8ab298f486811beabfc16f34829598ec701d27d42f22a499b4186d7402153219

Analysis

max time kernel
198s
max time network
209s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ab298f486811beabfc16f34829598ec701d27d42f22a499b4186d7402153219.exe
Size

348KB
MD5

3909ca20eaf5f8f23af553418c9cb400
SHA1

b5069e4181276460ce4f364a74c3030f7da15c9d
SHA256

8ab298f486811beabfc16f34829598ec701d27d42f22a499b4186d7402153219
SHA512

349f9dbed04845cad7246261f577edf00c7e4f4692b658cb46d598e0993cf71a588ac23ee870651f0dadff63cf770bd7b3eaaf6143cde292b581c5dd74f16e84
SSDEEP

6144:gDCwfG1bnxLE3faDCwfG1bnxLE3fbmaGc:g72bntEi72bntEzTGc

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	8ab298f486811beabfc16f34829598ec701d27d42f22a499b4186d7402153219.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	8ab298f486811beabfc16f34829598ec701d27d42f22a499b4186d7402153219.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WIJBFSKT = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WIJBFSKT = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WIJBFSKT = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
308	avscan.exe
4952	avscan.exe
4280	hosts.exe
4408	hosts.exe
2824	avscan.exe
3160	hosts.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	cmd.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	8ab298f486811beabfc16f34829598ec701d27d42f22a499b4186d7402153219.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	8ab298f486811beabfc16f34829598ec701d27d42f22a499b4186d7402153219.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	\??\c:\windows\W_X_C.bat	8ab298f486811beabfc16f34829598ec701d27d42f22a499b4186d7402153219.exe
File opened for modification	C:\Windows\hosts.exe	8ab298f486811beabfc16f34829598ec701d27d42f22a499b4186d7402153219.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	8ab298f486811beabfc16f34829598ec701d27d42f22a499b4186d7402153219.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	8ab298f486811beabfc16f34829598ec701d27d42f22a499b4186d7402153219.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
2224	REG.exe
1356	REG.exe
1272	REG.exe
1280	REG.exe
3472	REG.exe
480	REG.exe
3868	REG.exe
3560	REG.exe
3340	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
308	avscan.exe
4280	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
5040	8ab298f486811beabfc16f34829598ec701d27d42f22a499b4186d7402153219.exe
308	avscan.exe
4952	avscan.exe
4280	hosts.exe
4408	hosts.exe
2824	avscan.exe
3160	hosts.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 1272	5040	8ab298f486811beabfc16f34829598ec701d27d42f22a499b4186d7402153219.exe	81
PID 5040 wrote to memory of 1272	5040	8ab298f486811beabfc16f34829598ec701d27d42f22a499b4186d7402153219.exe	81
PID 5040 wrote to memory of 1272	5040	8ab298f486811beabfc16f34829598ec701d27d42f22a499b4186d7402153219.exe	81
PID 5040 wrote to memory of 308	5040	8ab298f486811beabfc16f34829598ec701d27d42f22a499b4186d7402153219.exe	83
PID 5040 wrote to memory of 308	5040	8ab298f486811beabfc16f34829598ec701d27d42f22a499b4186d7402153219.exe	83
PID 5040 wrote to memory of 308	5040	8ab298f486811beabfc16f34829598ec701d27d42f22a499b4186d7402153219.exe	83
PID 308 wrote to memory of 4952	308	avscan.exe	84
PID 308 wrote to memory of 4952	308	avscan.exe	84
PID 308 wrote to memory of 4952	308	avscan.exe	84
PID 308 wrote to memory of 3788	308	avscan.exe	85
PID 308 wrote to memory of 3788	308	avscan.exe	85
PID 308 wrote to memory of 3788	308	avscan.exe	85
PID 5040 wrote to memory of 3164	5040	8ab298f486811beabfc16f34829598ec701d27d42f22a499b4186d7402153219.exe	86
PID 5040 wrote to memory of 3164	5040	8ab298f486811beabfc16f34829598ec701d27d42f22a499b4186d7402153219.exe	86
PID 5040 wrote to memory of 3164	5040	8ab298f486811beabfc16f34829598ec701d27d42f22a499b4186d7402153219.exe	86
PID 3164 wrote to memory of 4408	3164	cmd.exe	89
PID 3164 wrote to memory of 4408	3164	cmd.exe	89
PID 3164 wrote to memory of 4408	3164	cmd.exe	89
PID 3788 wrote to memory of 4280	3788	cmd.exe	90
PID 3788 wrote to memory of 4280	3788	cmd.exe	90
PID 3788 wrote to memory of 4280	3788	cmd.exe	90
PID 4280 wrote to memory of 2824	4280	hosts.exe	91
PID 4280 wrote to memory of 2824	4280	hosts.exe	91
PID 4280 wrote to memory of 2824	4280	hosts.exe	91
PID 4280 wrote to memory of 3840	4280	hosts.exe	92
PID 4280 wrote to memory of 3840	4280	hosts.exe	92
PID 4280 wrote to memory of 3840	4280	hosts.exe	92
PID 3840 wrote to memory of 3160	3840	cmd.exe	94
PID 3840 wrote to memory of 3160	3840	cmd.exe	94
PID 3840 wrote to memory of 3160	3840	cmd.exe	94
PID 3788 wrote to memory of 844	3788	cmd.exe	96
PID 3788 wrote to memory of 844	3788	cmd.exe	96
PID 3788 wrote to memory of 844	3788	cmd.exe	96
PID 3840 wrote to memory of 1680	3840	cmd.exe	98
PID 3840 wrote to memory of 1680	3840	cmd.exe	98
PID 3840 wrote to memory of 1680	3840	cmd.exe	98
PID 3164 wrote to memory of 4832	3164	cmd.exe	97
PID 3164 wrote to memory of 4832	3164	cmd.exe	97
PID 3164 wrote to memory of 4832	3164	cmd.exe	97
PID 308 wrote to memory of 1280	308	avscan.exe	99
PID 308 wrote to memory of 1280	308	avscan.exe	99
PID 308 wrote to memory of 1280	308	avscan.exe	99
PID 4280 wrote to memory of 2224	4280	hosts.exe	101
PID 4280 wrote to memory of 2224	4280	hosts.exe	101
PID 4280 wrote to memory of 2224	4280	hosts.exe	101
PID 4280 wrote to memory of 3340	4280	hosts.exe	106
PID 4280 wrote to memory of 3340	4280	hosts.exe	106
PID 4280 wrote to memory of 3340	4280	hosts.exe	106
PID 308 wrote to memory of 3560	308	avscan.exe	105
PID 308 wrote to memory of 3560	308	avscan.exe	105
PID 308 wrote to memory of 3560	308	avscan.exe	105
PID 4280 wrote to memory of 3472	4280	hosts.exe	111
PID 4280 wrote to memory of 3472	4280	hosts.exe	111
PID 4280 wrote to memory of 3472	4280	hosts.exe	111
PID 308 wrote to memory of 1356	308	avscan.exe	110
PID 308 wrote to memory of 1356	308	avscan.exe	110
PID 308 wrote to memory of 1356	308	avscan.exe	110
PID 4280 wrote to memory of 3868	4280	hosts.exe	116
PID 4280 wrote to memory of 3868	4280	hosts.exe	116
PID 4280 wrote to memory of 3868	4280	hosts.exe	116
PID 308 wrote to memory of 480	308	avscan.exe	115
PID 308 wrote to memory of 480	308	avscan.exe	115
PID 308 wrote to memory of 480	308	avscan.exe	115

C:\Users\Admin\AppData\Local\Temp\8ab298f486811beabfc16f34829598ec701d27d42f22a499b4186d7402153219.exe
"C:\Users\Admin\AppData\Local\Temp\8ab298f486811beabfc16f34829598ec701d27d42f22a499b4186d7402153219.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:1272
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:308
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3788
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4280
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2824
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
        5⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3840
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3160
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:1680
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:2224
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:3340
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:3472
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:3868
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:844
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1280
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:3560
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1356
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3164
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4408
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:4832

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
348KB

MD5
c66f4ef3f6bf5529ffa24429e9d65737

SHA1
5450efe183955d2b32e5a89c0fabf46edfc41133

SHA256
f7338cbadfd4a40c360cb82fc4f46ac871f223044e48274c566950a8ad8386b5

SHA512
34ae3d284e393cebb67f8e4cf9aa34fb91f87407f77950fb155bce1607c44c237c5ef5e60ac77e552bcc8d18874f7deeff099a616bbea4e02335a9ddb1bcb281

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
348KB

MD5
c66f4ef3f6bf5529ffa24429e9d65737

SHA1
5450efe183955d2b32e5a89c0fabf46edfc41133

SHA256
f7338cbadfd4a40c360cb82fc4f46ac871f223044e48274c566950a8ad8386b5

SHA512
34ae3d284e393cebb67f8e4cf9aa34fb91f87407f77950fb155bce1607c44c237c5ef5e60ac77e552bcc8d18874f7deeff099a616bbea4e02335a9ddb1bcb281

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
348KB

MD5
c66f4ef3f6bf5529ffa24429e9d65737

SHA1
5450efe183955d2b32e5a89c0fabf46edfc41133

SHA256
f7338cbadfd4a40c360cb82fc4f46ac871f223044e48274c566950a8ad8386b5

SHA512
34ae3d284e393cebb67f8e4cf9aa34fb91f87407f77950fb155bce1607c44c237c5ef5e60ac77e552bcc8d18874f7deeff099a616bbea4e02335a9ddb1bcb281

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
348KB

MD5
c66f4ef3f6bf5529ffa24429e9d65737

SHA1
5450efe183955d2b32e5a89c0fabf46edfc41133

SHA256
f7338cbadfd4a40c360cb82fc4f46ac871f223044e48274c566950a8ad8386b5

SHA512
34ae3d284e393cebb67f8e4cf9aa34fb91f87407f77950fb155bce1607c44c237c5ef5e60ac77e552bcc8d18874f7deeff099a616bbea4e02335a9ddb1bcb281

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
5f95187376125e68821db0d42b6e0a01

SHA1
24db87fd4f2e71873b08b285de3f584ed606bd7d

SHA256
f77ac566569872134310abf6755aaf712f96ddf7e544cd73fa03555415676777

SHA512
cecd0b1ab60ed7471870c6b5bb90d65b2e833d535f9a91aea96aae50a86e17fb15f23cd49da74d3ab6d50e54de75e02d9727d9b1d9ec2c32e3b80a4183c0a31c

Download Submit
C:\Windows\hosts.exe

Filesize
348KB

MD5
ba36fdca977789a794a60b38839a7140

SHA1
2ab3d338c21cd4c3fc9c1eee569f635dd980c0a5

SHA256
64a4282e47a78abe324601456e36d866103057963c73342f243c7462655d3271

SHA512
e582332dc39deef9240bf1a8929270b771402824a9d849dd28c2fbcfd2b403abce2cdce34bdb670a894c227c0d6ccc4a4a3f8863c5388df767e1234fbd3bd917

Download Submit
C:\Windows\hosts.exe

Filesize
348KB

MD5
ba36fdca977789a794a60b38839a7140

SHA1
2ab3d338c21cd4c3fc9c1eee569f635dd980c0a5

SHA256
64a4282e47a78abe324601456e36d866103057963c73342f243c7462655d3271

SHA512
e582332dc39deef9240bf1a8929270b771402824a9d849dd28c2fbcfd2b403abce2cdce34bdb670a894c227c0d6ccc4a4a3f8863c5388df767e1234fbd3bd917

Download Submit
C:\Windows\hosts.exe

Filesize
348KB

MD5
ba36fdca977789a794a60b38839a7140

SHA1
2ab3d338c21cd4c3fc9c1eee569f635dd980c0a5

SHA256
64a4282e47a78abe324601456e36d866103057963c73342f243c7462655d3271

SHA512
e582332dc39deef9240bf1a8929270b771402824a9d849dd28c2fbcfd2b403abce2cdce34bdb670a894c227c0d6ccc4a4a3f8863c5388df767e1234fbd3bd917

Download Submit
C:\Windows\hosts.exe

Filesize
348KB

MD5
ba36fdca977789a794a60b38839a7140

SHA1
2ab3d338c21cd4c3fc9c1eee569f635dd980c0a5

SHA256
64a4282e47a78abe324601456e36d866103057963c73342f243c7462655d3271

SHA512
e582332dc39deef9240bf1a8929270b771402824a9d849dd28c2fbcfd2b403abce2cdce34bdb670a894c227c0d6ccc4a4a3f8863c5388df767e1234fbd3bd917

Download Submit
C:\windows\hosts.exe

Filesize
348KB

MD5
ba36fdca977789a794a60b38839a7140

SHA1
2ab3d338c21cd4c3fc9c1eee569f635dd980c0a5

SHA256
64a4282e47a78abe324601456e36d866103057963c73342f243c7462655d3271

SHA512
e582332dc39deef9240bf1a8929270b771402824a9d849dd28c2fbcfd2b403abce2cdce34bdb670a894c227c0d6ccc4a4a3f8863c5388df767e1234fbd3bd917

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads