89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f

Analysis

max time kernel
129s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2022 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe
Size

334KB
MD5

0efd3a0125f336e49c14d2a87dc22802
SHA1

05339ba9a1c955e176ae52deb35f72df10b7803f
SHA256

89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f
SHA512

879ad312a299123556f5b6e254223c85b6e321f52c08aed4c9a1f9470314d22e25a68c983d57fa4019f4f78350ad194569bdf39dfa76f1779751d1b5d9f1810d
SSDEEP

6144:gDCwfG1bnxG8M58+DCwfG1bnxG8M58FqvA:g72bnI55X72bnI55cqvA

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IYMUGYHL = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IYMUGYHL = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IYMUGYHL = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
2160	avscan.exe
4588	avscan.exe
4244	hosts.exe
5068	hosts.exe
5048	avscan.exe
1272	hosts.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe
File created	\??\c:\windows\W_X_C.bat	89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe
File opened for modification	C:\Windows\hosts.exe	89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
4400	REG.exe
4192	REG.exe
2124	REG.exe
3672	REG.exe
4484	REG.exe
4172	REG.exe
4904	REG.exe
1264	REG.exe
1308	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2160	avscan.exe
4244	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4812	89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe
2160	avscan.exe
4588	avscan.exe
4244	hosts.exe
5068	hosts.exe
5048	avscan.exe
1272	hosts.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 4904	4812	89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe	80
PID 4812 wrote to memory of 4904	4812	89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe	80
PID 4812 wrote to memory of 4904	4812	89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe	80
PID 4812 wrote to memory of 2160	4812	89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe	82
PID 4812 wrote to memory of 2160	4812	89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe	82
PID 4812 wrote to memory of 2160	4812	89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe	82
PID 2160 wrote to memory of 4588	2160	avscan.exe	83
PID 2160 wrote to memory of 4588	2160	avscan.exe	83
PID 2160 wrote to memory of 4588	2160	avscan.exe	83
PID 2160 wrote to memory of 2156	2160	avscan.exe	84
PID 2160 wrote to memory of 2156	2160	avscan.exe	84
PID 2160 wrote to memory of 2156	2160	avscan.exe	84
PID 4812 wrote to memory of 3808	4812	89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe	85
PID 4812 wrote to memory of 3808	4812	89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe	85
PID 4812 wrote to memory of 3808	4812	89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe	85
PID 2156 wrote to memory of 4244	2156	cmd.exe	88
PID 2156 wrote to memory of 4244	2156	cmd.exe	88
PID 2156 wrote to memory of 4244	2156	cmd.exe	88
PID 3808 wrote to memory of 5068	3808	cmd.exe	90
PID 3808 wrote to memory of 5068	3808	cmd.exe	90
PID 3808 wrote to memory of 5068	3808	cmd.exe	90
PID 4244 wrote to memory of 5048	4244	hosts.exe	91
PID 4244 wrote to memory of 5048	4244	hosts.exe	91
PID 4244 wrote to memory of 5048	4244	hosts.exe	91
PID 4244 wrote to memory of 740	4244	hosts.exe	92
PID 4244 wrote to memory of 740	4244	hosts.exe	92
PID 4244 wrote to memory of 740	4244	hosts.exe	92
PID 740 wrote to memory of 1272	740	cmd.exe	94
PID 740 wrote to memory of 1272	740	cmd.exe	94
PID 740 wrote to memory of 1272	740	cmd.exe	94
PID 3808 wrote to memory of 2372	3808	cmd.exe	95
PID 3808 wrote to memory of 2372	3808	cmd.exe	95
PID 3808 wrote to memory of 2372	3808	cmd.exe	95
PID 2156 wrote to memory of 1344	2156	cmd.exe	96
PID 2156 wrote to memory of 1344	2156	cmd.exe	96
PID 2156 wrote to memory of 1344	2156	cmd.exe	96
PID 740 wrote to memory of 1832	740	cmd.exe	97
PID 740 wrote to memory of 1832	740	cmd.exe	97
PID 740 wrote to memory of 1832	740	cmd.exe	97
PID 2160 wrote to memory of 1264	2160	avscan.exe	105
PID 2160 wrote to memory of 1264	2160	avscan.exe	105
PID 2160 wrote to memory of 1264	2160	avscan.exe	105
PID 4244 wrote to memory of 1308	4244	hosts.exe	107
PID 4244 wrote to memory of 1308	4244	hosts.exe	107
PID 4244 wrote to memory of 1308	4244	hosts.exe	107
PID 2160 wrote to memory of 3672	2160	avscan.exe	109
PID 2160 wrote to memory of 3672	2160	avscan.exe	109
PID 2160 wrote to memory of 3672	2160	avscan.exe	109
PID 4244 wrote to memory of 4484	4244	hosts.exe	112
PID 4244 wrote to memory of 4484	4244	hosts.exe	112
PID 4244 wrote to memory of 4484	4244	hosts.exe	112
PID 2160 wrote to memory of 4400	2160	avscan.exe	113
PID 2160 wrote to memory of 4400	2160	avscan.exe	113
PID 2160 wrote to memory of 4400	2160	avscan.exe	113
PID 4244 wrote to memory of 4172	4244	hosts.exe	115
PID 4244 wrote to memory of 4172	4244	hosts.exe	115
PID 4244 wrote to memory of 4172	4244	hosts.exe	115
PID 2160 wrote to memory of 4192	2160	avscan.exe	117
PID 2160 wrote to memory of 4192	2160	avscan.exe	117
PID 2160 wrote to memory of 4192	2160	avscan.exe	117
PID 4244 wrote to memory of 2124	4244	hosts.exe	119
PID 4244 wrote to memory of 2124	4244	hosts.exe	119
PID 4244 wrote to memory of 2124	4244	hosts.exe	119

C:\Users\Admin\AppData\Local\Temp\89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe
"C:\Users\Admin\AppData\Local\Temp\89caaf48d98052efd16194c60017beac31946b906aa29a564a96b9af5b5b189f.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:4904
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4244
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5048
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
        5⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:740
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1272
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:1832
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1308
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:4484
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:4172
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:2124
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:1344
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1264
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:3672
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:4400
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:4192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3808
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5068
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:2372

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
334KB

MD5
6b33e617d0f070b0ed4c14bd19ce0b35

SHA1
bf16b4be0fc0f28123cd54093e62c5f7e75ea555

SHA256
fe58c806cfed24c69dc334c8a2c4feb3548d0e9ba297f962f2780081e8ad669c

SHA512
c414d74b86e5d2de155ba37568542ae9c3115e0f9658aafa59324b70a27a9eb1689ca791b5f0bd5f25d90cd78ef908279dbdffa4478674a8139a8713f0b26802

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
334KB

MD5
6b33e617d0f070b0ed4c14bd19ce0b35

SHA1
bf16b4be0fc0f28123cd54093e62c5f7e75ea555

SHA256
fe58c806cfed24c69dc334c8a2c4feb3548d0e9ba297f962f2780081e8ad669c

SHA512
c414d74b86e5d2de155ba37568542ae9c3115e0f9658aafa59324b70a27a9eb1689ca791b5f0bd5f25d90cd78ef908279dbdffa4478674a8139a8713f0b26802

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
334KB

MD5
6b33e617d0f070b0ed4c14bd19ce0b35

SHA1
bf16b4be0fc0f28123cd54093e62c5f7e75ea555

SHA256
fe58c806cfed24c69dc334c8a2c4feb3548d0e9ba297f962f2780081e8ad669c

SHA512
c414d74b86e5d2de155ba37568542ae9c3115e0f9658aafa59324b70a27a9eb1689ca791b5f0bd5f25d90cd78ef908279dbdffa4478674a8139a8713f0b26802

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
334KB

MD5
6b33e617d0f070b0ed4c14bd19ce0b35

SHA1
bf16b4be0fc0f28123cd54093e62c5f7e75ea555

SHA256
fe58c806cfed24c69dc334c8a2c4feb3548d0e9ba297f962f2780081e8ad669c

SHA512
c414d74b86e5d2de155ba37568542ae9c3115e0f9658aafa59324b70a27a9eb1689ca791b5f0bd5f25d90cd78ef908279dbdffa4478674a8139a8713f0b26802

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
0e0483d4802632100b6bfe8bc2e5d661

SHA1
767e0deb7dcaa7676004e6053957c36cecfeeefa

SHA256
81bbebb8d0e77ffffbc7b7d24afdcdce4089f4b04d1a12284eda861c25e03f9f

SHA512
8279b0559ca30a0adc6c8614870c3e445866c20f0617a7153cab41982b451dfe9ea44478f37b884465235714623ef26a56f5ea3d1cb81767487c494d3703ab29

Download Submit
C:\Windows\hosts.exe

Filesize
334KB

MD5
fb19f25ec4cbfb430588bd3e32e06b86

SHA1
22d57aa7cff5c6b14819bd912ac57d020bc51701

SHA256
d8c943d0f1212af80f9251f11947155a040d18d6f6f9c6bbf440574e0588c9b4

SHA512
7e376a6d3aba77b9874f1679d89efa15afbaf43471374811b8e8b92740d17076c51cd7fa872bafd6f83e3b6fb28cb6cc6e03ff2a58b9431e69a0cb681cab5395

Download Submit
C:\Windows\hosts.exe

Filesize
334KB

MD5
fb19f25ec4cbfb430588bd3e32e06b86

SHA1
22d57aa7cff5c6b14819bd912ac57d020bc51701

SHA256
d8c943d0f1212af80f9251f11947155a040d18d6f6f9c6bbf440574e0588c9b4

SHA512
7e376a6d3aba77b9874f1679d89efa15afbaf43471374811b8e8b92740d17076c51cd7fa872bafd6f83e3b6fb28cb6cc6e03ff2a58b9431e69a0cb681cab5395

Download Submit
C:\Windows\hosts.exe

Filesize
334KB

MD5
fb19f25ec4cbfb430588bd3e32e06b86

SHA1
22d57aa7cff5c6b14819bd912ac57d020bc51701

SHA256
d8c943d0f1212af80f9251f11947155a040d18d6f6f9c6bbf440574e0588c9b4

SHA512
7e376a6d3aba77b9874f1679d89efa15afbaf43471374811b8e8b92740d17076c51cd7fa872bafd6f83e3b6fb28cb6cc6e03ff2a58b9431e69a0cb681cab5395

Download Submit
C:\Windows\hosts.exe

Filesize
334KB

MD5
fb19f25ec4cbfb430588bd3e32e06b86

SHA1
22d57aa7cff5c6b14819bd912ac57d020bc51701

SHA256
d8c943d0f1212af80f9251f11947155a040d18d6f6f9c6bbf440574e0588c9b4

SHA512
7e376a6d3aba77b9874f1679d89efa15afbaf43471374811b8e8b92740d17076c51cd7fa872bafd6f83e3b6fb28cb6cc6e03ff2a58b9431e69a0cb681cab5395

Download Submit
C:\windows\hosts.exe

Filesize
334KB

MD5
fb19f25ec4cbfb430588bd3e32e06b86

SHA1
22d57aa7cff5c6b14819bd912ac57d020bc51701

SHA256
d8c943d0f1212af80f9251f11947155a040d18d6f6f9c6bbf440574e0588c9b4

SHA512
7e376a6d3aba77b9874f1679d89efa15afbaf43471374811b8e8b92740d17076c51cd7fa872bafd6f83e3b6fb28cb6cc6e03ff2a58b9431e69a0cb681cab5395

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads