1102ad15a84f32ac874383c808df23e29654f35bcae7df1aab0150e1708a3fa6

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 17:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.0c27c301c4175a8edfd2e116b16f41c0_JC.exe
Size

424KB
MD5

0c27c301c4175a8edfd2e116b16f41c0
SHA1

61af7180cb86be566c2099f9d657c4b225a75ca4
SHA256

1102ad15a84f32ac874383c808df23e29654f35bcae7df1aab0150e1708a3fa6
SHA512

129af3914d9d8b7667fa701616ff28ca0e3647b34450dd1b9a35fb4c851ea21421d97d80e45f7a23b6e18d161ec9d4bcb33ba2009b16e1f3418f177748ff2000
SSDEEP

6144:gDCwfG1bnxLEDrDCwfG1bnxLEDfKnydFb4YMIwT:g72bntEDr72bntEDSydjMLT

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.0c27c301c4175a8edfd2e116b16f41c0_JC.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	NEAS.0c27c301c4175a8edfd2e116b16f41c0_JC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\MDUTPCWA = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\MDUTPCWA = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\MDUTPCWA = "W_X_C.bat"	WScript.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 6 IoCs

pid	Process
3192	avscan.exe
4584	avscan.exe
2516	hosts.exe
468	hosts.exe
2908	avscan.exe
1092	hosts.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	NEAS.0c27c301c4175a8edfd2e116b16f41c0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\W_X_C.vbs	NEAS.0c27c301c4175a8edfd2e116b16f41c0_JC.exe
File created	\??\c:\windows\W_X_C.bat	NEAS.0c27c301c4175a8edfd2e116b16f41c0_JC.exe
File opened for modification	C:\Windows\hosts.exe	NEAS.0c27c301c4175a8edfd2e116b16f41c0_JC.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings	NEAS.0c27c301c4175a8edfd2e116b16f41c0_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
4628	REG.exe
3624	REG.exe
2968	REG.exe
2808	REG.exe
3768	REG.exe
2092	REG.exe
3888	REG.exe
4772	REG.exe
2320	REG.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
388	NEAS.0c27c301c4175a8edfd2e116b16f41c0_JC.exe
3192	avscan.exe
468	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
388	NEAS.0c27c301c4175a8edfd2e116b16f41c0_JC.exe
3192	avscan.exe
4584	avscan.exe
468	hosts.exe
2516	hosts.exe
2908	avscan.exe
1092	hosts.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 388 wrote to memory of 2092	388	NEAS.0c27c301c4175a8edfd2e116b16f41c0_JC.exe	82
PID 388 wrote to memory of 2092	388	NEAS.0c27c301c4175a8edfd2e116b16f41c0_JC.exe	82
PID 388 wrote to memory of 2092	388	NEAS.0c27c301c4175a8edfd2e116b16f41c0_JC.exe	82
PID 388 wrote to memory of 3192	388	NEAS.0c27c301c4175a8edfd2e116b16f41c0_JC.exe	84
PID 388 wrote to memory of 3192	388	NEAS.0c27c301c4175a8edfd2e116b16f41c0_JC.exe	84
PID 388 wrote to memory of 3192	388	NEAS.0c27c301c4175a8edfd2e116b16f41c0_JC.exe	84
PID 3192 wrote to memory of 4584	3192	avscan.exe	85
PID 3192 wrote to memory of 4584	3192	avscan.exe	85
PID 3192 wrote to memory of 4584	3192	avscan.exe	85
PID 3192 wrote to memory of 2164	3192	avscan.exe	86
PID 3192 wrote to memory of 2164	3192	avscan.exe	86
PID 3192 wrote to memory of 2164	3192	avscan.exe	86
PID 388 wrote to memory of 4760	388	NEAS.0c27c301c4175a8edfd2e116b16f41c0_JC.exe	87
PID 388 wrote to memory of 4760	388	NEAS.0c27c301c4175a8edfd2e116b16f41c0_JC.exe	87
PID 388 wrote to memory of 4760	388	NEAS.0c27c301c4175a8edfd2e116b16f41c0_JC.exe	87
PID 2164 wrote to memory of 2516	2164	cmd.exe	90
PID 2164 wrote to memory of 2516	2164	cmd.exe	90
PID 2164 wrote to memory of 2516	2164	cmd.exe	90
PID 4760 wrote to memory of 468	4760	cmd.exe	91
PID 4760 wrote to memory of 468	4760	cmd.exe	91
PID 4760 wrote to memory of 468	4760	cmd.exe	91
PID 468 wrote to memory of 2908	468	hosts.exe	92
PID 468 wrote to memory of 2908	468	hosts.exe	92
PID 468 wrote to memory of 2908	468	hosts.exe	92
PID 468 wrote to memory of 4476	468	hosts.exe	93
PID 468 wrote to memory of 4476	468	hosts.exe	93
PID 468 wrote to memory of 4476	468	hosts.exe	93
PID 4476 wrote to memory of 1092	4476	cmd.exe	95
PID 4476 wrote to memory of 1092	4476	cmd.exe	95
PID 4476 wrote to memory of 1092	4476	cmd.exe	95
PID 3192 wrote to memory of 4628	3192	avscan.exe	96
PID 3192 wrote to memory of 4628	3192	avscan.exe	96
PID 3192 wrote to memory of 4628	3192	avscan.exe	96
PID 2164 wrote to memory of 4404	2164	cmd.exe	102
PID 4760 wrote to memory of 3588	4760	cmd.exe	101
PID 2164 wrote to memory of 4404	2164	cmd.exe	102
PID 2164 wrote to memory of 4404	2164	cmd.exe	102
PID 4760 wrote to memory of 3588	4760	cmd.exe	101
PID 4760 wrote to memory of 3588	4760	cmd.exe	101
PID 4476 wrote to memory of 1480	4476	cmd.exe	103
PID 4476 wrote to memory of 1480	4476	cmd.exe	103
PID 4476 wrote to memory of 1480	4476	cmd.exe	103
PID 468 wrote to memory of 3624	468	hosts.exe	108
PID 468 wrote to memory of 3624	468	hosts.exe	108
PID 468 wrote to memory of 3624	468	hosts.exe	108
PID 3192 wrote to memory of 3888	3192	avscan.exe	111
PID 3192 wrote to memory of 3888	3192	avscan.exe	111
PID 3192 wrote to memory of 3888	3192	avscan.exe	111
PID 468 wrote to memory of 2968	468	hosts.exe	116
PID 468 wrote to memory of 2968	468	hosts.exe	116
PID 468 wrote to memory of 2968	468	hosts.exe	116
PID 3192 wrote to memory of 2808	3192	avscan.exe	118
PID 3192 wrote to memory of 2808	3192	avscan.exe	118
PID 3192 wrote to memory of 2808	3192	avscan.exe	118
PID 468 wrote to memory of 4772	468	hosts.exe	120
PID 468 wrote to memory of 4772	468	hosts.exe	120
PID 468 wrote to memory of 4772	468	hosts.exe	120
PID 3192 wrote to memory of 2320	3192	avscan.exe	122
PID 3192 wrote to memory of 2320	3192	avscan.exe	122
PID 3192 wrote to memory of 2320	3192	avscan.exe	122
PID 468 wrote to memory of 3768	468	hosts.exe	124
PID 468 wrote to memory of 3768	468	hosts.exe	124
PID 468 wrote to memory of 3768	468	hosts.exe	124

