14d714a58c70a002a1dc790b32dcda98658d23fda260c282ce21edd014f40f88

Analysis

max time kernel
129s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14d714a58c70a002a1dc790b32dcda98658d23fda260c282ce21edd014f40f88.exe
Size

351KB
MD5

0e48a80ea90bc0b2493a18af347e55c0
SHA1

e3a981c17307dbe73a2f4011559d1bed29a53391
SHA256

14d714a58c70a002a1dc790b32dcda98658d23fda260c282ce21edd014f40f88
SHA512

ad34a74f8ee903ac1b868b98b27122f8c6f28ded808bb79595ed639546eeeeffa6957eaf38870437710736dba4c652d482ec2f1c3238db507e65340f9b4282be
SSDEEP

3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCmHV5F11Z++M42bpDCw1p3vmLvsZIaVwiwDw:gDCwfG1bnxHXG+MfDCwfG1bnxHXG+MX

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	14d714a58c70a002a1dc790b32dcda98658d23fda260c282ce21edd014f40f88.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	14d714a58c70a002a1dc790b32dcda98658d23fda260c282ce21edd014f40f88.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\XZIOFAVD = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\XZIOFAVD = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\XZIOFAVD = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
1148	avscan.exe
1456	avscan.exe
1792	hosts.exe
372	hosts.exe
3904	avscan.exe
1068	hosts.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	cmd.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	14d714a58c70a002a1dc790b32dcda98658d23fda260c282ce21edd014f40f88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	14d714a58c70a002a1dc790b32dcda98658d23fda260c282ce21edd014f40f88.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	14d714a58c70a002a1dc790b32dcda98658d23fda260c282ce21edd014f40f88.exe
File created	\??\c:\windows\W_X_C.bat	14d714a58c70a002a1dc790b32dcda98658d23fda260c282ce21edd014f40f88.exe
File opened for modification	C:\Windows\hosts.exe	14d714a58c70a002a1dc790b32dcda98658d23fda260c282ce21edd014f40f88.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	14d714a58c70a002a1dc790b32dcda98658d23fda260c282ce21edd014f40f88.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
5040	REG.exe
2416	REG.exe
4756	REG.exe
4380	REG.exe
3984	REG.exe
1488	REG.exe
3148	REG.exe
1288	REG.exe
2172	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1148	avscan.exe
1792	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
5056	14d714a58c70a002a1dc790b32dcda98658d23fda260c282ce21edd014f40f88.exe
1148	avscan.exe
1456	avscan.exe
1792	hosts.exe
372	hosts.exe
3904	avscan.exe
1068	hosts.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 5040	5056	14d714a58c70a002a1dc790b32dcda98658d23fda260c282ce21edd014f40f88.exe	82
PID 5056 wrote to memory of 5040	5056	14d714a58c70a002a1dc790b32dcda98658d23fda260c282ce21edd014f40f88.exe	82
PID 5056 wrote to memory of 5040	5056	14d714a58c70a002a1dc790b32dcda98658d23fda260c282ce21edd014f40f88.exe	82
PID 5056 wrote to memory of 1148	5056	14d714a58c70a002a1dc790b32dcda98658d23fda260c282ce21edd014f40f88.exe	84
PID 5056 wrote to memory of 1148	5056	14d714a58c70a002a1dc790b32dcda98658d23fda260c282ce21edd014f40f88.exe	84
PID 5056 wrote to memory of 1148	5056	14d714a58c70a002a1dc790b32dcda98658d23fda260c282ce21edd014f40f88.exe	84
PID 1148 wrote to memory of 1456	1148	avscan.exe	85
PID 1148 wrote to memory of 1456	1148	avscan.exe	85
PID 1148 wrote to memory of 1456	1148	avscan.exe	85
PID 1148 wrote to memory of 3028	1148	avscan.exe	86
PID 1148 wrote to memory of 3028	1148	avscan.exe	86
PID 1148 wrote to memory of 3028	1148	avscan.exe	86
PID 5056 wrote to memory of 3048	5056	14d714a58c70a002a1dc790b32dcda98658d23fda260c282ce21edd014f40f88.exe	87
PID 5056 wrote to memory of 3048	5056	14d714a58c70a002a1dc790b32dcda98658d23fda260c282ce21edd014f40f88.exe	87
PID 5056 wrote to memory of 3048	5056	14d714a58c70a002a1dc790b32dcda98658d23fda260c282ce21edd014f40f88.exe	87
PID 3048 wrote to memory of 1792	3048	cmd.exe	90
PID 3048 wrote to memory of 1792	3048	cmd.exe	90
PID 3048 wrote to memory of 1792	3048	cmd.exe	90
PID 3028 wrote to memory of 372	3028	cmd.exe	91
PID 3028 wrote to memory of 372	3028	cmd.exe	91
PID 3028 wrote to memory of 372	3028	cmd.exe	91
PID 1792 wrote to memory of 3904	1792	hosts.exe	92
PID 1792 wrote to memory of 3904	1792	hosts.exe	92
PID 1792 wrote to memory of 3904	1792	hosts.exe	92
PID 1792 wrote to memory of 1260	1792	hosts.exe	93
PID 1792 wrote to memory of 1260	1792	hosts.exe	93
PID 1792 wrote to memory of 1260	1792	hosts.exe	93
PID 1260 wrote to memory of 1068	1260	cmd.exe	95
PID 1260 wrote to memory of 1068	1260	cmd.exe	95
PID 1260 wrote to memory of 1068	1260	cmd.exe	95
PID 1260 wrote to memory of 2984	1260	cmd.exe	98
PID 1260 wrote to memory of 2984	1260	cmd.exe	98
PID 1260 wrote to memory of 2984	1260	cmd.exe	98
PID 3028 wrote to memory of 3716	3028	cmd.exe	97
PID 3028 wrote to memory of 3716	3028	cmd.exe	97
PID 3028 wrote to memory of 3716	3028	cmd.exe	97
PID 3048 wrote to memory of 3120	3048	cmd.exe	96
PID 3048 wrote to memory of 3120	3048	cmd.exe	96
PID 3048 wrote to memory of 3120	3048	cmd.exe	96
PID 1148 wrote to memory of 1488	1148	avscan.exe	107
PID 1148 wrote to memory of 1488	1148	avscan.exe	107
PID 1148 wrote to memory of 1488	1148	avscan.exe	107
PID 1792 wrote to memory of 3148	1792	hosts.exe	109
PID 1792 wrote to memory of 3148	1792	hosts.exe	109
PID 1792 wrote to memory of 3148	1792	hosts.exe	109
PID 1148 wrote to memory of 1288	1148	avscan.exe	111
PID 1148 wrote to memory of 1288	1148	avscan.exe	111
PID 1148 wrote to memory of 1288	1148	avscan.exe	111
PID 1792 wrote to memory of 2416	1792	hosts.exe	113
PID 1792 wrote to memory of 2416	1792	hosts.exe	113
PID 1792 wrote to memory of 2416	1792	hosts.exe	113
PID 1148 wrote to memory of 4756	1148	avscan.exe	115
PID 1148 wrote to memory of 4756	1148	avscan.exe	115
PID 1148 wrote to memory of 4756	1148	avscan.exe	115
PID 1792 wrote to memory of 4380	1792	hosts.exe	117
PID 1792 wrote to memory of 4380	1792	hosts.exe	117
PID 1792 wrote to memory of 4380	1792	hosts.exe	117
PID 1148 wrote to memory of 2172	1148	avscan.exe	119
PID 1148 wrote to memory of 2172	1148	avscan.exe	119
PID 1148 wrote to memory of 2172	1148	avscan.exe	119
PID 1792 wrote to memory of 3984	1792	hosts.exe	121
PID 1792 wrote to memory of 3984	1792	hosts.exe	121
PID 1792 wrote to memory of 3984	1792	hosts.exe	121

C:\Users\Admin\AppData\Local\Temp\14d714a58c70a002a1dc790b32dcda98658d23fda260c282ce21edd014f40f88.exe
"C:\Users\Admin\AppData\Local\Temp\14d714a58c70a002a1dc790b32dcda98658d23fda260c282ce21edd014f40f88.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:5040
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:372
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:3716
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1488
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1288
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:4756
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:2172
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1792
  - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3904
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1260
    - - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1068
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        5⤵
        Adds policy Run key to start application
        
        PID:2984
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:3148
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:2416
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:4380
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:3984
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:3120

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
351KB

MD5
5f85fc4811c43a826fa6049c572f6cb9

SHA1
3c136203267908967bb7019012def4003a063542

SHA256
9bcd2e9d4e5eb1d575e582f3229e3b1bab1e0441cbd3cddc27cfd96dd529d5ed

SHA512
371340e457542c177053c1c350b7643f6920edfad20fd838dc311987154b27e03837f42306659001b90f0bd9a2c9d3c3f1f53ded71837c6ea696e35d9ece8496

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
351KB

MD5
5f85fc4811c43a826fa6049c572f6cb9

SHA1
3c136203267908967bb7019012def4003a063542

SHA256
9bcd2e9d4e5eb1d575e582f3229e3b1bab1e0441cbd3cddc27cfd96dd529d5ed

SHA512
371340e457542c177053c1c350b7643f6920edfad20fd838dc311987154b27e03837f42306659001b90f0bd9a2c9d3c3f1f53ded71837c6ea696e35d9ece8496

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
351KB

MD5
5f85fc4811c43a826fa6049c572f6cb9

SHA1
3c136203267908967bb7019012def4003a063542

SHA256
9bcd2e9d4e5eb1d575e582f3229e3b1bab1e0441cbd3cddc27cfd96dd529d5ed

SHA512
371340e457542c177053c1c350b7643f6920edfad20fd838dc311987154b27e03837f42306659001b90f0bd9a2c9d3c3f1f53ded71837c6ea696e35d9ece8496

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
351KB

MD5
5f85fc4811c43a826fa6049c572f6cb9

SHA1
3c136203267908967bb7019012def4003a063542

SHA256
9bcd2e9d4e5eb1d575e582f3229e3b1bab1e0441cbd3cddc27cfd96dd529d5ed

SHA512
371340e457542c177053c1c350b7643f6920edfad20fd838dc311987154b27e03837f42306659001b90f0bd9a2c9d3c3f1f53ded71837c6ea696e35d9ece8496

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
7fc0db81060e343fd209dc050b401f77

SHA1
08ce8975b023bf90c21b8e64cd54fdd39debce04

SHA256
4a21d378652d4291a6b9e88a1934ac51e9eccd5c9a42aa09076219301509367f

SHA512
e0d13ba3713707f7cb9be56240930a8f47d8c302e692b49dcb01f7bdf3e3475f829e1ead60ce6a5f98bed591be96456e9c3ef67bb27f88dc70343c1412e9de57

Download Submit
C:\Windows\hosts.exe

Filesize
351KB

MD5
4c58e90a024264d91003c323beb69a98

SHA1
bb0f93497cb19722cf85c05d307b13d471156735

SHA256
75c65c8d018e7a1e8b1cdf9120bea388bdbe44e95cb62f66bdf96bf9162ef262

SHA512
814d8a669c9280e453c95576553844ece37be558af5b47a26cf6cd8364c9fec8e04630eba26314ea87d844ed2893add62ebd0ed149366c17d946d7f585df3c1b

Download Submit
C:\Windows\hosts.exe

Filesize
351KB

MD5
4c58e90a024264d91003c323beb69a98

SHA1
bb0f93497cb19722cf85c05d307b13d471156735

SHA256
75c65c8d018e7a1e8b1cdf9120bea388bdbe44e95cb62f66bdf96bf9162ef262

SHA512
814d8a669c9280e453c95576553844ece37be558af5b47a26cf6cd8364c9fec8e04630eba26314ea87d844ed2893add62ebd0ed149366c17d946d7f585df3c1b

Download Submit
C:\Windows\hosts.exe

Filesize
351KB

MD5
4c58e90a024264d91003c323beb69a98

SHA1
bb0f93497cb19722cf85c05d307b13d471156735

SHA256
75c65c8d018e7a1e8b1cdf9120bea388bdbe44e95cb62f66bdf96bf9162ef262

SHA512
814d8a669c9280e453c95576553844ece37be558af5b47a26cf6cd8364c9fec8e04630eba26314ea87d844ed2893add62ebd0ed149366c17d946d7f585df3c1b

Download Submit
C:\Windows\hosts.exe

Filesize
351KB

MD5
4c58e90a024264d91003c323beb69a98

SHA1
bb0f93497cb19722cf85c05d307b13d471156735

SHA256
75c65c8d018e7a1e8b1cdf9120bea388bdbe44e95cb62f66bdf96bf9162ef262

SHA512
814d8a669c9280e453c95576553844ece37be558af5b47a26cf6cd8364c9fec8e04630eba26314ea87d844ed2893add62ebd0ed149366c17d946d7f585df3c1b

Download Submit
C:\windows\hosts.exe

Filesize
351KB

MD5
4c58e90a024264d91003c323beb69a98

SHA1
bb0f93497cb19722cf85c05d307b13d471156735

SHA256
75c65c8d018e7a1e8b1cdf9120bea388bdbe44e95cb62f66bdf96bf9162ef262

SHA512
814d8a669c9280e453c95576553844ece37be558af5b47a26cf6cd8364c9fec8e04630eba26314ea87d844ed2893add62ebd0ed149366c17d946d7f585df3c1b

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads