44da43b39e86d7d67da9b05feb586f7077f935c23c780a1033774702c76f8c36

Analysis

max time kernel
134s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44da43b39e86d7d67da9b05feb586f7077f935c23c780a1033774702c76f8c36.exe
Size

195KB
MD5

9468c8093437fcb3e5a83662398990a4
SHA1

883a0c3cfc7302255124420f2fa763665e1a08f4
SHA256

44da43b39e86d7d67da9b05feb586f7077f935c23c780a1033774702c76f8c36
SHA512

98b35ad9b4815f7dcbeb1e9d348ded8b91054fdfc95c5db37ac76e0b27ba591e9d65a803a1ce4af20215e829e8912d3810b5e169eaa35c4963abef4cae456838
SSDEEP

3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCm/DEeoUsDnukbDktLgr7E:gDCwfG1bnxLE3bDnu3tZ

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	44da43b39e86d7d67da9b05feb586f7077f935c23c780a1033774702c76f8c36.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	44da43b39e86d7d67da9b05feb586f7077f935c23c780a1033774702c76f8c36.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\XZIOFAVD = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\XZIOFAVD = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\XZIOFAVD = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
440	avscan.exe
5020	avscan.exe
4784	hosts.exe
2284	hosts.exe
1648	avscan.exe
3992	hosts.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	cmd.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	44da43b39e86d7d67da9b05feb586f7077f935c23c780a1033774702c76f8c36.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	44da43b39e86d7d67da9b05feb586f7077f935c23c780a1033774702c76f8c36.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	44da43b39e86d7d67da9b05feb586f7077f935c23c780a1033774702c76f8c36.exe
File created	\??\c:\windows\W_X_C.bat	44da43b39e86d7d67da9b05feb586f7077f935c23c780a1033774702c76f8c36.exe
File opened for modification	C:\Windows\hosts.exe	44da43b39e86d7d67da9b05feb586f7077f935c23c780a1033774702c76f8c36.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	44da43b39e86d7d67da9b05feb586f7077f935c23c780a1033774702c76f8c36.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
3020	REG.exe
4000	REG.exe
4452	REG.exe
4080	REG.exe
2444	REG.exe
3360	REG.exe
4532	REG.exe
4812	REG.exe
4500	REG.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
1508	44da43b39e86d7d67da9b05feb586f7077f935c23c780a1033774702c76f8c36.exe
440	avscan.exe
4784	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1508	44da43b39e86d7d67da9b05feb586f7077f935c23c780a1033774702c76f8c36.exe
440	avscan.exe
5020	avscan.exe
4784	hosts.exe
2284	hosts.exe
1648	avscan.exe
3992	hosts.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 3020	1508	44da43b39e86d7d67da9b05feb586f7077f935c23c780a1033774702c76f8c36.exe	81
PID 1508 wrote to memory of 3020	1508	44da43b39e86d7d67da9b05feb586f7077f935c23c780a1033774702c76f8c36.exe	81
PID 1508 wrote to memory of 3020	1508	44da43b39e86d7d67da9b05feb586f7077f935c23c780a1033774702c76f8c36.exe	81
PID 1508 wrote to memory of 440	1508	44da43b39e86d7d67da9b05feb586f7077f935c23c780a1033774702c76f8c36.exe	83
PID 1508 wrote to memory of 440	1508	44da43b39e86d7d67da9b05feb586f7077f935c23c780a1033774702c76f8c36.exe	83
PID 1508 wrote to memory of 440	1508	44da43b39e86d7d67da9b05feb586f7077f935c23c780a1033774702c76f8c36.exe	83
PID 440 wrote to memory of 5020	440	avscan.exe	84
PID 440 wrote to memory of 5020	440	avscan.exe	84
PID 440 wrote to memory of 5020	440	avscan.exe	84
PID 440 wrote to memory of 3440	440	avscan.exe	85
PID 440 wrote to memory of 3440	440	avscan.exe	85
PID 440 wrote to memory of 3440	440	avscan.exe	85
PID 1508 wrote to memory of 3040	1508	44da43b39e86d7d67da9b05feb586f7077f935c23c780a1033774702c76f8c36.exe	86
PID 1508 wrote to memory of 3040	1508	44da43b39e86d7d67da9b05feb586f7077f935c23c780a1033774702c76f8c36.exe	86
PID 1508 wrote to memory of 3040	1508	44da43b39e86d7d67da9b05feb586f7077f935c23c780a1033774702c76f8c36.exe	86
PID 3040 wrote to memory of 4784	3040	cmd.exe	89
PID 3040 wrote to memory of 4784	3040	cmd.exe	89
PID 3040 wrote to memory of 4784	3040	cmd.exe	89
PID 3440 wrote to memory of 2284	3440	cmd.exe	90
PID 3440 wrote to memory of 2284	3440	cmd.exe	90
PID 3440 wrote to memory of 2284	3440	cmd.exe	90
PID 4784 wrote to memory of 1648	4784	hosts.exe	91
PID 4784 wrote to memory of 1648	4784	hosts.exe	91
PID 4784 wrote to memory of 1648	4784	hosts.exe	91
PID 3440 wrote to memory of 3428	3440	cmd.exe	94
PID 3440 wrote to memory of 3428	3440	cmd.exe	94
PID 3440 wrote to memory of 3428	3440	cmd.exe	94
PID 3040 wrote to memory of 1856	3040	cmd.exe	93
PID 3040 wrote to memory of 1856	3040	cmd.exe	93
PID 3040 wrote to memory of 1856	3040	cmd.exe	93
PID 4784 wrote to memory of 3524	4784	hosts.exe	95
PID 4784 wrote to memory of 3524	4784	hosts.exe	95
PID 4784 wrote to memory of 3524	4784	hosts.exe	95
PID 3524 wrote to memory of 3992	3524	cmd.exe	97
PID 3524 wrote to memory of 3992	3524	cmd.exe	97
PID 3524 wrote to memory of 3992	3524	cmd.exe	97
PID 3524 wrote to memory of 3120	3524	cmd.exe	98
PID 3524 wrote to memory of 3120	3524	cmd.exe	98
PID 3524 wrote to memory of 3120	3524	cmd.exe	98
PID 440 wrote to memory of 4000	440	avscan.exe	100
PID 440 wrote to memory of 4000	440	avscan.exe	100
PID 440 wrote to memory of 4000	440	avscan.exe	100
PID 4784 wrote to memory of 2444	4784	hosts.exe	102
PID 4784 wrote to memory of 2444	4784	hosts.exe	102
PID 4784 wrote to memory of 2444	4784	hosts.exe	102
PID 440 wrote to memory of 4452	440	avscan.exe	110
PID 440 wrote to memory of 4452	440	avscan.exe	110
PID 440 wrote to memory of 4452	440	avscan.exe	110
PID 4784 wrote to memory of 3360	4784	hosts.exe	112
PID 4784 wrote to memory of 3360	4784	hosts.exe	112
PID 4784 wrote to memory of 3360	4784	hosts.exe	112
PID 440 wrote to memory of 4532	440	avscan.exe	114
PID 440 wrote to memory of 4532	440	avscan.exe	114
PID 440 wrote to memory of 4532	440	avscan.exe	114
PID 4784 wrote to memory of 4812	4784	hosts.exe	116
PID 4784 wrote to memory of 4812	4784	hosts.exe	116
PID 4784 wrote to memory of 4812	4784	hosts.exe	116
PID 440 wrote to memory of 4080	440	avscan.exe	118
PID 440 wrote to memory of 4080	440	avscan.exe	118
PID 440 wrote to memory of 4080	440	avscan.exe	118
PID 4784 wrote to memory of 4500	4784	hosts.exe	120
PID 4784 wrote to memory of 4500	4784	hosts.exe	120
PID 4784 wrote to memory of 4500	4784	hosts.exe	120

C:\Users\Admin\AppData\Local\Temp\44da43b39e86d7d67da9b05feb586f7077f935c23c780a1033774702c76f8c36.exe
"C:\Users\Admin\AppData\Local\Temp\44da43b39e86d7d67da9b05feb586f7077f935c23c780a1033774702c76f8c36.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:3020
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:440
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3440
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2284
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:3428
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:4000
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:4452
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:4532
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:4080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4784
  - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1648
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3524
    - - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3992
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        5⤵
        Adds policy Run key to start application
        
        PID:3120
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:2444
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:3360
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:4812
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:4500
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:1856

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
195KB

MD5
0cca37822b0b3abfbbf39dee4822c775

SHA1
c01fe9c8e7c0d445b861611d83bbc4de1c4492d3

SHA256
62fa718f3e1249b44ca790dd8066b0a19a52ad1a9343bbdba2d45d9ba645fb4a

SHA512
6e78ec731601d74a37ee762f0f79c241475996401dcf7e4ba66e193635a70de2f3d47518d15dac900e5de66b28a64230e6a5f21add42cbdb61bcf00883ff1859

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
195KB

MD5
0cca37822b0b3abfbbf39dee4822c775

SHA1
c01fe9c8e7c0d445b861611d83bbc4de1c4492d3

SHA256
62fa718f3e1249b44ca790dd8066b0a19a52ad1a9343bbdba2d45d9ba645fb4a

SHA512
6e78ec731601d74a37ee762f0f79c241475996401dcf7e4ba66e193635a70de2f3d47518d15dac900e5de66b28a64230e6a5f21add42cbdb61bcf00883ff1859

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
195KB

MD5
0cca37822b0b3abfbbf39dee4822c775

SHA1
c01fe9c8e7c0d445b861611d83bbc4de1c4492d3

SHA256
62fa718f3e1249b44ca790dd8066b0a19a52ad1a9343bbdba2d45d9ba645fb4a

SHA512
6e78ec731601d74a37ee762f0f79c241475996401dcf7e4ba66e193635a70de2f3d47518d15dac900e5de66b28a64230e6a5f21add42cbdb61bcf00883ff1859

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
195KB

MD5
0cca37822b0b3abfbbf39dee4822c775

SHA1
c01fe9c8e7c0d445b861611d83bbc4de1c4492d3

SHA256
62fa718f3e1249b44ca790dd8066b0a19a52ad1a9343bbdba2d45d9ba645fb4a

SHA512
6e78ec731601d74a37ee762f0f79c241475996401dcf7e4ba66e193635a70de2f3d47518d15dac900e5de66b28a64230e6a5f21add42cbdb61bcf00883ff1859

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
7fc0db81060e343fd209dc050b401f77

SHA1
08ce8975b023bf90c21b8e64cd54fdd39debce04

SHA256
4a21d378652d4291a6b9e88a1934ac51e9eccd5c9a42aa09076219301509367f

SHA512
e0d13ba3713707f7cb9be56240930a8f47d8c302e692b49dcb01f7bdf3e3475f829e1ead60ce6a5f98bed591be96456e9c3ef67bb27f88dc70343c1412e9de57

Download Submit
C:\Windows\hosts.exe

Filesize
195KB

MD5
7b93ea405954796acad484f9513b9268

SHA1
19578d765566904f02992118707eac72c9695b50

SHA256
963410ffbdc648c00eefab97f622b8922ac3cfcef298b8ade78cbfe730689c20

SHA512
76beba9b4db25af2cc8ae7e8cd43deb8574c2a45d9cffef0a7f0bb15878ddc9d59916c7666a47001f42a11ef76cb530dedd3b575745ed393a45ebcdadece2728

Download Submit
C:\Windows\hosts.exe

Filesize
195KB

MD5
7b93ea405954796acad484f9513b9268

SHA1
19578d765566904f02992118707eac72c9695b50

SHA256
963410ffbdc648c00eefab97f622b8922ac3cfcef298b8ade78cbfe730689c20

SHA512
76beba9b4db25af2cc8ae7e8cd43deb8574c2a45d9cffef0a7f0bb15878ddc9d59916c7666a47001f42a11ef76cb530dedd3b575745ed393a45ebcdadece2728

Download Submit
C:\Windows\hosts.exe

Filesize
195KB

MD5
7b93ea405954796acad484f9513b9268

SHA1
19578d765566904f02992118707eac72c9695b50

SHA256
963410ffbdc648c00eefab97f622b8922ac3cfcef298b8ade78cbfe730689c20

SHA512
76beba9b4db25af2cc8ae7e8cd43deb8574c2a45d9cffef0a7f0bb15878ddc9d59916c7666a47001f42a11ef76cb530dedd3b575745ed393a45ebcdadece2728

Download Submit
C:\Windows\hosts.exe

Filesize
195KB

MD5
7b93ea405954796acad484f9513b9268

SHA1
19578d765566904f02992118707eac72c9695b50

SHA256
963410ffbdc648c00eefab97f622b8922ac3cfcef298b8ade78cbfe730689c20

SHA512
76beba9b4db25af2cc8ae7e8cd43deb8574c2a45d9cffef0a7f0bb15878ddc9d59916c7666a47001f42a11ef76cb530dedd3b575745ed393a45ebcdadece2728

Download Submit
C:\windows\hosts.exe

Filesize
195KB

MD5
7b93ea405954796acad484f9513b9268

SHA1
19578d765566904f02992118707eac72c9695b50

SHA256
963410ffbdc648c00eefab97f622b8922ac3cfcef298b8ade78cbfe730689c20

SHA512
76beba9b4db25af2cc8ae7e8cd43deb8574c2a45d9cffef0a7f0bb15878ddc9d59916c7666a47001f42a11ef76cb530dedd3b575745ed393a45ebcdadece2728

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads