of 3968	4248	avscan.exe	127
PID 2380 wrote to memory of 1924	2380	hosts.exe	129
PID 2380 wrote to memory of 1924	2380	hosts.exe	129
PID 2380 wrote to memory of 1924	2380	hosts.exe	129

C:\Users\Admin\AppData\Local\Temp\69b36a82d3902f598ab29915094dbd90d36eef184bd091f66bf1843cf31c0f4a.exe
"C:\Users\Admin\AppData\Local\Temp\69b36a82d3902f598ab29915094dbd90d36eef184bd091f66bf1843cf31c0f4a.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4672
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:4620
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4248
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4588
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2380
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2500
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
        5⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1900
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1368
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:2264
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1968
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:2244
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1592
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1924
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:3052
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1572
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:2296
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:3608
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:3968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1404
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:2292

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
694KB

MD5
4340b7cf9eafe9253c67cb9b15400e1e

SHA1
8097fcf2dcdb3880eab793335730a22b3644cf37

SHA256
c874f1a33338990cfb12a28996ba2826316068252a1a08e86f8f67198d5ff9e0

SHA512
a038e7eb1d75f79fd9d4cabcaecba0af09c8a742a3254b7d5378a8edb9665871ca2b64c9494baafbebe2bab47949eca0dd8ab605184e904a9e5754c97284292b

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
694KB

MD5
4340b7cf9eafe9253c67cb9b15400e1e

SHA1
8097fcf2dcdb3880eab793335730a22b3644cf37

SHA256
c874f1a33338990cfb12a28996ba2826316068252a1a08e86f8f67198d5ff9e0

SHA512
a038e7eb1d75f79fd9d4cabcaecba0af09c8a742a3254b7d5378a8edb9665871ca2b64c9494baafbebe2bab47949eca0dd8ab605184e904a9e5754c97284292b

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
694KB

MD5
4340b7cf9eafe9253c67cb9b15400e1e

SHA1
8097fcf2dcdb3880eab793335730a22b3644cf37

SHA256
c874f1a33338990cfb12a28996ba2826316068252a1a08e86f8f67198d5ff9e0

SHA512
a038e7eb1d75f79fd9d4cabcaecba0af09c8a742a3254b7d5378a8edb9665871ca2b64c9494baafbebe2bab47949eca0dd8ab605184e904a9e5754c97284292b

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
694KB

MD5
4340b7cf9eafe9253c67cb9b15400e1e

SHA1
8097fcf2dcdb3880eab793335730a22b3644cf37

SHA256
c874f1a33338990cfb12a28996ba2826316068252a1a08e86f8f67198d5ff9e0

SHA512
a038e7eb1d75f79fd9d4cabcaecba0af09c8a742a3254b7d5378a8edb9665871ca2b64c9494baafbebe2bab47949eca0dd8ab605184e904a9e5754c97284292b

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
5f95187376125e68821db0d42b6e0a01

SHA1
24db87fd4f2e71873b08b285de3f584ed606bd7d

SHA256
f77ac566569872134310abf6755aaf712f96ddf7e544cd73fa03555415676777

SHA512
cecd0b1ab60ed7471870c6b5bb90d65b2e833d535f9a91aea96aae50a86e17fb15f23cd49da74d3ab6d50e54de75e02d9727d9b1d9ec2c32e3b80a4183c0a31c

Download Submit
C:\Windows\hosts.exe

Filesize
694KB

MD5
e7696b0f11d1f058062d955152eba6c5

SHA1
5056f08ca6fba2a5b688abb98038d345bc57432b

SHA256
a12e7fa19b5efac3a020836496fabc0610e4adcd1efe39daa2d211334be5ddd3

SHA512
058c861633e7fe7643d97fde19ebab63cb7d22b844fb058e523409233f4854e1e60f78c6457b64e7d983066e3c835c9d4ba8d2585922656b577c68b3bb8837fe

Download Submit
C:\Windows\hosts.exe

Filesize
694KB

MD5
e7696b0f11d1f058062d955152eba6c5

SHA1
5056f08ca6fba2a5b688abb98038d345bc57432b

SHA256
a12e7fa19b5efac3a020836496fabc0610e4adcd1efe39daa2d211334be5ddd3

SHA512
058c861633e7fe7643d97fde19ebab63cb7d22b844fb058e523409233f4854e1e60f78c6457b64e7d983066e3c835c9d4ba8d2585922656b577c68b3bb8837fe

Download Submit
C:\Windows\hosts.exe

Filesize
694KB

MD5
e7696b0f11d1f058062d955152eba6c5

SHA1
5056f08ca6fba2a5b688abb98038d345bc57432b

SHA256
a12e7fa19b5efac3a020836496fabc0610e4adcd1efe39daa2d211334be5ddd3

SHA512
058c861633e7fe7643d97fde19ebab63cb7d22b844fb058e523409233f4854e1e60f78c6457b64e7d983066e3c835c9d4ba8d2585922656b577c68b3bb8837fe

Download Submit
C:\Windows\hosts.exe

Filesize
694KB

MD5
e7696b0f11d1f058062d955152eba6c5

SHA1
5056f08ca6fba2a5b688abb98038d345bc57432b

SHA256
a12e7fa19b5efac3a020836496fabc0610e4adcd1efe39daa2d211334be5ddd3

SHA512
058c861633e7fe7643d97fde19ebab63cb7d22b844fb058e523409233f4854e1e60f78c6457b64e7d983066e3c835c9d4ba8d2585922656b577c68b3bb8837fe

Download Submit
C:\windows\hosts.exe

Filesize
694KB

MD5
e7696b0f11d1f058062d955152eba6c5

SHA1
5056f08ca6fba2a5b688abb98038d345bc57432b

SHA256
a12e7fa19b5efac3a020836496fabc0610e4adcd1efe39daa2d211334be5ddd3

SHA512
058c861633e7fe7643d97fde19ebab63cb7d22b844fb058e523409233f4854e1e60f78c6457b64e7d983066e3c835c9d4ba8d2585922656b577c68b3bb8837fe

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads