75252465fd562d56fe07990cd992a5f32bfaabeaa21f29c763762ddf3898d603

Analysis

max time kernel
158s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2023, 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.9f8d90381cce6d6efa9e5d1bc5835ab0.exe
Size

4.3MB
MD5

9f8d90381cce6d6efa9e5d1bc5835ab0
SHA1

e92fbaac46051b28d1e751da21a68b875284bedf
SHA256

75252465fd562d56fe07990cd992a5f32bfaabeaa21f29c763762ddf3898d603
SHA512

94b1e774cb4a17ccd724cc037612fc5609261f894988afaf21cd00e0d27f4a3af34cca81244fde5503e7e67895ec34ce90f3735af7ec30c7c9d9ab79a4afd78e
SSDEEP

98304:gm7um7om7Vm7om7um7om7Vm7om7um7om7Vm7om7um7om7Vm7om7um7om7Vm7om77:gm7um7om7Vm7om7um7om7Vm7om7um7ot

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.9f8d90381cce6d6efa9e5d1bc5835ab0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	NEAS.9f8d90381cce6d6efa9e5d1bc5835ab0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\FEUTZCII = "W_X_C.bat"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\FEUTZCII = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\FEUTZCII = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 6 IoCs

pid	Process
2812	avscan.exe
2168	avscan.exe
4864	hosts.exe
3708	hosts.exe
1640	avscan.exe
1768	hosts.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	NEAS.9f8d90381cce6d6efa9e5d1bc5835ab0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\W_X_C.vbs	NEAS.9f8d90381cce6d6efa9e5d1bc5835ab0.exe
File created	\??\c:\windows\W_X_C.bat	NEAS.9f8d90381cce6d6efa9e5d1bc5835ab0.exe
File opened for modification	C:\Windows\hosts.exe	NEAS.9f8d90381cce6d6efa9e5d1bc5835ab0.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings	NEAS.9f8d90381cce6d6efa9e5d1bc5835ab0.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
1664	REG.exe
2316	REG.exe
4540	REG.exe
700	REG.exe
1716	REG.exe
4272	REG.exe
4684	REG.exe
316	REG.exe
3584	REG.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
1776	NEAS.9f8d90381cce6d6efa9e5d1bc5835ab0.exe
2812	avscan.exe
3708	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1776	NEAS.9f8d90381cce6d6efa9e5d1bc5835ab0.exe
2812	avscan.exe
2168	avscan.exe
4864	hosts.exe
3708	hosts.exe
1640	avscan.exe
1768	hosts.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 4540	1776	NEAS.9f8d90381cce6d6efa9e5d1bc5835ab0.exe	89
PID 1776 wrote to memory of 4540	1776	NEAS.9f8d90381cce6d6efa9e5d1bc5835ab0.exe	89
PID 1776 wrote to memory of 4540	1776	NEAS.9f8d90381cce6d6efa9e5d1bc5835ab0.exe	89
PID 1776 wrote to memory of 2812	1776	NEAS.9f8d90381cce6d6efa9e5d1bc5835ab0.exe	93
PID 1776 wrote to memory of 2812	1776	NEAS.9f8d90381cce6d6efa9e5d1bc5835ab0.exe	93
PID 1776 wrote to memory of 2812	1776	NEAS.9f8d90381cce6d6efa9e5d1bc5835ab0.exe	93
PID 2812 wrote to memory of 2168	2812	avscan.exe	94
PID 2812 wrote to memory of 2168	2812	avscan.exe	94
PID 2812 wrote to memory of 2168	2812	avscan.exe	94
PID 2812 wrote to memory of 5112	2812	avscan.exe	95
PID 2812 wrote to memory of 5112	2812	avscan.exe	95
PID 2812 wrote to memory of 5112	2812	avscan.exe	95
PID 1776 wrote to memory of 4168	1776	NEAS.9f8d90381cce6d6efa9e5d1bc5835ab0.exe	96
PID 1776 wrote to memory of 4168	1776	NEAS.9f8d90381cce6d6efa9e5d1bc5835ab0.exe	96
PID 1776 wrote to memory of 4168	1776	NEAS.9f8d90381cce6d6efa9e5d1bc5835ab0.exe	96
PID 4168 wrote to memory of 3708	4168	cmd.exe	100
PID 4168 wrote to memory of 3708	4168	cmd.exe	100
PID 4168 wrote to memory of 3708	4168	cmd.exe	100
PID 5112 wrote to memory of 4864	5112	cmd.exe	99
PID 5112 wrote to memory of 4864	5112	cmd.exe	99
PID 5112 wrote to memory of 4864	5112	cmd.exe	99
PID 3708 wrote to memory of 1640	3708	hosts.exe	101
PID 3708 wrote to memory of 1640	3708	hosts.exe	101
PID 3708 wrote to memory of 1640	3708	hosts.exe	101
PID 3708 wrote to memory of 2916	3708	hosts.exe	102
PID 3708 wrote to memory of 2916	3708	hosts.exe	102
PID 3708 wrote to memory of 2916	3708	hosts.exe	102
PID 2916 wrote to memory of 1768	2916	cmd.exe	104
PID 2916 wrote to memory of 1768	2916	cmd.exe	104
PID 2916 wrote to memory of 1768	2916	cmd.exe	104
PID 2916 wrote to memory of 2816	2916	cmd.exe	106
PID 5112 wrote to memory of 2472	5112	cmd.exe	107
PID 5112 wrote to memory of 2472	5112	cmd.exe	107
PID 2916 wrote to memory of 2816	2916	cmd.exe	106
PID 5112 wrote to memory of 2472	5112	cmd.exe	107
PID 2916 wrote to memory of 2816	2916	cmd.exe	106
PID 4168 wrote to memory of 3028	4168	cmd.exe	108
PID 4168 wrote to memory of 3028	4168	cmd.exe	108
PID 4168 wrote to memory of 3028	4168	cmd.exe	108
PID 2812 wrote to memory of 4684	2812	avscan.exe	111
PID 2812 wrote to memory of 4684	2812	avscan.exe	111
PID 2812 wrote to memory of 4684	2812	avscan.exe	111
PID 3708 wrote to memory of 700	3708	hosts.exe	113
PID 3708 wrote to memory of 700	3708	hosts.exe	113
PID 3708 wrote to memory of 700	3708	hosts.exe	113
PID 2812 wrote to memory of 316	2812	avscan.exe	116
PID 2812 wrote to memory of 316	2812	avscan.exe	116
PID 2812 wrote to memory of 316	2812	avscan.exe	116
PID 3708 wrote to memory of 3584	3708	hosts.exe	118
PID 3708 wrote to memory of 3584	3708	hosts.exe	118
PID 3708 wrote to memory of 3584	3708	hosts.exe	118
PID 2812 wrote to memory of 1716	2812	avscan.exe	119
PID 2812 wrote to memory of 1716	2812	avscan.exe	119
PID 2812 wrote to memory of 1716	2812	avscan.exe	119
PID 3708 wrote to memory of 1664	3708	hosts.exe	121
PID 3708 wrote to memory of 1664	3708	hosts.exe	121
PID 3708 wrote to memory of 1664	3708	hosts.exe	121
PID 2812 wrote to memory of 2316	2812	avscan.exe	123
PID 2812 wrote to memory of 2316	2812	avscan.exe	123
PID 2812 wrote to memory of 2316	2812	avscan.exe	123
PID 3708 wrote to memory of 4272	3708	hosts.exe	125
PID 3708 wrote to memory of 4272	3708	hosts.exe	125
PID 3708 wrote to memory of 4272	3708	hosts.exe	125

C:\Users\Admin\AppData\Local\Temp\NEAS.9f8d90381cce6d6efa9e5d1bc5835ab0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.9f8d90381cce6d6efa9e5d1bc5835ab0.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:4540
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5112
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4864
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:2472
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:4684
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:316
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1716
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:2316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4168
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3708
  - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2916
    - - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1768
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        5⤵
        Adds policy Run key to start application
        
        PID:2816
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:700
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:3584
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1664
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:4272
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:3028

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
4.3MB

MD5
03abd4c70c3036eb9d47877ec151cffb

SHA1
375e0192606acd0a6483441eeedcedc866b1bda3

SHA256
ff698a0b4e783df3c25c7047482be4f901cec9839203cc2f0f7069f935e33b70

SHA512
324b6236939adef7ab1472d764ca38326a9a612249ad8243140f9b002799b632a80d815133d73dcbd5a8cf80982c1f1c33efa8bd1584e6ebe42d97571473e77c

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
4.3MB

MD5
03abd4c70c3036eb9d47877ec151cffb

SHA1
375e0192606acd0a6483441eeedcedc866b1bda3

SHA256
ff698a0b4e783df3c25c7047482be4f901cec9839203cc2f0f7069f935e33b70

SHA512
324b6236939adef7ab1472d764ca38326a9a612249ad8243140f9b002799b632a80d815133d73dcbd5a8cf80982c1f1c33efa8bd1584e6ebe42d97571473e77c

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
4.3MB

MD5
03abd4c70c3036eb9d47877ec151cffb

SHA1
375e0192606acd0a6483441eeedcedc866b1bda3

SHA256
ff698a0b4e783df3c25c7047482be4f901cec9839203cc2f0f7069f935e33b70

SHA512
324b6236939adef7ab1472d764ca38326a9a612249ad8243140f9b002799b632a80d815133d73dcbd5a8cf80982c1f1c33efa8bd1584e6ebe42d97571473e77c

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
4.3MB

MD5
03abd4c70c3036eb9d47877ec151cffb

SHA1
375e0192606acd0a6483441eeedcedc866b1bda3

SHA256
ff698a0b4e783df3c25c7047482be4f901cec9839203cc2f0f7069f935e33b70

SHA512
324b6236939adef7ab1472d764ca38326a9a612249ad8243140f9b002799b632a80d815133d73dcbd5a8cf80982c1f1c33efa8bd1584e6ebe42d97571473e77c

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
8dc761a5bd70aa8de0e69df734cc1b5d

SHA1
141b753bb62edf7c09bcae744b837fe6cbd54b87

SHA256
6ba885c570d52ea2e9385e0d91b5a9235813e450798ea73815853e6941212682

SHA512
3c03d3f6a865f04bfcbc69deec00db554e9a6e84c8375e4d0a509cb5a72e6c0cbd35dd75d53e2edce63bcd7b6ff63d6c33be6203332fa34d4f6643c138ab8437

Download Submit
C:\Windows\hosts.exe

Filesize
4.3MB

MD5
775ab9b300bb2058c409a537710c8227

SHA1
9a20bf108c534b00c97cb08038c1a52279da858f

SHA256
235a8147d720c16a119bd6188b30896635a5e8265158129af72383e29c1986f8

SHA512
1e2d7cccba8943ff561a1097088d616f70cb7aee9728707814be13c944e5b335304ce66088423d5811c07ddc002e39bf5572d1e9e03f8701c7856770825338a4

Download Submit
C:\Windows\hosts.exe

Filesize
4.3MB

MD5
775ab9b300bb2058c409a537710c8227

SHA1
9a20bf108c534b00c97cb08038c1a52279da858f

SHA256
235a8147d720c16a119bd6188b30896635a5e8265158129af72383e29c1986f8

SHA512
1e2d7cccba8943ff561a1097088d616f70cb7aee9728707814be13c944e5b335304ce66088423d5811c07ddc002e39bf5572d1e9e03f8701c7856770825338a4

Download Submit
C:\Windows\hosts.exe

Filesize
4.3MB

MD5
775ab9b300bb2058c409a537710c8227

SHA1
9a20bf108c534b00c97cb08038c1a52279da858f

SHA256
235a8147d720c16a119bd6188b30896635a5e8265158129af72383e29c1986f8

SHA512
1e2d7cccba8943ff561a1097088d616f70cb7aee9728707814be13c944e5b335304ce66088423d5811c07ddc002e39bf5572d1e9e03f8701c7856770825338a4

Download Submit
C:\Windows\hosts.exe

Filesize
4.3MB

MD5
775ab9b300bb2058c409a537710c8227

SHA1
9a20bf108c534b00c97cb08038c1a52279da858f

SHA256
235a8147d720c16a119bd6188b30896635a5e8265158129af72383e29c1986f8

SHA512
1e2d7cccba8943ff561a1097088d616f70cb7aee9728707814be13c944e5b335304ce66088423d5811c07ddc002e39bf5572d1e9e03f8701c7856770825338a4

Download Submit
C:\Windows\hosts.exe

Filesize
4.3MB

MD5
775ab9b300bb2058c409a537710c8227

SHA1
9a20bf108c534b00c97cb08038c1a52279da858f

SHA256
235a8147d720c16a119bd6188b30896635a5e8265158129af72383e29c1986f8

SHA512
1e2d7cccba8943ff561a1097088d616f70cb7aee9728707814be13c944e5b335304ce66088423d5811c07ddc002e39bf5572d1e9e03f8701c7856770825338a4

Download Submit
C:\windows\hosts.exe

Filesize
4.3MB

MD5
775ab9b300bb2058c409a537710c8227

SHA1
9a20bf108c534b00c97cb08038c1a52279da858f

SHA256
235a8147d720c16a119bd6188b30896635a5e8265158129af72383e29c1986f8

SHA512
1e2d7cccba8943ff561a1097088d616f70cb7aee9728707814be13c944e5b335304ce66088423d5811c07ddc002e39bf5572d1e9e03f8701c7856770825338a4

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads