80d684e8bd7a97bb4d3edd28854be51e45cfe73fa680ef5405b57b2f9187c42e

Analysis

max time kernel
192s
max time network
65s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80d684e8bd7a97bb4d3edd28854be51e45cfe73fa680ef5405b57b2f9187c42e.exe
Size

216KB
MD5

015435ee3a8334a45aa49a66520a5c29
SHA1

5fa847516c7e78ed8a3ec79a5f17da151008ddbc
SHA256

80d684e8bd7a97bb4d3edd28854be51e45cfe73fa680ef5405b57b2f9187c42e
SHA512

f099c33534209485aedc212efa171db4d97bb17f64807e4bb6cf070c7b271d705b7dbd9d4e23d6554856d9dac3e5cbedb1b274528cd670b64954692ff156f5de
SSDEEP

3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCm/DER4eQfOK3Xrz9o3Te8TxyMSL0:gDCwfG1bnxLERRwrSaAxyhQ

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

80d684e8bd7a97bb4d3edd28854be51e45cfe73fa680ef5405b57b2f9187c42e.exeavscan.exehosts.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	80d684e8bd7a97bb4d3edd28854be51e45cfe73fa680ef5405b57b2f9187c42e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

80d684e8bd7a97bb4d3edd28854be51e45cfe73fa680ef5405b57b2f9187c42e.exeavscan.exehosts.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	80d684e8bd7a97bb4d3edd28854be51e45cfe73fa680ef5405b57b2f9187c42e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exeWScript.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VUIIVLGQ = "W_X_C.bat"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VUIIVLGQ = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VUIIVLGQ = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

Processes:

avscan.exeavscan.exehosts.exehosts.exeavscan.exehosts.exe

pid process

1304 avscan.exe
1104 avscan.exe
1552 hosts.exe
608 hosts.exe
1968 avscan.exe
1388 hosts.exe

pid	process
1304	avscan.exe
1104	avscan.exe
1552	hosts.exe
608	hosts.exe
1968	avscan.exe
1388	hosts.exe

Loads dropped DLL 5 IoCs

Processes:

80d684e8bd7a97bb4d3edd28854be51e45cfe73fa680ef5405b57b2f9187c42e.exeavscan.exehosts.exe

pid	process
1740	80d684e8bd7a97bb4d3edd28854be51e45cfe73fa680ef5405b57b2f9187c42e.exe
1740	80d684e8bd7a97bb4d3edd28854be51e45cfe73fa680ef5405b57b2f9187c42e.exe
1304	avscan.exe
608	hosts.exe
608	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

hosts.exe80d684e8bd7a97bb4d3edd28854be51e45cfe73fa680ef5405b57b2f9187c42e.exeavscan.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	80d684e8bd7a97bb4d3edd28854be51e45cfe73fa680ef5405b57b2f9187c42e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	80d684e8bd7a97bb4d3edd28854be51e45cfe73fa680ef5405b57b2f9187c42e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe

Drops file in Windows directory 5 IoCs

Processes:

avscan.exehosts.exe80d684e8bd7a97bb4d3edd28854be51e45cfe73fa680ef5405b57b2f9187c42e.exe

description	ioc	process
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	80d684e8bd7a97bb4d3edd28854be51e45cfe73fa680ef5405b57b2f9187c42e.exe
File created	\??\c:\windows\W_X_C.bat	80d684e8bd7a97bb4d3edd28854be51e45cfe73fa680ef5405b57b2f9187c42e.exe
File opened for modification	C:\Windows\hosts.exe	80d684e8bd7a97bb4d3edd28854be51e45cfe73fa680ef5405b57b2f9187c42e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

REG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exe

pid process

848 REG.exe
112 REG.exe
1496 REG.exe
1916 REG.exe
1708 REG.exe
2028 REG.exe
1696 REG.exe
1556 REG.exe
1712 REG.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

avscan.exehosts.exe

pid process

1304 avscan.exe
608 hosts.exe

pid	process
848	REG.exe
112	REG.exe
1496	REG.exe
1916	REG.exe
1708	REG.exe
2028	REG.exe
1696	REG.exe
1556	REG.exe
1712	REG.exe

pid	process
1304	avscan.exe
608	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

80d684e8bd7a97bb4d3edd28854be51e45cfe73fa680ef5405b57b2f9187c42e.exeavscan.exeavscan.exehosts.exehosts.exeavscan.exehosts.exe

pid	process
1740	80d684e8bd7a97bb4d3edd28854be51e45cfe73fa680ef5405b57b2f9187c42e.exe
1304	avscan.exe
1104	avscan.exe
608	hosts.exe
1552	hosts.exe
1968	avscan.exe
1388	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

80d684e8bd7a97bb4d3edd28854be51e45cfe73fa680ef5405b57b2f9187c42e.exeavscan.execmd.execmd.exehosts.execmd.exe

description	pid	process	target process
PID 1740 wrote to memory of 848	1740	80d684e8bd7a97bb4d3edd28854be51e45cfe73fa680ef5405b57b2f9187c42e.exe	REG.exe
PID 1740 wrote to memory of 848	1740	80d684e8bd7a97bb4d3edd28854be51e45cfe73fa680ef5405b57b2f9187c42e.exe	REG.exe
PID 1740 wrote to memory of 848	1740	80d684e8bd7a97bb4d3edd28854be51e45cfe73fa680ef5405b57b2f9187c42e.exe	REG.exe
PID 1740 wrote to memory of 848	1740	80d684e8bd7a97bb4d3edd28854be51e45cfe73fa680ef5405b57b2f9187c42e.exe	REG.exe
PID 1740 wrote to memory of 1304	1740	80d684e8bd7a97bb4d3edd28854be51e45cfe73fa680ef5405b57b2f9187c42e.exe	avscan.exe
PID 1740 wrote to memory of 1304	1740	80d684e8bd7a97bb4d3edd28854be51e45cfe73fa680ef5405b57b2f9187c42e.exe	avscan.exe
PID 1740 wrote to memory of 1304	1740	80d684e8bd7a97bb4d3edd28854be51e45cfe73fa680ef5405b57b2f9187c42e.exe	avscan.exe
PID 1740 wrote to memory of 1304	1740	80d684e8bd7a97bb4d3edd28854be51e45cfe73fa680ef5405b57b2f9187c42e.exe	avscan.exe
PID 1304 wrote to memory of 1104	1304	avscan.exe	avscan.exe
PID 1304 wrote to memory of 1104	1304	avscan.exe	avscan.exe
PID 1304 wrote to memory of 1104	1304	avscan.exe	avscan.exe
PID 1304 wrote to memory of 1104	1304	avscan.exe	avscan.exe
PID 1304 wrote to memory of 1636	1304	avscan.exe	cmd.exe
PID 1304 wrote to memory of 1636	1304	avscan.exe	cmd.exe
PID 1304 wrote to memory of 1636	1304	avscan.exe	cmd.exe
PID 1304 wrote to memory of 1636	1304	avscan.exe	cmd.exe
PID 1740 wrote to memory of 1412	1740	80d684e8bd7a97bb4d3edd28854be51e45cfe73fa680ef5405b57b2f9187c42e.exe	cmd.exe
PID 1740 wrote to memory of 1412	1740	80d684e8bd7a97bb4d3edd28854be51e45cfe73fa680ef5405b57b2f9187c42e.exe	cmd.exe
PID 1740 wrote to memory of 1412	1740	80d684e8bd7a97bb4d3edd28854be51e45cfe73fa680ef5405b57b2f9187c42e.exe	cmd.exe
PID 1740 wrote to memory of 1412	1740	80d684e8bd7a97bb4d3edd28854be51e45cfe73fa680ef5405b57b2f9187c42e.exe	cmd.exe
PID 1636 wrote to memory of 1552	1636	cmd.exe	hosts.exe
PID 1636 wrote to memory of 1552	1636	cmd.exe	hosts.exe
PID 1636 wrote to memory of 1552	1636	cmd.exe	hosts.exe
PID 1636 wrote to memory of 1552	1636	cmd.exe	hosts.exe
PID 1412 wrote to memory of 608	1412	cmd.exe	hosts.exe
PID 1412 wrote to memory of 608	1412	cmd.exe	hosts.exe
PID 1412 wrote to memory of 608	1412	cmd.exe	hosts.exe
PID 1412 wrote to memory of 608	1412	cmd.exe	hosts.exe
PID 608 wrote to memory of 1968	608	hosts.exe	avscan.exe
PID 608 wrote to memory of 1968	608	hosts.exe	avscan.exe
PID 608 wrote to memory of 1968	608	hosts.exe	avscan.exe
PID 608 wrote to memory of 1968	608	hosts.exe	avscan.exe
PID 608 wrote to memory of 1592	608	hosts.exe	cmd.exe
PID 608 wrote to memory of 1592	608	hosts.exe	cmd.exe
PID 608 wrote to memory of 1592	608	hosts.exe	cmd.exe
PID 608 wrote to memory of 1592	608	hosts.exe	cmd.exe
PID 1592 wrote to memory of 1388	1592	cmd.exe	hosts.exe
PID 1592 wrote to memory of 1388	1592	cmd.exe	hosts.exe
PID 1592 wrote to memory of 1388	1592	cmd.exe	hosts.exe
PID 1592 wrote to memory of 1388	1592	cmd.exe	hosts.exe
PID 1412 wrote to memory of 852	1412	cmd.exe	WScript.exe
PID 1412 wrote to memory of 852	1412	cmd.exe	WScript.exe
PID 1412 wrote to memory of 852	1412	cmd.exe	WScript.exe
PID 1412 wrote to memory of 852	1412	cmd.exe	WScript.exe
PID 1636 wrote to memory of 1756	1636	cmd.exe	WScript.exe
PID 1636 wrote to memory of 1756	1636	cmd.exe	WScript.exe
PID 1636 wrote to memory of 1756	1636	cmd.exe	WScript.exe
PID 1636 wrote to memory of 1756	1636	cmd.exe	WScript.exe
PID 1592 wrote to memory of 1732	1592	cmd.exe	WScript.exe
PID 1592 wrote to memory of 1732	1592	cmd.exe	WScript.exe
PID 1592 wrote to memory of 1732	1592	cmd.exe	WScript.exe
PID 1592 wrote to memory of 1732	1592	cmd.exe	WScript.exe
PID 1304 wrote to memory of 1708	1304	avscan.exe	REG.exe
PID 1304 wrote to memory of 1708	1304	avscan.exe	REG.exe
PID 1304 wrote to memory of 1708	1304	avscan.exe	REG.exe
PID 1304 wrote to memory of 1708	1304	avscan.exe	REG.exe
PID 608 wrote to memory of 2028	608	hosts.exe	REG.exe
PID 608 wrote to memory of 2028	608	hosts.exe	REG.exe
PID 608 wrote to memory of 2028	608	hosts.exe	REG.exe
PID 608 wrote to memory of 2028	608	hosts.exe	REG.exe
PID 608 wrote to memory of 112	608	hosts.exe	REG.exe
PID 608 wrote to memory of 112	608	hosts.exe	REG.exe
PID 608 wrote to memory of 112	608	hosts.exe	REG.exe
PID 608 wrote to memory of 112	608	hosts.exe	REG.exe

C:\Users\Admin\AppData\Local\Temp\80d684e8bd7a97bb4d3edd28854be51e45cfe73fa680ef5405b57b2f9187c42e.exe
"C:\Users\Admin\AppData\Local\Temp\80d684e8bd7a97bb4d3edd28854be51e45cfe73fa680ef5405b57b2f9187c42e.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:848
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1104
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1552
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:1756
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1708
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1696
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1556
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1712
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:608
  - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1968
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\W_X_C.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1592
    - - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1388
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        5⤵
        Adds policy Run key to start application
        
        PID:1732
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:2028
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:112
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1496
  - - C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      Modifies registry key
      PID:1916
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
482KB

MD5
48a1ef95801fee1c384a2cca8c5c101a

SHA1
160b3ccbe9b311065caee0591b4e25742417615e

SHA256
0850d1e6b917059559fd15cf67fbae7961d854a938023b2dc89d45ea1dc4dffd

SHA512
89f9e5f3ab8c45ece4c5d79e7d29506e24f604b9667d4d93ef3b2928e3740d6730de02d327fa9a85d4221e0b6ac52375df68af0074bd17b60daea1360c73c673

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
915KB

MD5
e63fa71668324279e3c9888057734700

SHA1
aede123ae91b3b98a959d786150b0f1a12991510

SHA256
b0727fc776bfdea4d8f3d0168f1d435e228df202c300b52be5bc76aac592f586

SHA512
44377c299f3554e4d94ad4c0e5de81bb299e1ec6bf781620c89900224fd9a2cd4f9710f157183500b2ac092b0e606b401df423eff7dff6ff66e8754d6361b4d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
915KB

MD5
e63fa71668324279e3c9888057734700

SHA1
aede123ae91b3b98a959d786150b0f1a12991510

SHA256
b0727fc776bfdea4d8f3d0168f1d435e228df202c300b52be5bc76aac592f586

SHA512
44377c299f3554e4d94ad4c0e5de81bb299e1ec6bf781620c89900224fd9a2cd4f9710f157183500b2ac092b0e606b401df423eff7dff6ff66e8754d6361b4d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.1MB

MD5
cd9e23ee9aaca6b97ff412c2286b2052

SHA1
0bd3e71c2b0578a02fe2d2fdf7fef6c052c217c4

SHA256
a87aebe25e8b2129db261a42713e222e97290497b94f2e39544bda765d4b52dd

SHA512
80a4edd603727fcc6db04d4f3140c1eed3270c6b8d112f5932b0972cc2df32e245eadef5cbd37656460c38662f514018fe2453149e5f4086d25419583a66b9bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.1MB

MD5
cd9e23ee9aaca6b97ff412c2286b2052

SHA1
0bd3e71c2b0578a02fe2d2fdf7fef6c052c217c4

SHA256
a87aebe25e8b2129db261a42713e222e97290497b94f2e39544bda765d4b52dd

SHA512
80a4edd603727fcc6db04d4f3140c1eed3270c6b8d112f5932b0972cc2df32e245eadef5cbd37656460c38662f514018fe2453149e5f4086d25419583a66b9bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.3MB

MD5
a8edabce0c8b7f2edea33b711bdd3d88

SHA1
6c691a949056ab85de00e354e9cdbd9effdfbeed

SHA256
86f0a2d582b1d542c057aede2469e66365de434ca4f1c6ab734b72d49f6e199a

SHA512
0abc3af153daf8ff5f21e22190e6b373ce175da2f20435143a6ab57dc65d3e9c4b9f8365de456283fbb7339768ab6999421ac5b6c6f1190af424bb0fcc438dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.5MB

MD5
45753b05d8b16722688724f56f0735a8

SHA1
d4de9d697a16c4497e379bb28ee6bb09f0cf42f5

SHA256
a85e6b6c5823459b88dc1f02d4370e967b5dda0061efe6af1e84a0ecf54a7563

SHA512
d14b6ce87ea0cf8a9a9d742f3f45f134d49d09f338f7675e8d6867ecd8d57a3d8bf136ba5b45ca6eb2a8a3f82e3614c582a4607833fcfe35283131279d088f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
216KB

MD5
d29e6aeadf3145dc212c251ff6950457

SHA1
4129f78ac3f3f868957830b7bb7c08b302ade142

SHA256
2e36924ccce28b5cd3ea79ec15d22543cda77ccc81fdf1fd7874ec0310ea36eb

SHA512
dad9d50403f062b4fcf6bef46d2a87ad47f7571e9c913d28ac61d15e96accfd6a07db28846925360c4e78f83d77da4551a6fbeacb598ad98ebf21f9dfc9870fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
216KB

MD5
d29e6aeadf3145dc212c251ff6950457

SHA1
4129f78ac3f3f868957830b7bb7c08b302ade142

SHA256
2e36924ccce28b5cd3ea79ec15d22543cda77ccc81fdf1fd7874ec0310ea36eb

SHA512
dad9d50403f062b4fcf6bef46d2a87ad47f7571e9c913d28ac61d15e96accfd6a07db28846925360c4e78f83d77da4551a6fbeacb598ad98ebf21f9dfc9870fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
216KB

MD5
d29e6aeadf3145dc212c251ff6950457

SHA1
4129f78ac3f3f868957830b7bb7c08b302ade142

SHA256
2e36924ccce28b5cd3ea79ec15d22543cda77ccc81fdf1fd7874ec0310ea36eb

SHA512
dad9d50403f062b4fcf6bef46d2a87ad47f7571e9c913d28ac61d15e96accfd6a07db28846925360c4e78f83d77da4551a6fbeacb598ad98ebf21f9dfc9870fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
216KB

MD5
d29e6aeadf3145dc212c251ff6950457

SHA1
4129f78ac3f3f868957830b7bb7c08b302ade142

SHA256
2e36924ccce28b5cd3ea79ec15d22543cda77ccc81fdf1fd7874ec0310ea36eb

SHA512
dad9d50403f062b4fcf6bef46d2a87ad47f7571e9c913d28ac61d15e96accfd6a07db28846925360c4e78f83d77da4551a6fbeacb598ad98ebf21f9dfc9870fa

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
bb5f0d81909924d647dc29f49c1ab135

SHA1
3f69821597fc6e1bf95639ed73729d5b28d30571

SHA256
71a89829e758fce2196f5ae1fce0af4110c85b65f1cacbd9d34394843a0e9563

SHA512
e4459b6d398a439a6c086e1fbec0ce713c530f8c6ff9237fa080eb3fed35fcb938d88eb70bef32fe5d7853435c3cca5a25c207473239c460633ac30e302765ab

Download Submit
C:\Windows\hosts.exe

Filesize
217KB

MD5
5853327da1e28b7371d40d2e03ed3f0c

SHA1
cd0adab0582049576a4284920fa2f200a82c616e

SHA256
148e4e9925b3abf59590a61d0beeee01e342db5e4b251f11bd3aa0e30981c98a

SHA512
3d2f517240e3ea4bdca6fedefb34edafa4e749ac3701f9cc0719127fa02a14ec81c8f07c7c14b4dd13376bb13237dff270b91666bd03a3be9e9fb032c97458d6

Download Submit
C:\Windows\hosts.exe

Filesize
217KB

MD5
5853327da1e28b7371d40d2e03ed3f0c

SHA1
cd0adab0582049576a4284920fa2f200a82c616e

SHA256
148e4e9925b3abf59590a61d0beeee01e342db5e4b251f11bd3aa0e30981c98a

SHA512
3d2f517240e3ea4bdca6fedefb34edafa4e749ac3701f9cc0719127fa02a14ec81c8f07c7c14b4dd13376bb13237dff270b91666bd03a3be9e9fb032c97458d6

Download Submit
C:\Windows\hosts.exe

Filesize
217KB

MD5
5853327da1e28b7371d40d2e03ed3f0c

SHA1
cd0adab0582049576a4284920fa2f200a82c616e

SHA256
148e4e9925b3abf59590a61d0beeee01e342db5e4b251f11bd3aa0e30981c98a

SHA512
3d2f517240e3ea4bdca6fedefb34edafa4e749ac3701f9cc0719127fa02a14ec81c8f07c7c14b4dd13376bb13237dff270b91666bd03a3be9e9fb032c97458d6

Download Submit
C:\Windows\hosts.exe

Filesize
217KB

MD5
5853327da1e28b7371d40d2e03ed3f0c

SHA1
cd0adab0582049576a4284920fa2f200a82c616e

SHA256
148e4e9925b3abf59590a61d0beeee01e342db5e4b251f11bd3aa0e30981c98a

SHA512
3d2f517240e3ea4bdca6fedefb34edafa4e749ac3701f9cc0719127fa02a14ec81c8f07c7c14b4dd13376bb13237dff270b91666bd03a3be9e9fb032c97458d6

Download Submit
C:\windows\hosts.exe

Filesize
217KB

MD5
5853327da1e28b7371d40d2e03ed3f0c

SHA1
cd0adab0582049576a4284920fa2f200a82c616e

SHA256
148e4e9925b3abf59590a61d0beeee01e342db5e4b251f11bd3aa0e30981c98a

SHA512
3d2f517240e3ea4bdca6fedefb34edafa4e749ac3701f9cc0719127fa02a14ec81c8f07c7c14b4dd13376bb13237dff270b91666bd03a3be9e9fb032c97458d6

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
216KB

MD5
d29e6aeadf3145dc212c251ff6950457

SHA1
4129f78ac3f3f868957830b7bb7c08b302ade142

SHA256
2e36924ccce28b5cd3ea79ec15d22543cda77ccc81fdf1fd7874ec0310ea36eb

SHA512
dad9d50403f062b4fcf6bef46d2a87ad47f7571e9c913d28ac61d15e96accfd6a07db28846925360c4e78f83d77da4551a6fbeacb598ad98ebf21f9dfc9870fa

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
216KB

MD5
d29e6aeadf3145dc212c251ff6950457

SHA1
4129f78ac3f3f868957830b7bb7c08b302ade142

SHA256
2e36924ccce28b5cd3ea79ec15d22543cda77ccc81fdf1fd7874ec0310ea36eb

SHA512
dad9d50403f062b4fcf6bef46d2a87ad47f7571e9c913d28ac61d15e96accfd6a07db28846925360c4e78f83d77da4551a6fbeacb598ad98ebf21f9dfc9870fa

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
216KB

MD5
d29e6aeadf3145dc212c251ff6950457

SHA1
4129f78ac3f3f868957830b7bb7c08b302ade142

SHA256
2e36924ccce28b5cd3ea79ec15d22543cda77ccc81fdf1fd7874ec0310ea36eb

SHA512
dad9d50403f062b4fcf6bef46d2a87ad47f7571e9c913d28ac61d15e96accfd6a07db28846925360c4e78f83d77da4551a6fbeacb598ad98ebf21f9dfc9870fa

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
216KB

MD5
d29e6aeadf3145dc212c251ff6950457

SHA1
4129f78ac3f3f868957830b7bb7c08b302ade142

SHA256
2e36924ccce28b5cd3ea79ec15d22543cda77ccc81fdf1fd7874ec0310ea36eb

SHA512
dad9d50403f062b4fcf6bef46d2a87ad47f7571e9c913d28ac61d15e96accfd6a07db28846925360c4e78f83d77da4551a6fbeacb598ad98ebf21f9dfc9870fa

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
216KB

MD5
d29e6aeadf3145dc212c251ff6950457

SHA1
4129f78ac3f3f868957830b7bb7c08b302ade142

SHA256
2e36924ccce28b5cd3ea79ec15d22543cda77ccc81fdf1fd7874ec0310ea36eb

SHA512
dad9d50403f062b4fcf6bef46d2a87ad47f7571e9c913d28ac61d15e96accfd6a07db28846925360c4e78f83d77da4551a6fbeacb598ad98ebf21f9dfc9870fa

Download Submit
memory/112-110-0x0000000000000000-mapping.dmp

Download
memory/608-77-0x0000000000000000-mapping.dmp

Download
memory/848-57-0x0000000000000000-mapping.dmp

Download
memory/852-100-0x0000000000000000-mapping.dmp

Download
memory/1104-68-0x0000000000000000-mapping.dmp

Download
memory/1304-61-0x0000000000000000-mapping.dmp

Download
memory/1388-94-0x0000000000000000-mapping.dmp

Download
memory/1412-74-0x0000000000000000-mapping.dmp

Download
memory/1496-115-0x0000000000000000-mapping.dmp

Download
memory/1552-76-0x0000000000000000-mapping.dmp

Download
memory/1556-114-0x0000000000000000-mapping.dmp

Download
memory/1592-92-0x0000000000000000-mapping.dmp

Download
memory/1636-73-0x0000000000000000-mapping.dmp

Download
memory/1696-111-0x0000000000000000-mapping.dmp

Download
memory/1708-106-0x0000000000000000-mapping.dmp

Download
memory/1712-122-0x0000000000000000-mapping.dmp

Download
memory/1732-101-0x0000000000000000-mapping.dmp

Download
memory/1740-58-0x0000000074BD1000-0x0000000074BD3000-memory.dmp

Filesize
8KB

Download
memory/1740-56-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download
memory/1756-99-0x0000000000000000-mapping.dmp

Download
memory/1916-119-0x0000000000000000-mapping.dmp

Download
memory/1968-88-0x0000000000000000-mapping.dmp

Download
memory/2028-108-0x0000000000000000-mapping.dmp

Download