1d0f660959abdd07b7f4002a77e2c33424513fb47fbad7be27f24ee689644c21

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d0f660959abdd07b7f4002a77e2c33424513fb47fbad7be27f24ee689644c21.exe
Size

339KB
MD5

539c64d71bc9395464850b6183ef641a
SHA1

c09da93b232d660f3d7554a257fefdc8be4678de
SHA256

1d0f660959abdd07b7f4002a77e2c33424513fb47fbad7be27f24ee689644c21
SHA512

b3158d308916e4dbbeeb9019faff7790c2630a95e69f898d5f3ff0ef021750130e681f26c5acd29914abf9b06732785d3f8518e42623d137b707e5c21cbd2005
SSDEEP

3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCm/DER4eQwbpDCw1p3vmLvsZIaVwiwDcIbDO:gDCwfG1bnxLERR7DCwfG1bnxLERR3

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

1d0f660959abdd07b7f4002a77e2c33424513fb47fbad7be27f24ee689644c21.exeavscan.exehosts.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	1d0f660959abdd07b7f4002a77e2c33424513fb47fbad7be27f24ee689644c21.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

hosts.exe1d0f660959abdd07b7f4002a77e2c33424513fb47fbad7be27f24ee689644c21.exeavscan.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	1d0f660959abdd07b7f4002a77e2c33424513fb47fbad7be27f24ee689644c21.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exeWScript.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GBQHURCC = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GBQHURCC = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\GBQHURCC = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

Processes:

avscan.exeavscan.exehosts.exehosts.exeavscan.exehosts.exe

pid process

4600 avscan.exe
4500 avscan.exe
4380 hosts.exe
1460 hosts.exe
5088 avscan.exe
2188 hosts.exe

pid	process
4600	avscan.exe
4500	avscan.exe
4380	hosts.exe
1460	hosts.exe
5088	avscan.exe
2188	hosts.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.execmd.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cmd.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1d0f660959abdd07b7f4002a77e2c33424513fb47fbad7be27f24ee689644c21.exeavscan.exehosts.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	1d0f660959abdd07b7f4002a77e2c33424513fb47fbad7be27f24ee689644c21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	1d0f660959abdd07b7f4002a77e2c33424513fb47fbad7be27f24ee689644c21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe

Drops file in Windows directory 5 IoCs

Processes:

avscan.exehosts.exe1d0f660959abdd07b7f4002a77e2c33424513fb47fbad7be27f24ee689644c21.exe

description	ioc	process
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	1d0f660959abdd07b7f4002a77e2c33424513fb47fbad7be27f24ee689644c21.exe
File created	\??\c:\windows\W_X_C.bat	1d0f660959abdd07b7f4002a77e2c33424513fb47fbad7be27f24ee689644c21.exe
File opened for modification	C:\Windows\hosts.exe	1d0f660959abdd07b7f4002a77e2c33424513fb47fbad7be27f24ee689644c21.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 4 IoCs

Processes:

cmd.execmd.execmd.exe1d0f660959abdd07b7f4002a77e2c33424513fb47fbad7be27f24ee689644c21.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	1d0f660959abdd07b7f4002a77e2c33424513fb47fbad7be27f24ee689644c21.exe

Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

REG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exe

pid process

2348 REG.exe
2056 REG.exe
1964 REG.exe
3016 REG.exe
1824 REG.exe
4220 REG.exe
2692 REG.exe
3436 REG.exe
4500 REG.exe
Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

1d0f660959abdd07b7f4002a77e2c33424513fb47fbad7be27f24ee689644c21.exeavscan.exehosts.exe

pid process

4320 1d0f660959abdd07b7f4002a77e2c33424513fb47fbad7be27f24ee689644c21.exe
4600 avscan.exe
4380 hosts.exe

pid	process
2348	REG.exe
2056	REG.exe
1964	REG.exe
3016	REG.exe
1824	REG.exe
4220	REG.exe
2692	REG.exe
3436	REG.exe
4500	REG.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

1d0f660959abdd07b7f4002a77e2c33424513fb47fbad7be27f24ee689644c21.exeavscan.exeavscan.exehosts.exehosts.exeavscan.exehosts.exe

pid	process
4320	1d0f660959abdd07b7f4002a77e2c33424513fb47fbad7be27f24ee689644c21.exe
4600	avscan.exe
4500	avscan.exe
4380	hosts.exe
1460	hosts.exe
5088	avscan.exe
2188	hosts.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

1d0f660959abdd07b7f4002a77e2c33424513fb47fbad7be27f24ee689644c21.exeavscan.execmd.execmd.exehosts.execmd.exe

description	pid	process	target process
PID 4320 wrote to memory of 2056	4320	1d0f660959abdd07b7f4002a77e2c33424513fb47fbad7be27f24ee689644c21.exe	REG.exe
PID 4320 wrote to memory of 2056	4320	1d0f660959abdd07b7f4002a77e2c33424513fb47fbad7be27f24ee689644c21.exe	REG.exe
PID 4320 wrote to memory of 2056	4320	1d0f660959abdd07b7f4002a77e2c33424513fb47fbad7be27f24ee689644c21.exe	REG.exe
PID 4320 wrote to memory of 4600	4320	1d0f660959abdd07b7f4002a77e2c33424513fb47fbad7be27f24ee689644c21.exe	avscan.exe
PID 4320 wrote to memory of 4600	4320	1d0f660959abdd07b7f4002a77e2c33424513fb47fbad7be27f24ee689644c21.exe	avscan.exe
PID 4320 wrote to memory of 4600	4320	1d0f660959abdd07b7f4002a77e2c33424513fb47fbad7be27f24ee689644c21.exe	avscan.exe
PID 4600 wrote to memory of 4500	4600	avscan.exe	avscan.exe
PID 4600 wrote to memory of 4500	4600	avscan.exe	avscan.exe
PID 4600 wrote to memory of 4500	4600	avscan.exe	avscan.exe
PID 4600 wrote to memory of 3144	4600	avscan.exe	cmd.exe
PID 4600 wrote to memory of 3144	4600	avscan.exe	cmd.exe
PID 4600 wrote to memory of 3144	4600	avscan.exe	cmd.exe
PID 4320 wrote to memory of 4300	4320	1d0f660959abdd07b7f4002a77e2c33424513fb47fbad7be27f24ee689644c21.exe	cmd.exe
PID 4320 wrote to memory of 4300	4320	1d0f660959abdd07b7f4002a77e2c33424513fb47fbad7be27f24ee689644c21.exe	cmd.exe
PID 4320 wrote to memory of 4300	4320	1d0f660959abdd07b7f4002a77e2c33424513fb47fbad7be27f24ee689644c21.exe	cmd.exe
PID 3144 wrote to memory of 4380	3144	cmd.exe	hosts.exe
PID 3144 wrote to memory of 4380	3144	cmd.exe	hosts.exe
PID 3144 wrote to memory of 4380	3144	cmd.exe	hosts.exe
PID 4300 wrote to memory of 1460	4300	cmd.exe	hosts.exe
PID 4300 wrote to memory of 1460	4300	cmd.exe	hosts.exe
PID 4300 wrote to memory of 1460	4300	cmd.exe	hosts.exe
PID 4380 wrote to memory of 5088	4380	hosts.exe	avscan.exe
PID 4380 wrote to memory of 5088	4380	hosts.exe	avscan.exe
PID 4380 wrote to memory of 5088	4380	hosts.exe	avscan.exe
PID 4380 wrote to memory of 2588	4380	hosts.exe	cmd.exe
PID 4380 wrote to memory of 2588	4380	hosts.exe	cmd.exe
PID 4380 wrote to memory of 2588	4380	hosts.exe	cmd.exe
PID 4300 wrote to memory of 4732	4300	cmd.exe	WScript.exe
PID 4300 wrote to memory of 4732	4300	cmd.exe	WScript.exe
PID 4300 wrote to memory of 4732	4300	cmd.exe	WScript.exe
PID 3144 wrote to memory of 2640	3144	cmd.exe	WScript.exe
PID 3144 wrote to memory of 2640	3144	cmd.exe	WScript.exe
PID 3144 wrote to memory of 2640	3144	cmd.exe	WScript.exe
PID 2588 wrote to memory of 2188	2588	cmd.exe	hosts.exe
PID 2588 wrote to memory of 2188	2588	cmd.exe	hosts.exe
PID 2588 wrote to memory of 2188	2588	cmd.exe	hosts.exe
PID 2588 wrote to memory of 3728	2588	cmd.exe	WScript.exe
PID 2588 wrote to memory of 3728	2588	cmd.exe	WScript.exe
PID 2588 wrote to memory of 3728	2588	cmd.exe	WScript.exe
PID 4600 wrote to memory of 4220	4600	avscan.exe	REG.exe
PID 4600 wrote to memory of 4220	4600	avscan.exe	REG.exe
PID 4600 wrote to memory of 4220	4600	avscan.exe	REG.exe
PID 4380 wrote to memory of 1964	4380	hosts.exe	REG.exe
PID 4380 wrote to memory of 1964	4380	hosts.exe	REG.exe
PID 4380 wrote to memory of 1964	4380	hosts.exe	REG.exe
PID 4600 wrote to memory of 3016	4600	avscan.exe	REG.exe
PID 4600 wrote to memory of 3016	4600	avscan.exe	REG.exe
PID 4600 wrote to memory of 3016	4600	avscan.exe	REG.exe
PID 4380 wrote to memory of 2692	4380	hosts.exe	REG.exe
PID 4380 wrote to memory of 2692	4380	hosts.exe	REG.exe
PID 4380 wrote to memory of 2692	4380	hosts.exe	REG.exe
PID 4600 wrote to memory of 3436	4600	avscan.exe	REG.exe
PID 4600 wrote to memory of 3436	4600	avscan.exe	REG.exe
PID 4600 wrote to memory of 3436	4600	avscan.exe	REG.exe
PID 4380 wrote to memory of 1824	4380	hosts.exe	REG.exe
PID 4380 wrote to memory of 1824	4380	hosts.exe	REG.exe
PID 4380 wrote to memory of 1824	4380	hosts.exe	REG.exe
PID 4600 wrote to memory of 2348	4600	avscan.exe	REG.exe
PID 4600 wrote to memory of 2348	4600	avscan.exe	REG.exe
PID 4600 wrote to memory of 2348	4600	avscan.exe	REG.exe
PID 4380 wrote to memory of 4500	4380	hosts.exe	REG.exe
PID 4380 wrote to memory of 4500	4380	hosts.exe	REG.exe
PID 4380 wrote to memory of 4500	4380	hosts.exe	REG.exe

C:\Users\Admin\AppData\Local\Temp\1d0f660959abdd07b7f4002a77e2c33424513fb47fbad7be27f24ee689644c21.exe
"C:\Users\Admin\AppData\Local\Temp\1d0f660959abdd07b7f4002a77e2c33424513fb47fbad7be27f24ee689644c21.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4320

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
2⤵
- Modifies registry key
PID:2056

C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4600

C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
3⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3144

C:\windows\hosts.exe
C:\windows\hosts.exe
4⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4380

C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
5⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2588

C:\windows\hosts.exe
C:\windows\hosts.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2188

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
6⤵
- Adds policy Run key to start application
PID:3728

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
5⤵
- Modifies registry key
PID:1964

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
5⤵
- Modifies registry key
PID:2692

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
5⤵
- Modifies registry key
PID:1824

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
5⤵
- Modifies registry key
PID:4500

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
4⤵
- Adds policy Run key to start application
PID:2640

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
PID:4220

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
PID:3016

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
PID:3436

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
PID:2348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4300

C:\windows\hosts.exe
C:\windows\hosts.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1460

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
3⤵
- Adds policy Run key to start application
PID:4732

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\avscan.exe
Filesize
339KB

MD5
1fa155084cf1b751f102836e6a00f9bf

SHA1
b7868f35063ed6becdf80521026560e4b7309848

SHA256
af322b11ae42a6d32009012ffcaa2ff573d9e18bed56a18c5f58d14d5506e602

SHA512
3bdbcf01596856fb44ef2c3b38462cb870217cbb481a35d9173083c6380d826b33087c519eff251ed41c024c91d2a5a3054c6095100b3902732eb0c5496fd73f

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe
Filesize
339KB

MD5
1fa155084cf1b751f102836e6a00f9bf

SHA1
b7868f35063ed6becdf80521026560e4b7309848

SHA256
af322b11ae42a6d32009012ffcaa2ff573d9e18bed56a18c5f58d14d5506e602

SHA512
3bdbcf01596856fb44ef2c3b38462cb870217cbb481a35d9173083c6380d826b33087c519eff251ed41c024c91d2a5a3054c6095100b3902732eb0c5496fd73f

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe
Filesize
339KB

MD5
1fa155084cf1b751f102836e6a00f9bf

SHA1
b7868f35063ed6becdf80521026560e4b7309848

SHA256
af322b11ae42a6d32009012ffcaa2ff573d9e18bed56a18c5f58d14d5506e602

SHA512
3bdbcf01596856fb44ef2c3b38462cb870217cbb481a35d9173083c6380d826b33087c519eff251ed41c024c91d2a5a3054c6095100b3902732eb0c5496fd73f

Download Submit
C:\Users\Admin\AppData\Local\Temp\avscan.exe
Filesize
339KB

MD5
1fa155084cf1b751f102836e6a00f9bf

SHA1
b7868f35063ed6becdf80521026560e4b7309848

SHA256
af322b11ae42a6d32009012ffcaa2ff573d9e18bed56a18c5f58d14d5506e602

SHA512
3bdbcf01596856fb44ef2c3b38462cb870217cbb481a35d9173083c6380d826b33087c519eff251ed41c024c91d2a5a3054c6095100b3902732eb0c5496fd73f

Download Submit
C:\Windows\W_X_C.vbs
Filesize
195B

MD5
5b87381bf407d7c6018a8b11c3e20f92

SHA1
bb61b28d9c8fd7dfeb13a397c49a1be3abc06ca2

SHA256
4785d6a229d0872fe90c75ab620de9a680d7f07ccd27a134da2afc4ee88f34f3

SHA512
05db1178f671e9d6c3a1c601349093447b04ebddcd071a06f7cc92cbaf7efb53027bc92523a19372a08ca5af715cc9955649255f8be1909b5e594385b3dcbe3d

Download Submit
C:\Windows\hosts.exe
Filesize
339KB

MD5
7f0b5f5d0bea561c3bea108980e3b799

SHA1
14247ee6d9bf71de2457025c05920105d61314b1

SHA256
b64889edc7d55fb49e49f3c678e97114d922c0d0948a6af30c064b92003a98e7

SHA512
1e57cd6ef780b4052a8f8439130bee64778f74b3cd64882d56f3be765f474eb6ff23010430a372cad4df93d5b93cda35afad05c8c0d5735451011f2e992e1113

Download Submit
C:\Windows\hosts.exe
Filesize
339KB

MD5
7f0b5f5d0bea561c3bea108980e3b799

SHA1
14247ee6d9bf71de2457025c05920105d61314b1

SHA256
b64889edc7d55fb49e49f3c678e97114d922c0d0948a6af30c064b92003a98e7

SHA512
1e57cd6ef780b4052a8f8439130bee64778f74b3cd64882d56f3be765f474eb6ff23010430a372cad4df93d5b93cda35afad05c8c0d5735451011f2e992e1113

Download Submit
C:\Windows\hosts.exe
Filesize
339KB

MD5
7f0b5f5d0bea561c3bea108980e3b799

SHA1
14247ee6d9bf71de2457025c05920105d61314b1

SHA256
b64889edc7d55fb49e49f3c678e97114d922c0d0948a6af30c064b92003a98e7

SHA512
1e57cd6ef780b4052a8f8439130bee64778f74b3cd64882d56f3be765f474eb6ff23010430a372cad4df93d5b93cda35afad05c8c0d5735451011f2e992e1113

Download Submit
C:\Windows\hosts.exe
Filesize
339KB

MD5
7f0b5f5d0bea561c3bea108980e3b799

SHA1
14247ee6d9bf71de2457025c05920105d61314b1

SHA256
b64889edc7d55fb49e49f3c678e97114d922c0d0948a6af30c064b92003a98e7

SHA512
1e57cd6ef780b4052a8f8439130bee64778f74b3cd64882d56f3be765f474eb6ff23010430a372cad4df93d5b93cda35afad05c8c0d5735451011f2e992e1113

Download Submit
C:\windows\hosts.exe
Filesize
339KB

MD5
7f0b5f5d0bea561c3bea108980e3b799

SHA1
14247ee6d9bf71de2457025c05920105d61314b1

SHA256
b64889edc7d55fb49e49f3c678e97114d922c0d0948a6af30c064b92003a98e7

SHA512
1e57cd6ef780b4052a8f8439130bee64778f74b3cd64882d56f3be765f474eb6ff23010430a372cad4df93d5b93cda35afad05c8c0d5735451011f2e992e1113

Download Submit
\??\c:\windows\W_X_C.bat
Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
memory/1460-151-0x0000000000000000-mapping.dmp

Download
memory/1824-175-0x0000000000000000-mapping.dmp

Download
memory/1964-171-0x0000000000000000-mapping.dmp

Download
memory/2056-134-0x0000000000000000-mapping.dmp

Download
memory/2188-164-0x0000000000000000-mapping.dmp

Download
memory/2348-176-0x0000000000000000-mapping.dmp

Download
memory/2588-162-0x0000000000000000-mapping.dmp

Download
memory/2640-165-0x0000000000000000-mapping.dmp

Download
memory/2692-173-0x0000000000000000-mapping.dmp

Download
memory/3016-172-0x0000000000000000-mapping.dmp

Download
memory/3144-145-0x0000000000000000-mapping.dmp

Download
memory/3436-174-0x0000000000000000-mapping.dmp

Download
memory/3728-169-0x0000000000000000-mapping.dmp

Download
memory/4220-170-0x0000000000000000-mapping.dmp

Download
memory/4300-146-0x0000000000000000-mapping.dmp

Download
memory/4380-148-0x0000000000000000-mapping.dmp

Download
memory/4500-141-0x0000000000000000-mapping.dmp

Download
memory/4500-177-0x0000000000000000-mapping.dmp

Download
memory/4600-135-0x0000000000000000-mapping.dmp

Download
memory/4732-163-0x0000000000000000-mapping.dmp

Download
memory/5088-156-0x0000000000000000-mapping.dmp

Download