1122507cbf55f5e6cc356367c9a49aea506b8ff711978936a2f0431859fd6065

Analysis

max time kernel
143s
max time network
58s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1122507cbf55f5e6cc356367c9a49aea506b8ff711978936a2f0431859fd6065.exe
Size

181KB
MD5

068ed81b7b7a3426f0f6292e4f41acd2
SHA1

031cca397819188b38482717d254dcd09dbcc9e6
SHA256

1122507cbf55f5e6cc356367c9a49aea506b8ff711978936a2f0431859fd6065
SHA512

a14e0036ee722b72ad4db3c84e0d06328ced0fecb3c883a735df8ab1bcc68ee2ec825351a46815b5ddcf12aa7439d8a892dabb7a5d7c637718fb6c03c263bcde
SSDEEP

3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCm/DER4eQKhsaR2:gDCwfG1bnxLERR9saR2

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

1122507cbf55f5e6cc356367c9a49aea506b8ff711978936a2f0431859fd6065.exeavscan.exehosts.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	1122507cbf55f5e6cc356367c9a49aea506b8ff711978936a2f0431859fd6065.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

1122507cbf55f5e6cc356367c9a49aea506b8ff711978936a2f0431859fd6065.exeavscan.exehosts.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	1122507cbf55f5e6cc356367c9a49aea506b8ff711978936a2f0431859fd6065.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exeWScript.exeWScript.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\SABDUHNY = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\SABDUHNY = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\SABDUHNY = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe

Executes dropped EXE 6 IoCs

Processes:

avscan.exeavscan.exehosts.exehosts.exeavscan.exehosts.exe

pid process

1744 avscan.exe
1736 avscan.exe
768 hosts.exe
964 hosts.exe
1660 avscan.exe
1968 hosts.exe

pid	process
1744	avscan.exe
1736	avscan.exe
768	hosts.exe
964	hosts.exe
1660	avscan.exe
1968	hosts.exe

Loads dropped DLL 5 IoCs

Processes:

1122507cbf55f5e6cc356367c9a49aea506b8ff711978936a2f0431859fd6065.exeavscan.exehosts.exe

pid	process
832	1122507cbf55f5e6cc356367c9a49aea506b8ff711978936a2f0431859fd6065.exe
832	1122507cbf55f5e6cc356367c9a49aea506b8ff711978936a2f0431859fd6065.exe
1744	avscan.exe
768	hosts.exe
768	hosts.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1122507cbf55f5e6cc356367c9a49aea506b8ff711978936a2f0431859fd6065.exeavscan.exehosts.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	1122507cbf55f5e6cc356367c9a49aea506b8ff711978936a2f0431859fd6065.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	1122507cbf55f5e6cc356367c9a49aea506b8ff711978936a2f0431859fd6065.exe

Drops file in Windows directory 5 IoCs

Processes:

1122507cbf55f5e6cc356367c9a49aea506b8ff711978936a2f0431859fd6065.exeavscan.exehosts.exe

description	ioc	process
File created	C:\windows\W_X_C.vbs	1122507cbf55f5e6cc356367c9a49aea506b8ff711978936a2f0431859fd6065.exe
File created	\??\c:\windows\W_X_C.bat	1122507cbf55f5e6cc356367c9a49aea506b8ff711978936a2f0431859fd6065.exe
File opened for modification	C:\Windows\hosts.exe	1122507cbf55f5e6cc356367c9a49aea506b8ff711978936a2f0431859fd6065.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

REG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exe

pid process

1524 REG.exe
2036 REG.exe
860 REG.exe
660 REG.exe
1648 REG.exe
2032 REG.exe
1612 REG.exe
1092 REG.exe
1620 REG.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

avscan.exehosts.exe

pid process

1744 avscan.exe
768 hosts.exe

pid	process
1524	REG.exe
2036	REG.exe
860	REG.exe
660	REG.exe
1648	REG.exe
2032	REG.exe
1612	REG.exe
1092	REG.exe
1620	REG.exe

pid	process
1744	avscan.exe
768	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

1122507cbf55f5e6cc356367c9a49aea506b8ff711978936a2f0431859fd6065.exeavscan.exeavscan.exehosts.exehosts.exeavscan.exehosts.exe

pid	process
832	1122507cbf55f5e6cc356367c9a49aea506b8ff711978936a2f0431859fd6065.exe
1744	avscan.exe
1736	avscan.exe
768	hosts.exe
964	hosts.exe
1660	avscan.exe
1968	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1122507cbf55f5e6cc356367c9a49aea506b8ff711978936a2f0431859fd6065.exeavscan.execmd.execmd.exehosts.execmd.exe

description	pid	process	target process
PID 832 wrote to memory of 2032	832	1122507cbf55f5e6cc356367c9a49aea506b8ff711978936a2f0431859fd6065.exe	REG.exe
PID 832 wrote to memory of 2032	832	1122507cbf55f5e6cc356367c9a49aea506b8ff711978936a2f0431859fd6065.exe	REG.exe
PID 832 wrote to memory of 2032	832	1122507cbf55f5e6cc356367c9a49aea506b8ff711978936a2f0431859fd6065.exe	REG.exe
PID 832 wrote to memory of 2032	832	1122507cbf55f5e6cc356367c9a49aea506b8ff711978936a2f0431859fd6065.exe	REG.exe
PID 832 wrote to memory of 1744	832	1122507cbf55f5e6cc356367c9a49aea506b8ff711978936a2f0431859fd6065.exe	avscan.exe
PID 832 wrote to memory of 1744	832	1122507cbf55f5e6cc356367c9a49aea506b8ff711978936a2f0431859fd6065.exe	avscan.exe
PID 832 wrote to memory of 1744	832	1122507cbf55f5e6cc356367c9a49aea506b8ff711978936a2f0431859fd6065.exe	avscan.exe
PID 832 wrote to memory of 1744	832	1122507cbf55f5e6cc356367c9a49aea506b8ff711978936a2f0431859fd6065.exe	avscan.exe
PID 1744 wrote to memory of 1736	1744	avscan.exe	avscan.exe
PID 1744 wrote to memory of 1736	1744	avscan.exe	avscan.exe
PID 1744 wrote to memory of 1736	1744	avscan.exe	avscan.exe
PID 1744 wrote to memory of 1736	1744	avscan.exe	avscan.exe
PID 1744 wrote to memory of 916	1744	avscan.exe	cmd.exe
PID 1744 wrote to memory of 916	1744	avscan.exe	cmd.exe
PID 1744 wrote to memory of 916	1744	avscan.exe	cmd.exe
PID 1744 wrote to memory of 916	1744	avscan.exe	cmd.exe
PID 832 wrote to memory of 796	832	1122507cbf55f5e6cc356367c9a49aea506b8ff711978936a2f0431859fd6065.exe	cmd.exe
PID 832 wrote to memory of 796	832	1122507cbf55f5e6cc356367c9a49aea506b8ff711978936a2f0431859fd6065.exe	cmd.exe
PID 832 wrote to memory of 796	832	1122507cbf55f5e6cc356367c9a49aea506b8ff711978936a2f0431859fd6065.exe	cmd.exe
PID 832 wrote to memory of 796	832	1122507cbf55f5e6cc356367c9a49aea506b8ff711978936a2f0431859fd6065.exe	cmd.exe
PID 796 wrote to memory of 768	796	cmd.exe	hosts.exe
PID 796 wrote to memory of 768	796	cmd.exe	hosts.exe
PID 796 wrote to memory of 768	796	cmd.exe	hosts.exe
PID 796 wrote to memory of 768	796	cmd.exe	hosts.exe
PID 916 wrote to memory of 964	916	cmd.exe	hosts.exe
PID 916 wrote to memory of 964	916	cmd.exe	hosts.exe
PID 916 wrote to memory of 964	916	cmd.exe	hosts.exe
PID 916 wrote to memory of 964	916	cmd.exe	hosts.exe
PID 916 wrote to memory of 1468	916	cmd.exe	WScript.exe
PID 916 wrote to memory of 1468	916	cmd.exe	WScript.exe
PID 916 wrote to memory of 1468	916	cmd.exe	WScript.exe
PID 916 wrote to memory of 1468	916	cmd.exe	WScript.exe
PID 768 wrote to memory of 1660	768	hosts.exe	avscan.exe
PID 768 wrote to memory of 1660	768	hosts.exe	avscan.exe
PID 768 wrote to memory of 1660	768	hosts.exe	avscan.exe
PID 768 wrote to memory of 1660	768	hosts.exe	avscan.exe
PID 768 wrote to memory of 1324	768	hosts.exe	cmd.exe
PID 768 wrote to memory of 1324	768	hosts.exe	cmd.exe
PID 768 wrote to memory of 1324	768	hosts.exe	cmd.exe
PID 768 wrote to memory of 1324	768	hosts.exe	cmd.exe
PID 1324 wrote to memory of 1968	1324	cmd.exe	hosts.exe
PID 1324 wrote to memory of 1968	1324	cmd.exe	hosts.exe
PID 1324 wrote to memory of 1968	1324	cmd.exe	hosts.exe
PID 1324 wrote to memory of 1968	1324	cmd.exe	hosts.exe
PID 796 wrote to memory of 1556	796	cmd.exe	WScript.exe
PID 796 wrote to memory of 1556	796	cmd.exe	WScript.exe
PID 796 wrote to memory of 1556	796	cmd.exe	WScript.exe
PID 796 wrote to memory of 1556	796	cmd.exe	WScript.exe
PID 1324 wrote to memory of 1836	1324	cmd.exe	WScript.exe
PID 1324 wrote to memory of 1836	1324	cmd.exe	WScript.exe
PID 1324 wrote to memory of 1836	1324	cmd.exe	WScript.exe
PID 1324 wrote to memory of 1836	1324	cmd.exe	WScript.exe
PID 1744 wrote to memory of 1524	1744	avscan.exe	REG.exe
PID 1744 wrote to memory of 1524	1744	avscan.exe	REG.exe
PID 1744 wrote to memory of 1524	1744	avscan.exe	REG.exe
PID 1744 wrote to memory of 1524	1744	avscan.exe	REG.exe
PID 768 wrote to memory of 1612	768	hosts.exe	REG.exe
PID 768 wrote to memory of 1612	768	hosts.exe	REG.exe
PID 768 wrote to memory of 1612	768	hosts.exe	REG.exe
PID 768 wrote to memory of 1612	768	hosts.exe	REG.exe
PID 1744 wrote to memory of 2036	1744	avscan.exe	REG.exe
PID 1744 wrote to memory of 2036	1744	avscan.exe	REG.exe
PID 1744 wrote to memory of 2036	1744	avscan.exe	REG.exe
PID 1744 wrote to memory of 2036	1744	avscan.exe	REG.exe

C:\Users\Admin\AppData\Local\Temp\1122507cbf55f5e6cc356367c9a49aea506b8ff711978936a2f0431859fd6065.exe
"C:\Users\Admin\AppData\Local\Temp\1122507cbf55f5e6cc356367c9a49aea506b8ff711978936a2f0431859fd6065.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
2⤵
- Modifies registry key
PID:2032

C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1744

C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1736

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:916

C:\windows\hosts.exe
C:\windows\hosts.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:964

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
4⤵
- Adds policy Run key to start application
PID:1468

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
PID:1524

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
PID:2036

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
PID:860

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
PID:1620

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:796

C:\windows\hosts.exe
C:\windows\hosts.exe
3⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:768

C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1660

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:1324

C:\windows\hosts.exe
C:\windows\hosts.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1968

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
5⤵
- Adds policy Run key to start application
PID:1836

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
4⤵
- Modifies registry key
PID:1612

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
4⤵
- Modifies registry key
PID:1092

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
4⤵
- Modifies registry key
PID:660

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
4⤵
- Modifies registry key
PID:1648

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
3⤵
- Adds policy Run key to start application
PID:1556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
412KB

MD5
18c6a052bc89d43c0a511a15aa21fb35

SHA1
b3018c82b972ec96e8b6e79b2187e4bbdedcfc82

SHA256
b37a38b8adc8e56c5db083401bc6c73de8a9e01ad9e1b76ea0e83128061bc2db

SHA512
40df672c9b4888b26f24fe98f517286a5c2a223cfdf74d3b2ea85d9c79fcd6c32e5fd29947c8ed990dcfaa1f0e4c692bc2780c731a3feb81ae37f0978c7add2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
594KB

MD5
8078ae2fd68b53796221145e3574e6cf

SHA1
72be27a2c73586dd7edf74e52e35428e5b69d720

SHA256
f3eabe09d150a376b4572cb2aa22df329deb82c123a7fdc68013f5ffb3f4ce09

SHA512
f433400fb67edd1e7a6a65f9f30421dbf8c423836c74d7a7c9f9395698b9a31b0e5cd344070591b8f136752dddb994c0c27fd6eec195f57bb11d4729980fcc77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
776KB

MD5
182ed6bc229bf986e85ef2d3a1835f65

SHA1
32630e6395d4789466bed9e925752bd0fb43df6e

SHA256
3ed3c2104add4b618f9dbc9a0c58b2fc24653ef5a7e355d1772ed219697b06cc

SHA512
e5fef486880d18bd7302fd484428b12c993dd5fe26b9e6e9f59ebaa9d2068925531bdeb3c22a279caf1514d5a15bb9ce8e37a6782e3288a126f4b1f7be25b9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
958KB

MD5
910a62d829d06a9f07ca16742677123a

SHA1
1010e850150589a93ac16e3e7b02cd4da62a41ea

SHA256
7fef7ebcd78d7538732ba00e64ce92a484cdaf7a729666c5c481c52d4a3d91b2

SHA512
6b3f6d14d0fc3883c71c40790b7d56a869ab0067ab35e15dbbe26f952c59d68687ba8d742988582fd818024f056f01146206d965c9b8f2175973e011b12dc955

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.1MB

MD5
310d69212e366d1fb21bc985ef153436

SHA1
49f47a67b5183afbf27ad5d311bf3283c35a1a08

SHA256
fcf4061d609b2f63beb3c0f5cec18e50b515a963d34e9386866a10e1bdc24d14

SHA512
dac21f8940a2e74f2573b89136d24d7dc876b08dbe638dea6b7e5dd0a63a6766d03da5a6beaa4f7921cbb2eed7beb16d663ba51793bad4a894e4f9e97d761754

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.3MB

MD5
9e0dc559bf5cd0bc1c8b6ae04a4bbb6e

SHA1
77bbb6c1af40b2df749d7ef6edab1a400b09798f

SHA256
a5632d74bc17ae305460ee22159c776f1bde375904b68524315fb211393d7dd8

SHA512
6bc11dac35e746e2309bbd3a7d8d24e503f5672ebcda7c786a62cd40b426fa3669ff27c7284054582bedcf4b6d5c6a21399e179daf39e8f90f0dd324c72019da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
1.5MB

MD5
c95690b4c7eea8bb91bb570a968d3aea

SHA1
b801be8e761f481b8b0df154ae1b4c243343207f

SHA256
96f791ebf8cabd778695647a750ef27895efbe39bdcd3b205d03d02ce6052007

SHA512
81a0260ee478d5bdca2127426f22445652f9aa498a7a27ffabcb3e59e34eda6e8cabef6e7cf54f000697f4ab2d82aae672671a8a97a1d292506e5435bb9ec8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
182KB

MD5
dead2ffac3b4658408e794edf03b25ed

SHA1
e3db322b1a8f7f511dc3883b311247fc93be8835

SHA256
cc7ea5165e632daedc30e8024ff2eba8d08729da5b71e7b7e46163f60b8f7d80

SHA512
1273304e7d0ab0737612a249a9ccfa329af594205ec18cf7d5bc413aaea4f086bc3b5b2003c7391b84a25ee161272b16cc3a60e48a113ce012fbdbd663cc7adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
182KB

MD5
dead2ffac3b4658408e794edf03b25ed

SHA1
e3db322b1a8f7f511dc3883b311247fc93be8835

SHA256
cc7ea5165e632daedc30e8024ff2eba8d08729da5b71e7b7e46163f60b8f7d80

SHA512
1273304e7d0ab0737612a249a9ccfa329af594205ec18cf7d5bc413aaea4f086bc3b5b2003c7391b84a25ee161272b16cc3a60e48a113ce012fbdbd663cc7adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
182KB

MD5
dead2ffac3b4658408e794edf03b25ed

SHA1
e3db322b1a8f7f511dc3883b311247fc93be8835

SHA256
cc7ea5165e632daedc30e8024ff2eba8d08729da5b71e7b7e46163f60b8f7d80

SHA512
1273304e7d0ab0737612a249a9ccfa329af594205ec18cf7d5bc413aaea4f086bc3b5b2003c7391b84a25ee161272b16cc3a60e48a113ce012fbdbd663cc7adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
182KB

MD5
dead2ffac3b4658408e794edf03b25ed

SHA1
e3db322b1a8f7f511dc3883b311247fc93be8835

SHA256
cc7ea5165e632daedc30e8024ff2eba8d08729da5b71e7b7e46163f60b8f7d80

SHA512
1273304e7d0ab0737612a249a9ccfa329af594205ec18cf7d5bc413aaea4f086bc3b5b2003c7391b84a25ee161272b16cc3a60e48a113ce012fbdbd663cc7adb

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
6d7a78ec09068987a6bec39d91fa2997

SHA1
e74ad929b10ad126cab230e0ea5ec239cbeaf12b

SHA256
d87abc4daf79735e1afda9ba17e27ca3e8c8775af50c18e67579da6384da53c6

SHA512
e912df74b128cb69c204fe6395f2237f7b2f240642312a66ff4e89004ac7736125155078e47591b26e686ec4f09d25bc4cf1575cc590bffe587962c02fa8e395

Download Submit
C:\Windows\hosts.exe

Filesize
182KB

MD5
d0f7934f1df02d097d2a7ca9413dec89

SHA1
277b61f912cbec6b8cb110567b9cf01b7aef8810

SHA256
47d8cf5ebd983d5978991871a411cab0e11676059aee2362708b389843ffa8d6

SHA512
7869fc0bd2c31f0058e7c3519c7dc8a0938470a475280bd6d874a388075599f5e5439e363a3c4893278dadd3218adfed18f03abff98ea52cf19cd015e6140fa7

Download Submit
C:\Windows\hosts.exe

Filesize
182KB

MD5
d0f7934f1df02d097d2a7ca9413dec89

SHA1
277b61f912cbec6b8cb110567b9cf01b7aef8810

SHA256
47d8cf5ebd983d5978991871a411cab0e11676059aee2362708b389843ffa8d6

SHA512
7869fc0bd2c31f0058e7c3519c7dc8a0938470a475280bd6d874a388075599f5e5439e363a3c4893278dadd3218adfed18f03abff98ea52cf19cd015e6140fa7

Download Submit
C:\Windows\hosts.exe

Filesize
182KB

MD5
d0f7934f1df02d097d2a7ca9413dec89

SHA1
277b61f912cbec6b8cb110567b9cf01b7aef8810

SHA256
47d8cf5ebd983d5978991871a411cab0e11676059aee2362708b389843ffa8d6

SHA512
7869fc0bd2c31f0058e7c3519c7dc8a0938470a475280bd6d874a388075599f5e5439e363a3c4893278dadd3218adfed18f03abff98ea52cf19cd015e6140fa7

Download Submit
C:\Windows\hosts.exe

Filesize
182KB

MD5
d0f7934f1df02d097d2a7ca9413dec89

SHA1
277b61f912cbec6b8cb110567b9cf01b7aef8810

SHA256
47d8cf5ebd983d5978991871a411cab0e11676059aee2362708b389843ffa8d6

SHA512
7869fc0bd2c31f0058e7c3519c7dc8a0938470a475280bd6d874a388075599f5e5439e363a3c4893278dadd3218adfed18f03abff98ea52cf19cd015e6140fa7

Download Submit
C:\windows\hosts.exe

Filesize
182KB

MD5
d0f7934f1df02d097d2a7ca9413dec89

SHA1
277b61f912cbec6b8cb110567b9cf01b7aef8810

SHA256
47d8cf5ebd983d5978991871a411cab0e11676059aee2362708b389843ffa8d6

SHA512
7869fc0bd2c31f0058e7c3519c7dc8a0938470a475280bd6d874a388075599f5e5439e363a3c4893278dadd3218adfed18f03abff98ea52cf19cd015e6140fa7

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
182KB

MD5
dead2ffac3b4658408e794edf03b25ed

SHA1
e3db322b1a8f7f511dc3883b311247fc93be8835

SHA256
cc7ea5165e632daedc30e8024ff2eba8d08729da5b71e7b7e46163f60b8f7d80

SHA512
1273304e7d0ab0737612a249a9ccfa329af594205ec18cf7d5bc413aaea4f086bc3b5b2003c7391b84a25ee161272b16cc3a60e48a113ce012fbdbd663cc7adb

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
182KB

MD5
dead2ffac3b4658408e794edf03b25ed

SHA1
e3db322b1a8f7f511dc3883b311247fc93be8835

SHA256
cc7ea5165e632daedc30e8024ff2eba8d08729da5b71e7b7e46163f60b8f7d80

SHA512
1273304e7d0ab0737612a249a9ccfa329af594205ec18cf7d5bc413aaea4f086bc3b5b2003c7391b84a25ee161272b16cc3a60e48a113ce012fbdbd663cc7adb

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
182KB

MD5
dead2ffac3b4658408e794edf03b25ed

SHA1
e3db322b1a8f7f511dc3883b311247fc93be8835

SHA256
cc7ea5165e632daedc30e8024ff2eba8d08729da5b71e7b7e46163f60b8f7d80

SHA512
1273304e7d0ab0737612a249a9ccfa329af594205ec18cf7d5bc413aaea4f086bc3b5b2003c7391b84a25ee161272b16cc3a60e48a113ce012fbdbd663cc7adb

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
182KB

MD5
dead2ffac3b4658408e794edf03b25ed

SHA1
e3db322b1a8f7f511dc3883b311247fc93be8835

SHA256
cc7ea5165e632daedc30e8024ff2eba8d08729da5b71e7b7e46163f60b8f7d80

SHA512
1273304e7d0ab0737612a249a9ccfa329af594205ec18cf7d5bc413aaea4f086bc3b5b2003c7391b84a25ee161272b16cc3a60e48a113ce012fbdbd663cc7adb

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
182KB

MD5
dead2ffac3b4658408e794edf03b25ed

SHA1
e3db322b1a8f7f511dc3883b311247fc93be8835

SHA256
cc7ea5165e632daedc30e8024ff2eba8d08729da5b71e7b7e46163f60b8f7d80

SHA512
1273304e7d0ab0737612a249a9ccfa329af594205ec18cf7d5bc413aaea4f086bc3b5b2003c7391b84a25ee161272b16cc3a60e48a113ce012fbdbd663cc7adb

Download Submit
memory/660-116-0x0000000000000000-mapping.dmp

Download
memory/768-76-0x0000000000000000-mapping.dmp

Download
memory/796-74-0x0000000000000000-mapping.dmp

Download
memory/832-58-0x00000000742A1000-0x00000000742A3000-memory.dmp

Filesize
8KB

Download
memory/832-56-0x0000000075291000-0x0000000075293000-memory.dmp

Filesize
8KB

Download
memory/860-114-0x0000000000000000-mapping.dmp

Download
memory/916-73-0x0000000000000000-mapping.dmp

Download
memory/964-78-0x0000000000000000-mapping.dmp

Download
memory/1092-112-0x0000000000000000-mapping.dmp

Download
memory/1324-95-0x0000000000000000-mapping.dmp

Download
memory/1468-87-0x0000000000000000-mapping.dmp

Download
memory/1524-106-0x0000000000000000-mapping.dmp

Download
memory/1556-101-0x0000000000000000-mapping.dmp

Download
memory/1612-108-0x0000000000000000-mapping.dmp

Download
memory/1620-118-0x0000000000000000-mapping.dmp

Download
memory/1648-121-0x0000000000000000-mapping.dmp

Download
memory/1660-90-0x0000000000000000-mapping.dmp

Download
memory/1736-68-0x0000000000000000-mapping.dmp

Download
memory/1744-61-0x0000000000000000-mapping.dmp

Download
memory/1836-102-0x0000000000000000-mapping.dmp

Download
memory/1968-96-0x0000000000000000-mapping.dmp

Download
memory/2032-57-0x0000000000000000-mapping.dmp

Download
memory/2036-110-0x0000000000000000-mapping.dmp

Download