Malware Analysis Report

2025-01-06 11:41

Sample ID: 240603-e7rcaach37
Target: dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a
SHA256: dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a
Tags: evasion, persistence
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a

Threat Level: Known bad

The file dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

Adds policy Run key to start application

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-03 04:35

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-03 04:35
Reported: 2024-06-03 04:37
Platform: win7-20231129-en
Max time kernel: 122s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\windows\hosts.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\windows\hosts.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\SCFGBRBT = "W_X_C.bat" | C:\Windows\SysWOW64\WScript.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\WScript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\SCFGBRBT = "W_X_C.bat" | C:\Windows\SysWOW64\WScript.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\WScript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\SCFGBRBT = "W_X_C.bat" | C:\Windows\SysWOW64\WScript.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\WScript.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | C:\Users\Admin\AppData\Local\Temp\dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | C:\windows\hosts.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\hosts.exe | C:\Users\Admin\AppData\Local\Temp\dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a.exe | N/A
File opened for modification | C:\Windows\hosts.exe | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A
File opened for modification | C:\Windows\hosts.exe | C:\windows\hosts.exe | N/A
File created | C:\windows\W_X_C.vbs | C:\Users\Admin\AppData\Local\Temp\dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a.exe | N/A
File created | \??\c:\windows\W_X_C.bat | C:\Users\Admin\AppData\Local\Temp\dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a.exe | N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A
N/A | N/A | C:\windows\hosts.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2884 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a.exe | C:\Windows\SysWOW64\REG.exe
PID 2884 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a.exe | C:\Windows\SysWOW64\REG.exe
PID 2884 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a.exe | C:\Windows\SysWOW64\REG.exe
PID 2884 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a.exe | C:\Windows\SysWOW64\REG.exe
PID 2884 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a.exe | C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2884 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a.exe | C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2884 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a.exe | C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2884 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a.exe | C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2408 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2408 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2408 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2408 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2408 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Local\Temp\dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a.exe | C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Local\Temp\dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a.exe | C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Local\Temp\dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a.exe | C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Local\Temp\dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a.exe | C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2764 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\windows\hosts.exe
PID 2600 wrote to memory of 2764 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\windows\hosts.exe
PID 2600 wrote to memory of 2764 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\windows\hosts.exe
PID 2600 wrote to memory of 2764 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\windows\hosts.exe
PID 2832 wrote to memory of 2800 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\windows\hosts.exe
PID 2832 wrote to memory of 2800 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\windows\hosts.exe
PID 2832 wrote to memory of 2800 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\windows\hosts.exe
PID 2832 wrote to memory of 2800 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\windows\hosts.exe
PID 2832 wrote to memory of 2524 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WScript.exe
PID 2832 wrote to memory of 2524 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WScript.exe
PID 2832 wrote to memory of 2524 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WScript.exe
PID 2832 wrote to memory of 2524 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WScript.exe
PID 2764 wrote to memory of 1992 | N/A | C:\windows\hosts.exe | C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2764 wrote to memory of 1992 | N/A | C:\windows\hosts.exe | C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2764 wrote to memory of 1992 | N/A | C:\windows\hosts.exe | C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2764 wrote to memory of 1992 | N/A | C:\windows\hosts.exe | C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2764 wrote to memory of 1848 | N/A | C:\windows\hosts.exe | C:\Windows\SysWOW64\cmd.exe
PID 2764 wrote to memory of 1848 | N/A | C:\windows\hosts.exe | C:\Windows\SysWOW64\cmd.exe
PID 2764 wrote to memory of 1848 | N/A | C:\windows\hosts.exe | C:\Windows\SysWOW64\cmd.exe
PID 2764 wrote to memory of 1848 | N/A | C:\windows\hosts.exe | C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1928 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WScript.exe
PID 2600 wrote to memory of 1928 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WScript.exe
PID 2600 wrote to memory of 1928 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WScript.exe
PID 2600 wrote to memory of 1928 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WScript.exe
PID 1848 wrote to memory of 1676 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\windows\hosts.exe
PID 1848 wrote to memory of 1676 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\windows\hosts.exe
PID 1848 wrote to memory of 1676 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\windows\hosts.exe
PID 1848 wrote to memory of 1676 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\windows\hosts.exe
PID 1848 wrote to memory of 1168 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WScript.exe
PID 1848 wrote to memory of 1168 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WScript.exe
PID 1848 wrote to memory of 1168 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WScript.exe
PID 1848 wrote to memory of 1168 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WScript.exe
PID 2408 wrote to memory of 2912 | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | C:\Windows\SysWOW64\REG.exe
PID 2408 wrote to memory of 2912 | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | C:\Windows\SysWOW64\REG.exe
PID 2408 wrote to memory of 2912 | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | C:\Windows\SysWOW64\REG.exe
PID 2408 wrote to memory of 2912 | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | C:\Windows\SysWOW64\REG.exe
PID 2764 wrote to memory of 2100 | N/A | C:\windows\hosts.exe | C:\Windows\SysWOW64\REG.exe
PID 2764 wrote to memory of 2100 | N/A | C:\windows\hosts.exe | C:\Windows\SysWOW64\REG.exe
PID 2764 wrote to memory of 2100 | N/A | C:\windows\hosts.exe | C:\Windows\SysWOW64\REG.exe
PID 2764 wrote to memory of 2100 | N/A | C:\windows\hosts.exe | C:\Windows\SysWOW64\REG.exe
PID 2408 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | C:\Windows\SysWOW64\REG.exe
PID 2408 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | C:\Windows\SysWOW64\REG.exe
PID 2408 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | C:\Windows\SysWOW64\REG.exe
PID 2408 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | C:\Windows\SysWOW64\REG.exe

Processes

Process: C:\Users\Admin\AppData\Local\Temp\dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a.exe"

Process: C:\Windows\SysWOW64\REG.exe
Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

Process: C:\Users\Admin\AppData\Local\Temp\avscan.exe
Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe

Process: C:\Users\Admin\AppData\Local\Temp\avscan.exe
Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe

Process: C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c c:\windows\W_X_C.bat

Process: C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c c:\windows\W_X_C.bat

Process: C:\windows\hosts.exe
Command line: C:\windows\hosts.exe

Process: C:\windows\hosts.exe
Command line: C:\windows\hosts.exe

Process: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"

Process: C:\Users\Admin\AppData\Local\Temp\avscan.exe
Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe

Process: C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c c:\windows\W_X_C.bat

Process: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"

Process: C:\windows\hosts.exe
Command line: C:\windows\hosts.exe

Process: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"

Process: C:\Windows\SysWOW64\REG.exe
Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

Process: C:\Windows\SysWOW64\REG.exe
Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

Process: C:\Windows\SysWOW64\REG.exe
Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

Process: C:\Windows\SysWOW64\REG.exe
Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

Process: C:\Windows\SysWOW64\REG.exe
Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

Process: C:\Windows\SysWOW64\REG.exe
Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

Process: C:\Windows\SysWOW64\REG.exe
Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

Process: C:\Windows\SysWOW64\REG.exe
Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\avscan.exe

MD5 7327f388ffe118b9f908c3b44314a1cc
SHA1 713ed394a281e6ca3d8ed1826054d496ec920768
SHA256 49f50552e65479d5d9a056aa84833d041790e488774a75bfa8806184e3fa7732
SHA512 5b74b61aa86d30bf9246be9a4a312750cb31615d908c347de07104261c0a1867a7d98d33203d8825290551f7c4daf87ab600688e92c0b0b5bdf018362a12ccd3

C:\Windows\hosts.exe

MD5 5517d55b88f889a1c9d55ee4363d96b7
SHA1 055f572d8fde915e93704ce7929a290232daed98
SHA256 3bf25ae961bc64a2ce28f90edcc1c7177ea360ace9ae1e7d3259787c97c3a94e
SHA512 7d21cdc3ec1940b081b6a4a5408fe67c234a44242097adb0fbb49bf82cd81a916f7f4cc1e3628abc0c86792259a409c9478ef9753d8ffbd25d3ab186f8b242a6

\??\c:\windows\W_X_C.bat

MD5 4db9f8b6175722b62ececeeeba1ce307
SHA1 3b3ba8414706e72a6fa19e884a97b87609e11e47
SHA256 d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78
SHA512 1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

C:\Windows\W_X_C.vbs

MD5 213eeee0bf55b5002060609a41f54dda
SHA1 e4dcd3878c2ac69345e22c405dfe1035b6817dcd
SHA256 84e5623c8426cf9f7501e1fb0f83c4c3b1d55b56ea0502ef304fb711c84d42f2
SHA512 5ce9e9e476998b84805d76f45fcc1422f777061f7338c01b4f4cae71c0d0265b6fa55dfffe2eb5c37bc796b9ae6455bcb6a992e43add400bbb75f5056e311c44

memory/2832-48-0x0000000002690000-0x0000000002790000-memory.dmp

memory/1992-63-0x00000000001C0000-0x00000000001D0000-memory.dmp

memory/1992-62-0x00000000001C0000-0x00000000001D0000-memory.dmp

memory/2832-47-0x0000000002690000-0x0000000002790000-memory.dmp

memory/1676-68-0x0000000000220000-0x0000000000230000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

MD5 06d5047bc30b686a66232085b7816357
SHA1 6af37b4d99751ab5a024b47367f0998a30cef303
SHA256 bde10e02444e3b0b061752493905ae5debf4dd98149eef86d2284a9dbfac9127
SHA512 c6a853055970981ea10a724151c3ed32d54d5ddecbd6933cf928f7d68ef3e8a9a617872b53637d0e8c3ba1504d5bdf4dd945623c3b7f6d2ef0290f15353163b6

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

MD5 ee5be41facbfe2e705a2da407ba9a685
SHA1 c50d4fdf1dbaa906c0043469956fafdef8208d16
SHA256 8057735a5721ca2b32e664597467a6559f96d1eb716c7bb655388dc93cf6e00c
SHA512 e71099efc26d8548a19b8d5d5b8701dd5f3523cc5092cfce64fe12882640ead5a6d06d924d933fc2f282d6b5c124dd3bc78252a21c1990acbfd71f39f0a813e2

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

MD5 7dbf5c4f111915c016b3db33d6630bd8
SHA1 6469039ff8b18f46be5cdc04f6785b11315a4c77
SHA256 74797690646c6265fd39559fdbf2849c7bf89dff7ba073fd8a8672cad5e4a422
SHA512 d46b0557bdc6b56da6c9e26d01c7fa8ee49650896cee509c5b2f703270298671b37743660690444442f80af961cb5762aae28bfdcd9ef66ca59c5177937618d9

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

MD5 d576c84d2187113850502698128c176a
SHA1 d4840063a2afc1fac456505ed8ded0878d41766d
SHA256 a29976aec5646cc4d2f45b9ca2cfa0a61afbc9e77ffc65dc0fb8837abcc345e5
SHA512 cbee6e945225e1f5a059a094be668ccf6ee82b7d92d1c217018263e8182f837bc528ff3c9d0dfe1892ac6872f61ee8eda4c96d53391a96e12e59be53fe881915

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

MD5 58b8cbe9523f7ccea1ecdee436fbac06
SHA1 0399c76963db9cf3d520b28a5cd51788197a8264
SHA256 d6bd9bbebd3ec956c83e2aca650f2cfb2e3e0965eecca25a0b5f7e8a73ca2c2e
SHA512 b3f452ed1cfd281f08298fe3c11a3212a41887c7488fa5081a9dd1986f57db2ca39ef335693531438c0bb6343bdd66e67dea0228637592d33b313f136dcca96d

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

MD5 c3a830b85ef4d0d8366a81731f0897fd
SHA1 7a1815a46c4bdcec58f90aabb38c25bdf32fe449
SHA256 c9bb41cb432f9d7b4aa268e063d12856b17853cfc21a182f11af195ea33f5b48
SHA512 392816dfaf6a79aaf5ea8d7643bd1ea440e52c1889754bbf1f4c131c15c5478df983022373c752d2ddc7e42a2948a56fe0cafa1c0a19d7e8d614f6302c634401

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

MD5 427531d7365706a51fe8115655583b53
SHA1 ba697ae967ab3412007f1abb4c4668a9823441e9
SHA256 23c6e8b5a8011ac76ef94e404170fb0cd08f82fe9b984472425f68b0c0b8dfdf
SHA512 91f01de3cfd3dc34acf0e060b969dbc1933cb912ecece41f0f2ec347412e6af73dab1cb4947ccfd5ddda394e052e072db3f923a5ee5716d6a0a1f916f72084e4

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-03 04:35
Reported: 2024-06-03 04:37
Platform: win10v2004-20240508-en
Max time kernel: 138s
Max time network: 107s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\windows\hosts.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\windows\hosts.exe | N/A

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\OBJIYUIE = "W_X_C.bat" | C:\Windows\SysWOW64\WScript.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\WScript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\OBJIYUIE = "W_X_C.bat" | C:\Windows\SysWOW64\WScript.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\WScript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\OBJIYUIE = "W_X_C.bat" | C:\Windows\SysWOW64\WScript.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\WScript.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | C:\Users\Admin\AppData\Local\Temp\dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | C:\windows\hosts.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | \??\c:\windows\W_X_C.bat | C:\Users\Admin\AppData\Local\Temp\dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a.exe | N/A
File opened for modification | C:\Windows\hosts.exe | C:\Users\Admin\AppData\Local\Temp\dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a.exe | N/A
File opened for modification | C:\Windows\hosts.exe | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A
File opened for modification | C:\Windows\hosts.exe | C:\windows\hosts.exe | N/A
File created | C:\windows\W_X_C.vbs | C:\Users\Admin\AppData\Local\Temp\dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A
N/A | N/A | C:\windows\hosts.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4436 wrote to memory of 4768 | N/A | C:\Users\Admin\AppData\Local\Temp\dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a.exe | C:\Windows\SysWOW64\REG.exe
PID 4436 wrote to memory of 4768 | N/A | C:\Users\Admin\AppData\Local\Temp\dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a.exe | C:\Windows\SysWOW64\REG.exe
PID 4436 wrote to memory of 4768 | N/A | C:\Users\Admin\AppData\Local\Temp\dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a.exe | C:\Windows\SysWOW64\REG.exe
PID 4436 wrote to memory of 3916 | N/A | C:\Users\Admin\AppData\Local\Temp\dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a.exe | C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 4436 wrote to memory of 3916 | N/A | C:\Users\Admin\AppData\Local\Temp\dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a.exe | C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 4436 wrote to memory of 3916 | N/A | C:\Users\Admin\AppData\Local\Temp\dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a.exe | C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 3916 wrote to memory of 4368 | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 3916 wrote to memory of 4368 | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 3916 wrote to memory of 4368 | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 3916 wrote to memory of 3172 | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | C:\Windows\SysWOW64\cmd.exe
PID 3916 wrote to memory of 3172 | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | C:\Windows\SysWOW64\cmd.exe
PID 3916 wrote to memory of 3172 | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | C:\Windows\SysWOW64\cmd.exe
PID 4436 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a.exe | C:\Windows\SysWOW64\cmd.exe
PID 4436 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a.exe | C:\Windows\SysWOW64\cmd.exe
PID 4436 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a.exe | C:\Windows\SysWOW64\cmd.exe
PID 1628 wrote to memory of 3312 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\windows\hosts.exe
PID 1628 wrote to memory of 3312 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\windows\hosts.exe
PID 1628 wrote to memory of 3312 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\windows\hosts.exe
PID 3172 wrote to memory of 5100 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\windows\hosts.exe
PID 3172 wrote to memory of 5100 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\windows\hosts.exe
PID 3172 wrote to memory of 5100 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\windows\hosts.exe
PID 3312 wrote to memory of 2464 | N/A | C:\windows\hosts.exe | C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 3312 wrote to memory of 2464 | N/A | C:\windows\hosts.exe | C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 3312 wrote to memory of 2464 | N/A | C:\windows\hosts.exe | C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 1628 wrote to memory of 4248 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WScript.exe
PID 1628 wrote to memory of 4248 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WScript.exe
PID 1628 wrote to memory of 4248 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WScript.exe
PID 3172 wrote to memory of 3392 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WScript.exe
PID 3172 wrote to memory of 3392 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WScript.exe
PID 3172 wrote to memory of 3392 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WScript.exe
PID 3312 wrote to memory of 2188 | N/A | C:\windows\hosts.exe | C:\Windows\SysWOW64\cmd.exe
PID 3312 wrote to memory of 2188 | N/A | C:\windows\hosts.exe | C:\Windows\SysWOW64\cmd.exe
PID 3312 wrote to memory of 2188 | N/A | C:\windows\hosts.exe | C:\Windows\SysWOW64\cmd.exe
PID 2188 wrote to memory of 4424 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\windows\hosts.exe
PID 2188 wrote to memory of 4424 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\windows\hosts.exe
PID 2188 wrote to memory of 4424 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\windows\hosts.exe
PID 2188 wrote to memory of 3140 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WScript.exe
PID 2188 wrote to memory of 3140 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WScript.exe
PID 2188 wrote to memory of 3140 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WScript.exe
PID 3916 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | C:\Windows\SysWOW64\REG.exe
PID 3916 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | C:\Windows\SysWOW64\REG.exe
PID 3916 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | C:\Windows\SysWOW64\REG.exe
PID 3312 wrote to memory of 3316 | N/A | C:\windows\hosts.exe | C:\Windows\SysWOW64\REG.exe
PID 3312 wrote to memory of 3316 | N/A | C:\windows\hosts.exe | C:\Windows\SysWOW64\REG.exe
PID 3312 wrote to memory of 3316 | N/A | C:\windows\hosts.exe | C:\Windows\SysWOW64\REG.exe
PID 3916 wrote to memory of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | C:\Windows\SysWOW64\REG.exe
PID 3916 wrote to memory of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | C:\Windows\SysWOW64\REG.exe
PID 3916 wrote to memory of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | C:\Windows\SysWOW64\REG.exe
PID 3312 wrote to memory of 1252 | N/A | C:\windows\hosts.exe | C:\Windows\SysWOW64\REG.exe
PID 3312 wrote to memory of 1252 | N/A | C:\windows\hosts.exe | C:\Windows\SysWOW64\REG.exe
PID 3312 wrote to memory of 1252 | N/A | C:\windows\hosts.exe | C:\Windows\SysWOW64\REG.exe
PID 3916 wrote to memory of 4828 | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | C:\Windows\SysWOW64\REG.exe
PID 3916 wrote to memory of 4828 | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | C:\Windows\SysWOW64\REG.exe
PID 3916 wrote to memory of 4828 | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | C:\Windows\SysWOW64\REG.exe
PID 3312 wrote to memory of 388 | N/A | C:\windows\hosts.exe | C:\Windows\SysWOW64\REG.exe
PID 3312 wrote to memory of 388 | N/A | C:\windows\hosts.exe | C:\Windows\SysWOW64\REG.exe
PID 3312 wrote to memory of 388 | N/A | C:\windows\hosts.exe | C:\Windows\SysWOW64\REG.exe
PID 3916 wrote to memory of 5116 | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | C:\Windows\SysWOW64\REG.exe
PID 3916 wrote to memory of 5116 | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | C:\Windows\SysWOW64\REG.exe
PID 3916 wrote to memory of 5116 | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | C:\Windows\SysWOW64\REG.exe
PID 3312 wrote to memory of 4728 | N/A | C:\windows\hosts.exe | C:\Windows\SysWOW64\REG.exe
PID 3312 wrote to memory of 4728 | N/A | C:\windows\hosts.exe | C:\Windows\SysWOW64\REG.exe
PID 3312 wrote to memory of 4728 | N/A | C:\windows\hosts.exe | C:\Windows\SysWOW64\REG.exe

Processes

Process: C:\Users\Admin\AppData\Local\Temp\dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\dd82f8530d5f56e978b8d95b06207ab2fb7510c48e563325519786fdc435581a.exe"

Process: C:\Windows\SysWOW64\REG.exe
Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

Process: C:\Users\Admin\AppData\Local\Temp\avscan.exe
Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe

Process: C:\Users\Admin\AppData\Local\Temp\avscan.exe
Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe

Process: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat

Process: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat

Process: C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Process: C:\windows\hosts.exe
Command line: C:\windows\hosts.exe

Process: C:\windows\hosts.exe
Command line: C:\windows\hosts.exe

Process: C:\Users\Admin\AppData\Local\Temp\avscan.exe
Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe

Process: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"

Process: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"

Process: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat

Process: C:\windows\hosts.exe
Command line: C:\windows\hosts.exe

Process: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"

Process: C:\Windows\SysWOW64\REG.exe
Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

Process: C:\Windows\SysWOW64\REG.exe
Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

Process: C:\Windows\SysWOW64\REG.exe
Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

Process: C:\Windows\SysWOW64\REG.exe
Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

Process: C:\Windows\SysWOW64\REG.exe
Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

Process: C:\Windows\SysWOW64\REG.exe
Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

Process: C:\Windows\SysWOW64\REG.exe
Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

Process: C:\Windows\SysWOW64\REG.exe
Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp

Files

C:\Users\Admin\AppData\Local\Temp\avscan.exe

MD5 7327f388ffe118b9f908c3b44314a1cc
SHA1 713ed394a281e6ca3d8ed1826054d496ec920768
SHA256 49f50552e65479d5d9a056aa84833d041790e488774a75bfa8806184e3fa7732
SHA512 5b74b61aa86d30bf9246be9a4a312750cb31615d908c347de07104261c0a1867a7d98d33203d8825290551f7c4daf87ab600688e92c0b0b5bdf018362a12ccd3

C:\Windows\hosts.exe

MD5 5517d55b88f889a1c9d55ee4363d96b7
SHA1 055f572d8fde915e93704ce7929a290232daed98
SHA256 3bf25ae961bc64a2ce28f90edcc1c7177ea360ace9ae1e7d3259787c97c3a94e
SHA512 7d21cdc3ec1940b081b6a4a5408fe67c234a44242097adb0fbb49bf82cd81a916f7f4cc1e3628abc0c86792259a409c9478ef9753d8ffbd25d3ab186f8b242a6

\??\c:\windows\W_X_C.bat

MD5 4db9f8b6175722b62ececeeeba1ce307
SHA1 3b3ba8414706e72a6fa19e884a97b87609e11e47
SHA256 d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78
SHA512 1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

C:\Windows\W_X_C.vbs

MD5 1b97fc0bf80f44c04514817b1c7449e7
SHA1 1b32070bd87946ce42e7c3e49a47e282b2622852
SHA256 e756c1e489a198dd4dd1536efb045f4a14054e7902931f6af0cf13343f60cb4c
SHA512 be89f25cf5ba8635dda55c20c249233c68a488d9a76f73f4a259dc994c26938b58a57b67f16d6ce477213b27f19bdc3ca6e43443925fa218f58418e128eb7fc2