C:\Users\Admin\AppData\Local\Temp\NEAS.0c27c301c4175a8edfd2e116b16f41c0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.0c27c301c4175a8edfd2e116b16f41c0_JC.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:388
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:2092
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3192
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2516
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:4404
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:4628
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:3888
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:2808
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:2320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:468
  - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2908
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4476
    - - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1092
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        5⤵
        Adds policy Run key to start application
        
        PID:1480
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:3624
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:2968
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:4772
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:3768
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:3588

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
424KB

MD5
29428a0ff5102970d9b76609679bad81

SHA1
dcad56ddadc962875e2b54e30bfde8b670a4985a

SHA256
175c56fe4e5294bfbbb9d9a3a36579caf86613c81a70ed997eae251231f5ddd5

SHA512
4a60960e9b8e6b3653f00920aa2e526b62b31c2bf5b143b6bd06cb77511cab761774ecebb99ddb319e419aa02bae1f0bb73dce74322684c34cc37f6735457e62

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
424KB

MD5
29428a0ff5102970d9b76609679bad81

SHA1
dcad56ddadc962875e2b54e30bfde8b670a4985a

SHA256
175c56fe4e5294bfbbb9d9a3a36579caf86613c81a70ed997eae251231f5ddd5

SHA512
4a60960e9b8e6b3653f00920aa2e526b62b31c2bf5b143b6bd06cb77511cab761774ecebb99ddb319e419aa02bae1f0bb73dce74322684c34cc37f6735457e62

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
424KB

MD5
29428a0ff5102970d9b76609679bad81

SHA1
dcad56ddadc962875e2b54e30bfde8b670a4985a

SHA256
175c56fe4e5294bfbbb9d9a3a36579caf86613c81a70ed997eae251231f5ddd5

SHA512
4a60960e9b8e6b3653f00920aa2e526b62b31c2bf5b143b6bd06cb77511cab761774ecebb99ddb319e419aa02bae1f0bb73dce74322684c34cc37f6735457e62

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
424KB

MD5
29428a0ff5102970d9b76609679bad81

SHA1
dcad56ddadc962875e2b54e30bfde8b670a4985a

SHA256
175c56fe4e5294bfbbb9d9a3a36579caf86613c81a70ed997eae251231f5ddd5

SHA512
4a60960e9b8e6b3653f00920aa2e526b62b31c2bf5b143b6bd06cb77511cab761774ecebb99ddb319e419aa02bae1f0bb73dce74322684c34cc37f6735457e62

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
80a52bd4f75f3f3c8eb93cf1a1c69ad7

SHA1
ec1a392b471c5b2638490b6bf77786892860c56d

SHA256
aecdad2f87e4274dda58f2ac7dc2b07fe2ea55ba2a55293350f613f93f047fcb

SHA512
b76d8c3fc70f80a994e4b8f7b74892185280e28681e1a5e4909bb880ac74fb18d2e34856663f8693985e9f45bb5c885c1dc174e4fd249348a2dfa602e7a3c504

Download Submit
C:\Windows\hosts.exe

Filesize
424KB

MD5
a6331afec6e8281328701395b152e70a

SHA1
0dfcc62f4fd75e3ceaa2629b61aeace12074815d

SHA256
086a249cd953a796457bd4b1439432a4ce68006f1a8bd6570db7ebad72c5b25c

SHA512
5707cd5bb925399391eb2f5f7e0740e5be6eee81fcbf1af4a4fdbc386b86f40a45cba2cbd6587d6127c1894bfcc4d4cec52232462e6e3acadb8edd5715fe63d0

Download Submit
C:\Windows\hosts.exe

Filesize
424KB

MD5
a6331afec6e8281328701395b152e70a

SHA1
0dfcc62f4fd75e3ceaa2629b61aeace12074815d

SHA256
086a249cd953a796457bd4b1439432a4ce68006f1a8bd6570db7ebad72c5b25c

SHA512
5707cd5bb925399391eb2f5f7e0740e5be6eee81fcbf1af4a4fdbc386b86f40a45cba2cbd6587d6127c1894bfcc4d4cec52232462e6e3acadb8edd5715fe63d0

Download Submit
C:\Windows\hosts.exe

Filesize
424KB

MD5
a6331afec6e8281328701395b152e70a

SHA1
0dfcc62f4fd75e3ceaa2629b61aeace12074815d

SHA256
086a249cd953a796457bd4b1439432a4ce68006f1a8bd6570db7ebad72c5b25c

SHA512
5707cd5bb925399391eb2f5f7e0740e5be6eee81fcbf1af4a4fdbc386b86f40a45cba2cbd6587d6127c1894bfcc4d4cec52232462e6e3acadb8edd5715fe63d0

Download Submit
C:\Windows\hosts.exe

Filesize
424KB

MD5
a6331afec6e8281328701395b152e70a

SHA1
0dfcc62f4fd75e3ceaa2629b61aeace12074815d

SHA256
086a249cd953a796457bd4b1439432a4ce68006f1a8bd6570db7ebad72c5b25c

SHA512
5707cd5bb925399391eb2f5f7e0740e5be6eee81fcbf1af4a4fdbc386b86f40a45cba2cbd6587d6127c1894bfcc4d4cec52232462e6e3acadb8edd5715fe63d0

Download Submit
C:\Windows\hosts.exe

Filesize
424KB

MD5
a6331afec6e8281328701395b152e70a

SHA1
0dfcc62f4fd75e3ceaa2629b61aeace12074815d

SHA256
086a249cd953a796457bd4b1439432a4ce68006f1a8bd6570db7ebad72c5b25c

SHA512
5707cd5bb925399391eb2f5f7e0740e5be6eee81fcbf1af4a4fdbc386b86f40a45cba2cbd6587d6127c1894bfcc4d4cec52232462e6e3acadb8edd5715fe63d0

Download Submit
C:\windows\hosts.exe

Filesize
424KB

MD5
a6331afec6e8281328701395b152e70a

SHA1
0dfcc62f4fd75e3ceaa2629b61aeace12074815d

SHA256
086a249cd953a796457bd4b1439432a4ce68006f1a8bd6570db7ebad72c5b25c

SHA512
5707cd5bb925399391eb2f5f7e0740e5be6eee81fcbf1af4a4fdbc386b86f40a45cba2cbd6587d6127c1894bfcc4d4cec52232462e6e3acadb8edd5715fe63d0

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads