6978cca5313d7108e115c9c31bc11b0649ab159b8c6dbf48790bf0e9221dfd5f

Analysis

max time kernel
123s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 22:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

522180e84817741a0c25656cf714d660_NeikiAnalytics.exe
Size

7.4MB
MD5

522180e84817741a0c25656cf714d660
SHA1

45a74571ac938fcb21b38d786d7bfb8294f91de7
SHA256

6978cca5313d7108e115c9c31bc11b0649ab159b8c6dbf48790bf0e9221dfd5f
SHA512

47b5c70650ea79f5b8fff095a47256afbe1fe3ed44e33d63cafbb3eac02db3391c85e690176804cfe69211713edf93a89adec85ee1b087bbe5e3bb4127478119
SSDEEP

196608:gMmD2mDc2mDMmD2mDe2mDMmD2mDc2mDMmD2mDe2mDMmD2mDc2mDMmD2mDe2mDMmA:5

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

hosts.exe522180e84817741a0c25656cf714d660_NeikiAnalytics.exeavscan.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	522180e84817741a0c25656cf714d660_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

522180e84817741a0c25656cf714d660_NeikiAnalytics.exeavscan.exehosts.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	522180e84817741a0c25656cf714d660_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WScript.exeWScript.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\PUMARTNR = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\PUMARTNR = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\PUMARTNR = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

Processes:

avscan.exeavscan.exehosts.exehosts.exeavscan.exehosts.exe

pid process

2440 avscan.exe
2608 avscan.exe
1280 hosts.exe
2632 hosts.exe
2540 avscan.exe
2240 hosts.exe

pid	process
2440	avscan.exe
2608	avscan.exe
1280	hosts.exe
2632	hosts.exe
2540	avscan.exe
2240	hosts.exe

Loads dropped DLL 5 IoCs

Processes:

522180e84817741a0c25656cf714d660_NeikiAnalytics.exeavscan.exehosts.exe

pid	process
2416	522180e84817741a0c25656cf714d660_NeikiAnalytics.exe
2416	522180e84817741a0c25656cf714d660_NeikiAnalytics.exe
2440	avscan.exe
1280	hosts.exe
1280	hosts.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

522180e84817741a0c25656cf714d660_NeikiAnalytics.exeavscan.exehosts.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	522180e84817741a0c25656cf714d660_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe

Drops file in Windows directory 5 IoCs

Processes:

avscan.exehosts.exe522180e84817741a0c25656cf714d660_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	522180e84817741a0c25656cf714d660_NeikiAnalytics.exe
File created	\??\c:\windows\W_X_C.bat	522180e84817741a0c25656cf714d660_NeikiAnalytics.exe
File opened for modification	C:\Windows\hosts.exe	522180e84817741a0c25656cf714d660_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

REG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exe

pid process

2496 REG.exe
1660 REG.exe
2880 REG.exe
1288 REG.exe
1672 REG.exe
988 REG.exe
1484 REG.exe
2832 REG.exe
936 REG.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

avscan.exehosts.exe

pid process

2440 avscan.exe
1280 hosts.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

522180e84817741a0c25656cf714d660_NeikiAnalytics.exeavscan.exeavscan.exehosts.exehosts.exeavscan.exehosts.exe

pid process

2416 522180e84817741a0c25656cf714d660_NeikiAnalytics.exe
2440 avscan.exe
2608 avscan.exe
1280 hosts.exe
2632 hosts.exe
2540 avscan.exe
2240 hosts.exe

pid	process
2496	REG.exe
1660	REG.exe
2880	REG.exe
1288	REG.exe
1672	REG.exe
988	REG.exe
1484	REG.exe
2832	REG.exe
936	REG.exe

pid	process
2440	avscan.exe
1280	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

522180e84817741a0c25656cf714d660_NeikiAnalytics.exeavscan.execmd.execmd.exehosts.execmd.exe

description	pid	process	target process
PID 2416 wrote to memory of 1288	2416	522180e84817741a0c25656cf714d660_NeikiAnalytics.exe	REG.exe
PID 2416 wrote to memory of 1288	2416	522180e84817741a0c25656cf714d660_NeikiAnalytics.exe	REG.exe
PID 2416 wrote to memory of 1288	2416	522180e84817741a0c25656cf714d660_NeikiAnalytics.exe	REG.exe
PID 2416 wrote to memory of 1288	2416	522180e84817741a0c25656cf714d660_NeikiAnalytics.exe	REG.exe
PID 2416 wrote to memory of 2440	2416	522180e84817741a0c25656cf714d660_NeikiAnalytics.exe	avscan.exe
PID 2416 wrote to memory of 2440	2416	522180e84817741a0c25656cf714d660_NeikiAnalytics.exe	avscan.exe
PID 2416 wrote to memory of 2440	2416	522180e84817741a0c25656cf714d660_NeikiAnalytics.exe	avscan.exe
PID 2416 wrote to memory of 2440	2416	522180e84817741a0c25656cf714d660_NeikiAnalytics.exe	avscan.exe
PID 2440 wrote to memory of 2608	2440	avscan.exe	avscan.exe
PID 2440 wrote to memory of 2608	2440	avscan.exe	avscan.exe
PID 2440 wrote to memory of 2608	2440	avscan.exe	avscan.exe
PID 2440 wrote to memory of 2608	2440	avscan.exe	avscan.exe
PID 2440 wrote to memory of 2740	2440	avscan.exe	cmd.exe
PID 2440 wrote to memory of 2740	2440	avscan.exe	cmd.exe
PID 2440 wrote to memory of 2740	2440	avscan.exe	cmd.exe
PID 2440 wrote to memory of 2740	2440	avscan.exe	cmd.exe
PID 2416 wrote to memory of 2876	2416	522180e84817741a0c25656cf714d660_NeikiAnalytics.exe	cmd.exe
PID 2416 wrote to memory of 2876	2416	522180e84817741a0c25656cf714d660_NeikiAnalytics.exe	cmd.exe
PID 2416 wrote to memory of 2876	2416	522180e84817741a0c25656cf714d660_NeikiAnalytics.exe	cmd.exe
PID 2416 wrote to memory of 2876	2416	522180e84817741a0c25656cf714d660_NeikiAnalytics.exe	cmd.exe
PID 2876 wrote to memory of 1280	2876	cmd.exe	hosts.exe
PID 2876 wrote to memory of 1280	2876	cmd.exe	hosts.exe
PID 2876 wrote to memory of 1280	2876	cmd.exe	hosts.exe
PID 2876 wrote to memory of 1280	2876	cmd.exe	hosts.exe
PID 2740 wrote to memory of 2632	2740	cmd.exe	hosts.exe
PID 2740 wrote to memory of 2632	2740	cmd.exe	hosts.exe
PID 2740 wrote to memory of 2632	2740	cmd.exe	hosts.exe
PID 2740 wrote to memory of 2632	2740	cmd.exe	hosts.exe
PID 1280 wrote to memory of 2540	1280	hosts.exe	avscan.exe
PID 1280 wrote to memory of 2540	1280	hosts.exe	avscan.exe
PID 1280 wrote to memory of 2540	1280	hosts.exe	avscan.exe
PID 1280 wrote to memory of 2540	1280	hosts.exe	avscan.exe
PID 1280 wrote to memory of 2572	1280	hosts.exe	cmd.exe
PID 1280 wrote to memory of 2572	1280	hosts.exe	cmd.exe
PID 1280 wrote to memory of 2572	1280	hosts.exe	cmd.exe
PID 1280 wrote to memory of 2572	1280	hosts.exe	cmd.exe
PID 2572 wrote to memory of 2240	2572	cmd.exe	hosts.exe
PID 2572 wrote to memory of 2240	2572	cmd.exe	hosts.exe
PID 2572 wrote to memory of 2240	2572	cmd.exe	hosts.exe
PID 2572 wrote to memory of 2240	2572	cmd.exe	hosts.exe
PID 2572 wrote to memory of 1796	2572	cmd.exe	WScript.exe
PID 2572 wrote to memory of 1796	2572	cmd.exe	WScript.exe
PID 2572 wrote to memory of 1796	2572	cmd.exe	WScript.exe
PID 2572 wrote to memory of 1796	2572	cmd.exe	WScript.exe
PID 2876 wrote to memory of 1696	2876	cmd.exe	WScript.exe
PID 2876 wrote to memory of 1696	2876	cmd.exe	WScript.exe
PID 2876 wrote to memory of 1696	2876	cmd.exe	WScript.exe
PID 2876 wrote to memory of 1696	2876	cmd.exe	WScript.exe
PID 2740 wrote to memory of 1972	2740	cmd.exe	WScript.exe
PID 2740 wrote to memory of 1972	2740	cmd.exe	WScript.exe
PID 2740 wrote to memory of 1972	2740	cmd.exe	WScript.exe
PID 2740 wrote to memory of 1972	2740	cmd.exe	WScript.exe
PID 2440 wrote to memory of 1672	2440	avscan.exe	REG.exe
PID 2440 wrote to memory of 1672	2440	avscan.exe	REG.exe
PID 2440 wrote to memory of 1672	2440	avscan.exe	REG.exe
PID 2440 wrote to memory of 1672	2440	avscan.exe	REG.exe
PID 1280 wrote to memory of 2832	1280	hosts.exe	REG.exe
PID 1280 wrote to memory of 2832	1280	hosts.exe	REG.exe
PID 1280 wrote to memory of 2832	1280	hosts.exe	REG.exe
PID 1280 wrote to memory of 2832	1280	hosts.exe	REG.exe
PID 2440 wrote to memory of 988	2440	avscan.exe	REG.exe
PID 2440 wrote to memory of 988	2440	avscan.exe	REG.exe
PID 2440 wrote to memory of 988	2440	avscan.exe	REG.exe
PID 2440 wrote to memory of 988	2440	avscan.exe	REG.exe

C:\Users\Admin\AppData\Local\Temp\522180e84817741a0c25656cf714d660_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\522180e84817741a0c25656cf714d660_NeikiAnalytics.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
2⤵
- Modifies registry key
PID:1288

C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2440

C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2608

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:2740

C:\windows\hosts.exe
C:\windows\hosts.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2632

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
4⤵
- Adds policy Run key to start application
PID:1972

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
PID:1672

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
PID:988

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
PID:2496

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
PID:936

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2876

C:\windows\hosts.exe
C:\windows\hosts.exe
3⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2540

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:2572

C:\windows\hosts.exe
C:\windows\hosts.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2240

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
5⤵
- Adds policy Run key to start application
PID:1796

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
4⤵
- Modifies registry key
PID:2832

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
4⤵
- Modifies registry key
PID:1484

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
4⤵
- Modifies registry key
PID:1660

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
4⤵
- Modifies registry key
PID:2880

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
3⤵
- Adds policy Run key to start application
PID:1696

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp
Filesize
14.8MB

MD5
e0d45e215d52cfee1789563a18f03f25

SHA1
598fd3748c38285729e016264f7d892664c40e3e

SHA256
e594185f99fc97cc74480ca0493722b1c2b6b9a79ea7c13f5d5031579688e856

SHA512
57c5c2fb31a71ab1fd418cd3db1491651cf700a0000b68d89eaa0388ce6d52852c1c2a6f8cd0292b494e2b007ee5a9d635fd33d0e7ab3d10da214d5927b6606e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
Filesize
22.2MB

MD5
fe286700fbdf815922f710bc0f874e75

SHA1
fc72cdf46e42c9276be28ed2e67e71e703cf6418

SHA256
923e8af3dc6406c31e96b1fdef9fff7d0c4d35d6efe7d43e1fd319d4cedc26b9

SHA512
b5d9606fbd9ed04d26d59fbedb97ee4a9788e647ccfc1aa80bb9df4c48f99b0e254557e30c5a2f43e43355b5b1bb13a5ffbccf97c3653105929d18d6b54b87de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
Filesize
29.6MB

MD5
67c572605b07260aca3d55170b8b0622

SHA1
5e609a9e8113f880fae4dba5d9c7ee156c0f71ef

SHA256
3f8af11db1a71be1a316bea3766a95ef4a2eb061d5327ace39e85c9340a540fa

SHA512
0529a2dae3dd1cb9d15eac4996832d8c7571f0e57616527b83010dabe1c50e7fe9f134b5b97727c01416b2570639f4a5f321de42952c46aab502c32609bd0960

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
Filesize
37.0MB

MD5
d280cb88478dde1fc1f85ad94d122e53

SHA1
6ae369782fa20d02d3984b618e9c77ebdc11cc40

SHA256
088dc1ce607b6743bdac253aa4fcee1c46902422e0dd5f7c84f83b44ab0a2006

SHA512
fc79c4b5f971d1198691a257f57e0e112f6f3dcc8e531442763fc9ba4f69701ab11bc41fd89a3d0935c1d1ae59258613c38b11124296fd9f40ce97091a22dcb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
Filesize
44.4MB

MD5
e328c8439852f22f06cf95091d920791

SHA1
fcd8c774292f9675caa434dae3a2a54706b7bb63

SHA256
5ed162e4ea531ff9cf11d85dc00865fdd96ce4c8f9d81c84756f2890eabed2b1

SHA512
d2669ff37a2ff87839fd806cc96df91a094a9c7d4da90f5703d0359ed1e1844a53f99b788c2349487bf9f85dcaae1a932196fd92b171c77feaa5a2b146148a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
Filesize
51.8MB

MD5
135393370e55a53ee5ff80ee9452aa9f

SHA1
c036cdc2df762e69ea41b3fbcd7c8bd5c4025867

SHA256
40e99073e1071782702acd137d406d0e874953f79a37d51033d16c480f2052e8

SHA512
35afd76fb50924e72ce6bb5f2d9ac53167a985a5159116d547254ac0b2e5078a0b1b199017d99e0acdcfc1123aebeb9661f9e8beb86279023a5ebac0d9a90259

Download Submit
C:\Windows\W_X_C.vbs
Filesize
195B

MD5
2df57aa4500f46404a04cee9c40b1d64

SHA1
7cd4269994ddf8cc7a2de4b7ad1efcee00355501

SHA256
a65ee8d770c67855f508271036ab2d35394ce6cecd0e6d31b7be17bf8c6f0749

SHA512
eb205a059c086f048035ef6f21de8af577c482c9f6724f6ef991b44528a1a57939064d1930c72ba0a399004378671ac7c62634066240d9dfe168a1c73b51ec38

Download Submit
C:\Windows\hosts.exe
Filesize
7.4MB

MD5
2dc04e94078c9c513fb3d3c1ff6902b7

SHA1
b1925ea099a021df43380dd39bbaebc0c8b429a9

SHA256
ed46c3b93e0f162a361a8e2b1317037f327d1c839a0fad180852336a2bb3a222

SHA512
ef97c2fd164c9d8ea5c25a15d044f2683d5742a3607c0607bd964a5a35bc24b11f67ff7165476c673d5f402a8f02bd4e8e7828ec42b527ae0371fc2f02756393

Download Submit
\??\c:\windows\W_X_C.bat
Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe
Filesize
7.4MB

MD5
13742e91b0756b3745aa52cbc4e536d5

SHA1
8d97d2aa0a817ea3391a91af4bc957b2f9b6b745

SHA256
7bd3486cb637eccb29d01ebc65774465c220769ba91ea3efdf67c3f217d05919

SHA512
d2f7fb05de642906a280b3e7cad8da33fd505dc049fcc9b486d9916a282cfe8ab78edd9e7d45243943eebab6b5479ac901381651c7fcf9c95d0373a6f72bb239

Download Submit
memory/2240-75-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2240-74-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads