9a23c61502141ca5a2be7d1649f740041e1c836fbfbb291726fbb083f8e91f34

Analysis

max time kernel
125s
max time network
123s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
21/10/2023, 21:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.702ee218cab1cca6d1c9d68681cef620.exe
Size

5.5MB
MD5

702ee218cab1cca6d1c9d68681cef620
SHA1

798ee2288f421c71062610ec89d44aa2b66c0f0c
SHA256

9a23c61502141ca5a2be7d1649f740041e1c836fbfbb291726fbb083f8e91f34
SHA512

5fdaf8a8416c359bd1d2a4b8d24ab0817145859703061ab121911147e027c0f5bb9a800aa2154ca85398fbf529216f312a0ed5755aa73dba5b7381ce07145d79
SSDEEP

98304:gm7Nm7om7Nm7om7Nm7om7Nm7om7Nm7om7Nm7om7Nm7om7Nm7om7Nm7om7Nm7om7c:gm7Nm7om7Nm7om7Nm7om7Nm7om7Nm7oM

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.702ee218cab1cca6d1c9d68681cef620.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	NEAS.702ee218cab1cca6d1c9d68681cef620.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\URUOZWGF = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\URUOZWGF = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\URUOZWGF = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
2108	avscan.exe
2940	avscan.exe
2016	hosts.exe
2696	hosts.exe
2052	avscan.exe
2868	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
1980	NEAS.702ee218cab1cca6d1c9d68681cef620.exe
1980	NEAS.702ee218cab1cca6d1c9d68681cef620.exe
2108	avscan.exe
2016	hosts.exe
2016	hosts.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	NEAS.702ee218cab1cca6d1c9d68681cef620.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\W_X_C.vbs	NEAS.702ee218cab1cca6d1c9d68681cef620.exe
File created	\??\c:\windows\W_X_C.bat	NEAS.702ee218cab1cca6d1c9d68681cef620.exe
File opened for modification	C:\Windows\hosts.exe	NEAS.702ee218cab1cca6d1c9d68681cef620.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 5 IoCs

Modify Registry

T1112

pid	Process
2516	REG.exe
1248	REG.exe
1288	REG.exe
2208	REG.exe
1848	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2108	avscan.exe
2016	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1980	NEAS.702ee218cab1cca6d1c9d68681cef620.exe
2108	avscan.exe
2940	avscan.exe
2016	hosts.exe
2696	hosts.exe
2052	avscan.exe
2868	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 2208	1980	NEAS.702ee218cab1cca6d1c9d68681cef620.exe	28
PID 1980 wrote to memory of 2208	1980	NEAS.702ee218cab1cca6d1c9d68681cef620.exe	28
PID 1980 wrote to memory of 2208	1980	NEAS.702ee218cab1cca6d1c9d68681cef620.exe	28
PID 1980 wrote to memory of 2208	1980	NEAS.702ee218cab1cca6d1c9d68681cef620.exe	28
PID 1980 wrote to memory of 2108	1980	NEAS.702ee218cab1cca6d1c9d68681cef620.exe	30
PID 1980 wrote to memory of 2108	1980	NEAS.702ee218cab1cca6d1c9d68681cef620.exe	30
PID 1980 wrote to memory of 2108	1980	NEAS.702ee218cab1cca6d1c9d68681cef620.exe	30
PID 1980 wrote to memory of 2108	1980	NEAS.702ee218cab1cca6d1c9d68681cef620.exe	30
PID 2108 wrote to memory of 2940	2108	avscan.exe	31
PID 2108 wrote to memory of 2940	2108	avscan.exe	31
PID 2108 wrote to memory of 2940	2108	avscan.exe	31
PID 2108 wrote to memory of 2940	2108	avscan.exe	31
PID 2108 wrote to memory of 2616	2108	avscan.exe	35
PID 2108 wrote to memory of 2616	2108	avscan.exe	35
PID 2108 wrote to memory of 2616	2108	avscan.exe	35
PID 2108 wrote to memory of 2616	2108	avscan.exe	35
PID 1980 wrote to memory of 2928	1980	NEAS.702ee218cab1cca6d1c9d68681cef620.exe	34
PID 1980 wrote to memory of 2928	1980	NEAS.702ee218cab1cca6d1c9d68681cef620.exe	34
PID 1980 wrote to memory of 2928	1980	NEAS.702ee218cab1cca6d1c9d68681cef620.exe	34
PID 1980 wrote to memory of 2928	1980	NEAS.702ee218cab1cca6d1c9d68681cef620.exe	34
PID 2616 wrote to memory of 2016	2616	cmd.exe	37
PID 2616 wrote to memory of 2016	2616	cmd.exe	37
PID 2616 wrote to memory of 2016	2616	cmd.exe	37
PID 2616 wrote to memory of 2016	2616	cmd.exe	37
PID 2928 wrote to memory of 2696	2928	cmd.exe	36
PID 2928 wrote to memory of 2696	2928	cmd.exe	36
PID 2928 wrote to memory of 2696	2928	cmd.exe	36
PID 2928 wrote to memory of 2696	2928	cmd.exe	36
PID 2016 wrote to memory of 2052	2016	hosts.exe	38
PID 2016 wrote to memory of 2052	2016	hosts.exe	38
PID 2016 wrote to memory of 2052	2016	hosts.exe	38
PID 2016 wrote to memory of 2052	2016	hosts.exe	38
PID 2016 wrote to memory of 2560	2016	hosts.exe	39
PID 2016 wrote to memory of 2560	2016	hosts.exe	39
PID 2016 wrote to memory of 2560	2016	hosts.exe	39
PID 2016 wrote to memory of 2560	2016	hosts.exe	39
PID 2560 wrote to memory of 2868	2560	cmd.exe	41
PID 2560 wrote to memory of 2868	2560	cmd.exe	41
PID 2560 wrote to memory of 2868	2560	cmd.exe	41
PID 2560 wrote to memory of 2868	2560	cmd.exe	41
PID 2616 wrote to memory of 1756	2616	cmd.exe	43
PID 2616 wrote to memory of 1756	2616	cmd.exe	43
PID 2616 wrote to memory of 1756	2616	cmd.exe	43
PID 2616 wrote to memory of 1756	2616	cmd.exe	43
PID 2928 wrote to memory of 1820	2928	cmd.exe	42
PID 2928 wrote to memory of 1820	2928	cmd.exe	42
PID 2928 wrote to memory of 1820	2928	cmd.exe	42
PID 2928 wrote to memory of 1820	2928	cmd.exe	42
PID 2108 wrote to memory of 1848	2108	avscan.exe	44
PID 2108 wrote to memory of 1848	2108	avscan.exe	44
PID 2108 wrote to memory of 1848	2108	avscan.exe	44
PID 2108 wrote to memory of 1848	2108	avscan.exe	44
PID 2016 wrote to memory of 2516	2016	hosts.exe	46
PID 2016 wrote to memory of 2516	2016	hosts.exe	46
PID 2016 wrote to memory of 2516	2016	hosts.exe	46
PID 2016 wrote to memory of 2516	2016	hosts.exe	46
PID 2108 wrote to memory of 1248	2108	avscan.exe	50
PID 2108 wrote to memory of 1248	2108	avscan.exe	50
PID 2108 wrote to memory of 1248	2108	avscan.exe	50
PID 2108 wrote to memory of 1248	2108	avscan.exe	50
PID 2016 wrote to memory of 1288	2016	hosts.exe	52
PID 2016 wrote to memory of 1288	2016	hosts.exe	52
PID 2016 wrote to memory of 1288	2016	hosts.exe	52
PID 2016 wrote to memory of 1288	2016	hosts.exe	52

C:\Users\Admin\AppData\Local\Temp\NEAS.702ee218cab1cca6d1c9d68681cef620.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.702ee218cab1cca6d1c9d68681cef620.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:2208
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2016
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2052
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\W_X_C.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2560
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2868
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:2300
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:2516
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1288
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:1756
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1848
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1248
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2696
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:1820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
11.1MB

MD5
99e70272ef75fa161ab90d2ff79352f2

SHA1
f635cf132b1c8eb7a67e084156612e07eb92aeb8

SHA256
15344285369949e53948f21871e2ac3482f66316797569eb53de69a0bee3f143

SHA512
8200908f2dbb3a8f1c1f9a3ea1743ab8a782431b6238aad9f9b6d38b10ec3464d6e9f4d756be90e1475132d8d3539d05643f5b296ee90fe57e2038be480693a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
16.6MB

MD5
61e1b0f49ebfc511c54034ae1db7c73a

SHA1
24cc65e4bcaa3e32e417218dac94dd0bf81408eb

SHA256
ab457460cb409be125ce96fb43f31d50915db9dcef66973448aa440b98fa1b39

SHA512
7fa98620ab8256e0fa0ba6cce83cec58ee3621c8ebf1367ff9b8a6d1ee306871f355eef2234035631e47a5b721013ba28db9bdb55a0a37b74274aa9ba9036b01

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
22.1MB

MD5
87ad940d9629f47f0a7ef432be29de61

SHA1
146df540518e1cf905bac24b3978a9f20ed66468

SHA256
9c3522ae80b12fb6d4046a7142ef59b6518be66ebf2f3f5499523f55b26200ab

SHA512
2717cf6bb1c7ad5750290ceb9b36034066db27732a407cfc920cdafbdb34ba79d976931eba9dcd0ff0fb390dece12fdaa8a41d9736274785a2b5269622dbbe35

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
5.5MB

MD5
7410591190cf5d5f0d75f09c6f665b3d

SHA1
8d85933a15527eede55a5e28befeabd54115c413

SHA256
b4c4760e0b84dc01b58d083bd94e001dc0e569fd4202157a3ea56cdbd1edc692

SHA512
ade06966bb1f3c5d7b5bac4fb898f51dffae6b96b0c6e1f8e3d6d826185711713c99c5b50e73509b412efad1f32daa2028c1b28ee7be98fe56fe7aaea9de0591

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
5.5MB

MD5
7410591190cf5d5f0d75f09c6f665b3d

SHA1
8d85933a15527eede55a5e28befeabd54115c413

SHA256
b4c4760e0b84dc01b58d083bd94e001dc0e569fd4202157a3ea56cdbd1edc692

SHA512
ade06966bb1f3c5d7b5bac4fb898f51dffae6b96b0c6e1f8e3d6d826185711713c99c5b50e73509b412efad1f32daa2028c1b28ee7be98fe56fe7aaea9de0591

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
5.5MB

MD5
7410591190cf5d5f0d75f09c6f665b3d

SHA1
8d85933a15527eede55a5e28befeabd54115c413

SHA256
b4c4760e0b84dc01b58d083bd94e001dc0e569fd4202157a3ea56cdbd1edc692

SHA512
ade06966bb1f3c5d7b5bac4fb898f51dffae6b96b0c6e1f8e3d6d826185711713c99c5b50e73509b412efad1f32daa2028c1b28ee7be98fe56fe7aaea9de0591

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
5.5MB

MD5
7410591190cf5d5f0d75f09c6f665b3d

SHA1
8d85933a15527eede55a5e28befeabd54115c413

SHA256
b4c4760e0b84dc01b58d083bd94e001dc0e569fd4202157a3ea56cdbd1edc692

SHA512
ade06966bb1f3c5d7b5bac4fb898f51dffae6b96b0c6e1f8e3d6d826185711713c99c5b50e73509b412efad1f32daa2028c1b28ee7be98fe56fe7aaea9de0591

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
5.5MB

MD5
7410591190cf5d5f0d75f09c6f665b3d

SHA1
8d85933a15527eede55a5e28befeabd54115c413

SHA256
b4c4760e0b84dc01b58d083bd94e001dc0e569fd4202157a3ea56cdbd1edc692

SHA512
ade06966bb1f3c5d7b5bac4fb898f51dffae6b96b0c6e1f8e3d6d826185711713c99c5b50e73509b412efad1f32daa2028c1b28ee7be98fe56fe7aaea9de0591

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
8efe12486864409fbae311e782e263dc

SHA1
e7fe92017451e5a228942c5181fdb2bdd2d5951c

SHA256
565ae16d0c1339864ad7edae20551bf25fff8626d0ead51f046a1fa8babd518d

SHA512
5114517d34ca3ab2114f87139b390d29e0e5a9ad9e4dfb0548df94085bda60658284cf7fed3bb437727dcdc18f7fbd8cce7605a248696ce9720a052530f59059

Download Submit
C:\Windows\hosts.exe

Filesize
5.5MB

MD5
910a94a2c9733f0fd7b3140c9cfb3d38

SHA1
4d4414dc0271acbfc0a9c57b4bc10882acaa0191

SHA256
b4f68f8b2132d2ddf874fe9accfdd18a5eec4a4640b5bcf0d028bbd66b1f41a8

SHA512
c620a58b4fcac551d75cebf8f5fd42f28e0b0147950d4af23569b085de58da42619da4ae8ebc0f7d45137a02d97b6b2de2541c48984808e820b99196da56986a

Download Submit
C:\Windows\hosts.exe

Filesize
5.5MB

MD5
910a94a2c9733f0fd7b3140c9cfb3d38

SHA1
4d4414dc0271acbfc0a9c57b4bc10882acaa0191

SHA256
b4f68f8b2132d2ddf874fe9accfdd18a5eec4a4640b5bcf0d028bbd66b1f41a8

SHA512
c620a58b4fcac551d75cebf8f5fd42f28e0b0147950d4af23569b085de58da42619da4ae8ebc0f7d45137a02d97b6b2de2541c48984808e820b99196da56986a

Download Submit
C:\Windows\hosts.exe

Filesize
5.5MB

MD5
910a94a2c9733f0fd7b3140c9cfb3d38

SHA1
4d4414dc0271acbfc0a9c57b4bc10882acaa0191

SHA256
b4f68f8b2132d2ddf874fe9accfdd18a5eec4a4640b5bcf0d028bbd66b1f41a8

SHA512
c620a58b4fcac551d75cebf8f5fd42f28e0b0147950d4af23569b085de58da42619da4ae8ebc0f7d45137a02d97b6b2de2541c48984808e820b99196da56986a

Download Submit
C:\Windows\hosts.exe

Filesize
5.5MB

MD5
910a94a2c9733f0fd7b3140c9cfb3d38

SHA1
4d4414dc0271acbfc0a9c57b4bc10882acaa0191

SHA256
b4f68f8b2132d2ddf874fe9accfdd18a5eec4a4640b5bcf0d028bbd66b1f41a8

SHA512
c620a58b4fcac551d75cebf8f5fd42f28e0b0147950d4af23569b085de58da42619da4ae8ebc0f7d45137a02d97b6b2de2541c48984808e820b99196da56986a

Download Submit
C:\windows\hosts.exe

Filesize
5.5MB

MD5
910a94a2c9733f0fd7b3140c9cfb3d38

SHA1
4d4414dc0271acbfc0a9c57b4bc10882acaa0191

SHA256
b4f68f8b2132d2ddf874fe9accfdd18a5eec4a4640b5bcf0d028bbd66b1f41a8

SHA512
c620a58b4fcac551d75cebf8f5fd42f28e0b0147950d4af23569b085de58da42619da4ae8ebc0f7d45137a02d97b6b2de2541c48984808e820b99196da56986a

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
5.5MB

MD5
7410591190cf5d5f0d75f09c6f665b3d

SHA1
8d85933a15527eede55a5e28befeabd54115c413

SHA256
b4c4760e0b84dc01b58d083bd94e001dc0e569fd4202157a3ea56cdbd1edc692

SHA512
ade06966bb1f3c5d7b5bac4fb898f51dffae6b96b0c6e1f8e3d6d826185711713c99c5b50e73509b412efad1f32daa2028c1b28ee7be98fe56fe7aaea9de0591

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
5.5MB

MD5
7410591190cf5d5f0d75f09c6f665b3d

SHA1
8d85933a15527eede55a5e28befeabd54115c413

SHA256
b4c4760e0b84dc01b58d083bd94e001dc0e569fd4202157a3ea56cdbd1edc692

SHA512
ade06966bb1f3c5d7b5bac4fb898f51dffae6b96b0c6e1f8e3d6d826185711713c99c5b50e73509b412efad1f32daa2028c1b28ee7be98fe56fe7aaea9de0591

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
5.5MB

MD5
7410591190cf5d5f0d75f09c6f665b3d

SHA1
8d85933a15527eede55a5e28befeabd54115c413

SHA256
b4c4760e0b84dc01b58d083bd94e001dc0e569fd4202157a3ea56cdbd1edc692

SHA512
ade06966bb1f3c5d7b5bac4fb898f51dffae6b96b0c6e1f8e3d6d826185711713c99c5b50e73509b412efad1f32daa2028c1b28ee7be98fe56fe7aaea9de0591

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
5.5MB

MD5
7410591190cf5d5f0d75f09c6f665b3d

SHA1
8d85933a15527eede55a5e28befeabd54115c413

SHA256
b4c4760e0b84dc01b58d083bd94e001dc0e569fd4202157a3ea56cdbd1edc692

SHA512
ade06966bb1f3c5d7b5bac4fb898f51dffae6b96b0c6e1f8e3d6d826185711713c99c5b50e73509b412efad1f32daa2028c1b28ee7be98fe56fe7aaea9de0591

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
5.5MB

MD5
7410591190cf5d5f0d75f09c6f665b3d

SHA1
8d85933a15527eede55a5e28befeabd54115c413

SHA256
b4c4760e0b84dc01b58d083bd94e001dc0e569fd4202157a3ea56cdbd1edc692

SHA512
ade06966bb1f3c5d7b5bac4fb898f51dffae6b96b0c6e1f8e3d6d826185711713c99c5b50e73509b412efad1f32daa2028c1b28ee7be98fe56fe7aaea9de0591

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads