5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0

Analysis

max time kernel
154s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe
Size

351KB
MD5

682d1377fe7007fced29346b2365ec56
SHA1

15b80c307ad86e2a1a275902bb64baa822c67155
SHA256

5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0
SHA512

2ec0a68e75854b6432923a061f53a847faaf620b40f537115d79496ca2f7f8f56d0efc2129c7d2c5ea9ed3270f8ba79b3ed35b4247d1e48eaa16ae23517dc11c
SSDEEP

6144:gDCwfG1bnxMwslM0Yk55Qcpp5n+m9SDxqe:g72bnuwsO0YkTQyCDAe

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\TMKNGOMU = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\TMKNGOMU = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\TMKNGOMU = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
3076	avscan.exe
4436	avscan.exe
4632	hosts.exe
4612	hosts.exe
60	avscan.exe
4284	hosts.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\W_X_C.vbs	5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe
File created	\??\c:\windows\W_X_C.bat	5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe
File opened for modification	C:\Windows\hosts.exe	5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe

Modifies registry key 1 TTPs 8 IoCs

Modify Registry

T1112

pid	Process
3976	REG.exe
4860	REG.exe
372	REG.exe
1196	REG.exe
4380	REG.exe
3172	REG.exe
4244	REG.exe
2436	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3076	avscan.exe
4632	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2476	5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe
3076	avscan.exe
4436	avscan.exe
4632	hosts.exe
4612	hosts.exe
60	avscan.exe
4284	hosts.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 1196	2476	5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe	80
PID 2476 wrote to memory of 1196	2476	5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe	80
PID 2476 wrote to memory of 1196	2476	5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe	80
PID 2476 wrote to memory of 3076	2476	5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe	82
PID 2476 wrote to memory of 3076	2476	5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe	82
PID 2476 wrote to memory of 3076	2476	5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe	82
PID 3076 wrote to memory of 4436	3076	avscan.exe	83
PID 3076 wrote to memory of 4436	3076	avscan.exe	83
PID 3076 wrote to memory of 4436	3076	avscan.exe	83
PID 2476 wrote to memory of 1236	2476	5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe	84
PID 2476 wrote to memory of 1236	2476	5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe	84
PID 2476 wrote to memory of 1236	2476	5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe	84
PID 3076 wrote to memory of 4684	3076	avscan.exe	86
PID 3076 wrote to memory of 4684	3076	avscan.exe	86
PID 3076 wrote to memory of 4684	3076	avscan.exe	86
PID 3076 wrote to memory of 4380	3076	avscan.exe	89
PID 3076 wrote to memory of 4380	3076	avscan.exe	89
PID 3076 wrote to memory of 4380	3076	avscan.exe	89
PID 1236 wrote to memory of 4612	1236	cmd.exe	92
PID 1236 wrote to memory of 4612	1236	cmd.exe	92
PID 1236 wrote to memory of 4612	1236	cmd.exe	92
PID 4684 wrote to memory of 4632	4684	cmd.exe	91
PID 4684 wrote to memory of 4632	4684	cmd.exe	91
PID 4684 wrote to memory of 4632	4684	cmd.exe	91
PID 4632 wrote to memory of 60	4632	hosts.exe	93
PID 4632 wrote to memory of 60	4632	hosts.exe	93
PID 4632 wrote to memory of 60	4632	hosts.exe	93
PID 4632 wrote to memory of 4164	4632	hosts.exe	95
PID 4632 wrote to memory of 4164	4632	hosts.exe	95
PID 4632 wrote to memory of 4164	4632	hosts.exe	95
PID 4164 wrote to memory of 4284	4164	cmd.exe	97
PID 4164 wrote to memory of 4284	4164	cmd.exe	97
PID 4164 wrote to memory of 4284	4164	cmd.exe	97
PID 4684 wrote to memory of 3656	4684	cmd.exe	98
PID 4684 wrote to memory of 3656	4684	cmd.exe	98
PID 4684 wrote to memory of 3656	4684	cmd.exe	98
PID 4164 wrote to memory of 3836	4164	cmd.exe	99
PID 4164 wrote to memory of 3836	4164	cmd.exe	99
PID 4164 wrote to memory of 3836	4164	cmd.exe	99
PID 1236 wrote to memory of 3472	1236	cmd.exe	100
PID 1236 wrote to memory of 3472	1236	cmd.exe	100
PID 1236 wrote to memory of 3472	1236	cmd.exe	100
PID 3076 wrote to memory of 3172	3076	avscan.exe	101
PID 3076 wrote to memory of 3172	3076	avscan.exe	101
PID 3076 wrote to memory of 3172	3076	avscan.exe	101
PID 4632 wrote to memory of 4244	4632	hosts.exe	103
PID 4632 wrote to memory of 4244	4632	hosts.exe	103
PID 4632 wrote to memory of 4244	4632	hosts.exe	103
PID 3076 wrote to memory of 2436	3076	avscan.exe	110
PID 3076 wrote to memory of 2436	3076	avscan.exe	110
PID 3076 wrote to memory of 2436	3076	avscan.exe	110
PID 4632 wrote to memory of 3976	4632	hosts.exe	112
PID 4632 wrote to memory of 3976	4632	hosts.exe	112
PID 4632 wrote to memory of 3976	4632	hosts.exe	112
PID 3076 wrote to memory of 4860	3076	avscan.exe	115
PID 3076 wrote to memory of 4860	3076	avscan.exe	115
PID 3076 wrote to memory of 4860	3076	avscan.exe	115
PID 4632 wrote to memory of 372	4632	hosts.exe	118
PID 4632 wrote to memory of 372	4632	hosts.exe	118
PID 4632 wrote to memory of 372	4632	hosts.exe	118

C:\Users\Admin\AppData\Local\Temp\5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe
"C:\Users\Admin\AppData\Local\Temp\5596cda6d24f5eb91523adb068e9940064746e2083d8f0fa2ef7ad15c72a1be0.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:1196
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3076
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4684
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4632
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:60
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
        5⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4164
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4284
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:3836
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:4244
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:3976
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:372
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:3656
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:4380
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:3172
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:2436
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:4860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4612
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:3472

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
351KB

MD5
bf6923c68fbbfb85129fbb0dba4367f6

SHA1
285c25d7dbdaf708d3dd43b5dc20903567dc0b30

SHA256
6ae658828bc4d0f9a99007f89a5834370468c01b06c4b93512af052d3dd001b0

SHA512
5f3a80ba5a70f317d2510b9c207a9b0b0dbca035ccfdf00fd8fb3ed0c4556555baf4acc598e141f584dbb752bff90c9355f639cb082fddc973103d461f4a52a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
351KB

MD5
bf6923c68fbbfb85129fbb0dba4367f6

SHA1
285c25d7dbdaf708d3dd43b5dc20903567dc0b30

SHA256
6ae658828bc4d0f9a99007f89a5834370468c01b06c4b93512af052d3dd001b0

SHA512
5f3a80ba5a70f317d2510b9c207a9b0b0dbca035ccfdf00fd8fb3ed0c4556555baf4acc598e141f584dbb752bff90c9355f639cb082fddc973103d461f4a52a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
351KB

MD5
bf6923c68fbbfb85129fbb0dba4367f6

SHA1
285c25d7dbdaf708d3dd43b5dc20903567dc0b30

SHA256
6ae658828bc4d0f9a99007f89a5834370468c01b06c4b93512af052d3dd001b0

SHA512
5f3a80ba5a70f317d2510b9c207a9b0b0dbca035ccfdf00fd8fb3ed0c4556555baf4acc598e141f584dbb752bff90c9355f639cb082fddc973103d461f4a52a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
351KB

MD5
bf6923c68fbbfb85129fbb0dba4367f6

SHA1
285c25d7dbdaf708d3dd43b5dc20903567dc0b30

SHA256
6ae658828bc4d0f9a99007f89a5834370468c01b06c4b93512af052d3dd001b0

SHA512
5f3a80ba5a70f317d2510b9c207a9b0b0dbca035ccfdf00fd8fb3ed0c4556555baf4acc598e141f584dbb752bff90c9355f639cb082fddc973103d461f4a52a0

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
c35f93e634b81f2cb003c72a1fb9d1f2

SHA1
9b6c533eebab7958e9e167ab93a412d5411c7a89

SHA256
6afae199db9be5b7c4c5dac778ec8c45051666d11f93dd93c1700beb20e1136f

SHA512
5cc512763da54bc66ffff42e02dc28ad9cda03e46a8b9181425c619815fb7c7afe3a71fc73742e151e26de7a21ade101e59d6853fe70b7d99ea93195325c010d

Download Submit
C:\Windows\hosts.exe

Filesize
351KB

MD5
996d8ddc575f19cf74dc970facba6ded

SHA1
b2c0f2c56c13de4d7468b538880f9440b709cbc2

SHA256
8ae5883b9af9db8a3a6a1e94b765891607e7ebae69226ed8f87e83b864fc66c6

SHA512
484a314aaa133cf213a901f5a89ae76a37d840506a0ee2023c53cd7639bc9817bec14bfff838575417fc46a75fe93e22223db784b29d651e21c7cb2f8367a465

Download Submit
C:\Windows\hosts.exe

Filesize
351KB

MD5
996d8ddc575f19cf74dc970facba6ded

SHA1
b2c0f2c56c13de4d7468b538880f9440b709cbc2

SHA256
8ae5883b9af9db8a3a6a1e94b765891607e7ebae69226ed8f87e83b864fc66c6

SHA512
484a314aaa133cf213a901f5a89ae76a37d840506a0ee2023c53cd7639bc9817bec14bfff838575417fc46a75fe93e22223db784b29d651e21c7cb2f8367a465

Download Submit
C:\Windows\hosts.exe

Filesize
351KB

MD5
996d8ddc575f19cf74dc970facba6ded

SHA1
b2c0f2c56c13de4d7468b538880f9440b709cbc2

SHA256
8ae5883b9af9db8a3a6a1e94b765891607e7ebae69226ed8f87e83b864fc66c6

SHA512
484a314aaa133cf213a901f5a89ae76a37d840506a0ee2023c53cd7639bc9817bec14bfff838575417fc46a75fe93e22223db784b29d651e21c7cb2f8367a465

Download Submit
C:\Windows\hosts.exe

Filesize
351KB

MD5
996d8ddc575f19cf74dc970facba6ded

SHA1
b2c0f2c56c13de4d7468b538880f9440b709cbc2

SHA256
8ae5883b9af9db8a3a6a1e94b765891607e7ebae69226ed8f87e83b864fc66c6

SHA512
484a314aaa133cf213a901f5a89ae76a37d840506a0ee2023c53cd7639bc9817bec14bfff838575417fc46a75fe93e22223db784b29d651e21c7cb2f8367a465

Download Submit
C:\windows\hosts.exe

Filesize
351KB

MD5
996d8ddc575f19cf74dc970facba6ded

SHA1
b2c0f2c56c13de4d7468b538880f9440b709cbc2

SHA256
8ae5883b9af9db8a3a6a1e94b765891607e7ebae69226ed8f87e83b864fc66c6

SHA512
484a314aaa133cf213a901f5a89ae76a37d840506a0ee2023c53cd7639bc9817bec14bfff838575417fc46a75fe93e22223db784b29d651e21c7cb2f8367a465

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads