9adde015996141199f100d4601cc5be9765997170b9fcbb95a23e4b474a6ac30

Analysis

max time kernel
122s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 03:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe
Size

4.8MB
MD5

154fdd8d7a5ead17e65368304bef4670
SHA1

599d2f53163ea8aa76f48dffb34691f44a0c4608
SHA256

9adde015996141199f100d4601cc5be9765997170b9fcbb95a23e4b474a6ac30
SHA512

f88c55f9a4b98a46c15b25726f583c050f04dcd20ae9efb3589f82957f0360f3503130491c336480fdb32ef3d4507debe8881ca8e3a71b5376cdd49bd4290c9a
SSDEEP

98304:g2mDMmD2mDe2mDMmD2mDc2mDMmD2mDe2mDMmD2mDc2mDMmD2mDX:g2mDMmD2mDe2mDMmD2mDc2mDMmD2mDeW

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

avscan.exehosts.exe154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

hosts.exe154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exeavscan.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WScript.exeWScript.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\UOTHCPHQ = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\UOTHCPHQ = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\UOTHCPHQ = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

Processes:

avscan.exeavscan.exehosts.exehosts.exeavscan.exehosts.exe

pid process

2304 avscan.exe
2840 avscan.exe
2264 hosts.exe
2596 hosts.exe
1668 avscan.exe
2956 hosts.exe

pid	process
2304	avscan.exe
2840	avscan.exe
2264	hosts.exe
2596	hosts.exe
1668	avscan.exe
2956	hosts.exe

Loads dropped DLL 5 IoCs

Processes:

154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exeavscan.exehosts.exe

pid	process
2240	154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe
2240	154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe
2304	avscan.exe
2264	hosts.exe
2264	hosts.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

avscan.exehosts.exe154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe

Drops file in Windows directory 5 IoCs

Processes:

154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exeavscan.exehosts.exe

description	ioc	process
File created	C:\windows\W_X_C.vbs	154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe
File created	\??\c:\windows\W_X_C.bat	154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe
File opened for modification	C:\Windows\hosts.exe	154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

REG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exe

pid process

1084 REG.exe
884 REG.exe
2420 REG.exe
1812 REG.exe
1616 REG.exe
304 REG.exe
300 REG.exe
1488 REG.exe
2300 REG.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

avscan.exehosts.exe

pid process

2304 avscan.exe
2264 hosts.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exeavscan.exeavscan.exehosts.exehosts.exeavscan.exehosts.exe

pid process

2240 154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe
2304 avscan.exe
2840 avscan.exe
2264 hosts.exe
2596 hosts.exe
1668 avscan.exe
2956 hosts.exe

pid	process
1084	REG.exe
884	REG.exe
2420	REG.exe
1812	REG.exe
1616	REG.exe
304	REG.exe
300	REG.exe
1488	REG.exe
2300	REG.exe

pid	process
2304	avscan.exe
2264	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exeavscan.execmd.execmd.exehosts.execmd.exe

description	pid	process	target process
PID 2240 wrote to memory of 1084	2240	154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe	REG.exe
PID 2240 wrote to memory of 1084	2240	154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe	REG.exe
PID 2240 wrote to memory of 1084	2240	154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe	REG.exe
PID 2240 wrote to memory of 1084	2240	154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe	REG.exe
PID 2240 wrote to memory of 2304	2240	154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe	avscan.exe
PID 2240 wrote to memory of 2304	2240	154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe	avscan.exe
PID 2240 wrote to memory of 2304	2240	154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe	avscan.exe
PID 2240 wrote to memory of 2304	2240	154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe	avscan.exe
PID 2304 wrote to memory of 2840	2304	avscan.exe	avscan.exe
PID 2304 wrote to memory of 2840	2304	avscan.exe	avscan.exe
PID 2304 wrote to memory of 2840	2304	avscan.exe	avscan.exe
PID 2304 wrote to memory of 2840	2304	avscan.exe	avscan.exe
PID 2304 wrote to memory of 2708	2304	avscan.exe	cmd.exe
PID 2304 wrote to memory of 2708	2304	avscan.exe	cmd.exe
PID 2304 wrote to memory of 2708	2304	avscan.exe	cmd.exe
PID 2304 wrote to memory of 2708	2304	avscan.exe	cmd.exe
PID 2240 wrote to memory of 2676	2240	154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe	cmd.exe
PID 2240 wrote to memory of 2676	2240	154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe	cmd.exe
PID 2240 wrote to memory of 2676	2240	154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe	cmd.exe
PID 2240 wrote to memory of 2676	2240	154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe	cmd.exe
PID 2676 wrote to memory of 2596	2676	cmd.exe	hosts.exe
PID 2676 wrote to memory of 2596	2676	cmd.exe	hosts.exe
PID 2676 wrote to memory of 2596	2676	cmd.exe	hosts.exe
PID 2676 wrote to memory of 2596	2676	cmd.exe	hosts.exe
PID 2708 wrote to memory of 2264	2708	cmd.exe	hosts.exe
PID 2708 wrote to memory of 2264	2708	cmd.exe	hosts.exe
PID 2708 wrote to memory of 2264	2708	cmd.exe	hosts.exe
PID 2708 wrote to memory of 2264	2708	cmd.exe	hosts.exe
PID 2264 wrote to memory of 1668	2264	hosts.exe	avscan.exe
PID 2264 wrote to memory of 1668	2264	hosts.exe	avscan.exe
PID 2264 wrote to memory of 1668	2264	hosts.exe	avscan.exe
PID 2264 wrote to memory of 1668	2264	hosts.exe	avscan.exe
PID 2708 wrote to memory of 2800	2708	cmd.exe	WScript.exe
PID 2708 wrote to memory of 2800	2708	cmd.exe	WScript.exe
PID 2708 wrote to memory of 2800	2708	cmd.exe	WScript.exe
PID 2708 wrote to memory of 2800	2708	cmd.exe	WScript.exe
PID 2676 wrote to memory of 2832	2676	cmd.exe	WScript.exe
PID 2676 wrote to memory of 2832	2676	cmd.exe	WScript.exe
PID 2676 wrote to memory of 2832	2676	cmd.exe	WScript.exe
PID 2676 wrote to memory of 2832	2676	cmd.exe	WScript.exe
PID 2264 wrote to memory of 2804	2264	hosts.exe	cmd.exe
PID 2264 wrote to memory of 2804	2264	hosts.exe	cmd.exe
PID 2264 wrote to memory of 2804	2264	hosts.exe	cmd.exe
PID 2264 wrote to memory of 2804	2264	hosts.exe	cmd.exe
PID 2804 wrote to memory of 2956	2804	cmd.exe	hosts.exe
PID 2804 wrote to memory of 2956	2804	cmd.exe	hosts.exe
PID 2804 wrote to memory of 2956	2804	cmd.exe	hosts.exe
PID 2804 wrote to memory of 2956	2804	cmd.exe	hosts.exe
PID 2804 wrote to memory of 1040	2804	cmd.exe	WScript.exe
PID 2804 wrote to memory of 1040	2804	cmd.exe	WScript.exe
PID 2804 wrote to memory of 1040	2804	cmd.exe	WScript.exe
PID 2804 wrote to memory of 1040	2804	cmd.exe	WScript.exe
PID 2304 wrote to memory of 304	2304	avscan.exe	REG.exe
PID 2304 wrote to memory of 304	2304	avscan.exe	REG.exe
PID 2304 wrote to memory of 304	2304	avscan.exe	REG.exe
PID 2304 wrote to memory of 304	2304	avscan.exe	REG.exe
PID 2264 wrote to memory of 884	2264	hosts.exe	REG.exe
PID 2264 wrote to memory of 884	2264	hosts.exe	REG.exe
PID 2264 wrote to memory of 884	2264	hosts.exe	REG.exe
PID 2264 wrote to memory of 884	2264	hosts.exe	REG.exe
PID 2304 wrote to memory of 300	2304	avscan.exe	REG.exe
PID 2304 wrote to memory of 300	2304	avscan.exe	REG.exe
PID 2304 wrote to memory of 300	2304	avscan.exe	REG.exe
PID 2304 wrote to memory of 300	2304	avscan.exe	REG.exe

C:\Users\Admin\AppData\Local\Temp\154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
2⤵
- Modifies registry key
PID:1084

C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2304

C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2840

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:2708

C:\windows\hosts.exe
C:\windows\hosts.exe
4⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2264

C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1668

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
5⤵
- Suspicious use of WriteProcessMemory
PID:2804

C:\windows\hosts.exe
C:\windows\hosts.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2956

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
6⤵
- Adds policy Run key to start application
PID:1040

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
5⤵
- Modifies registry key
PID:884

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
5⤵
- Modifies registry key
PID:1488

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
5⤵
- Modifies registry key
PID:1812

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
5⤵
- Modifies registry key
PID:1616

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
4⤵
- Adds policy Run key to start application
PID:2800

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
PID:304

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
PID:300

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
PID:2420

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
PID:2300

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2676

C:\windows\hosts.exe
C:\windows\hosts.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2596

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
3⤵
- Adds policy Run key to start application
PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
9.6MB

MD5
9066d24600ccb1e3d45fc4a866732b71

SHA1
721e4b5c5ae4edcefef1404b291075cea906daf5

SHA256
00f248c26f048ed71769e8adb8c2a63bb2fc453c67c6acbf30757f990fab883f

SHA512
82a094c5a48b53de9225cc2debecc390f0ad854f1b4b16bb47546f2beac149e1778b6ee34df6ceff1dbd988d733f235dca12c669c2910ae83a00cf13d483e05c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
19.2MB

MD5
1542b2699a5f35f27731750512fafd97

SHA1
40407d60ca48bf7511df00f73b66345c09da4377

SHA256
5039636e9ed9e36ac688ce5b0e49fbcebdb9f429e18c7c89ad077b69ad2e8a11

SHA512
77173d906ec7b8dda33b9335566c7ff69a847b1d9a08b756b6e65a755d5ce2f1f331068d743002c030a52ebe893fbe78975f17f77228d6a969de9fb57a175755

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
19.2MB

MD5
598616dfc3c71d95e3725c4a3702e84b

SHA1
4165b73f47c3c8ac813fed2a63833ec1c323e426

SHA256
8bf7ac14aaf0dc56146f41afb00d22a5c26dd59fa289cc95e0f5e5bf0a3aa755

SHA512
54e9aba60ae14d7cb57b0402a862f3615740676acd4a61e4c46eab43899fd5b9b1482ef9f0e2d8f9f99e49627e95e3d0e2475a3b0bcbb869d8f72383fd3edb98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
28.7MB

MD5
9689ea57b7f8045a40b5f8dd66a19d99

SHA1
7560fb2a501e00c99c5d6328484b2df249dcb20d

SHA256
57238be7c0cdc0d1617e322a16d84fb6714370fbaed2f13e24a5289270cd0bb6

SHA512
9608514073b9e4f0dcde7dadb6c8b86f5dee678d17901395853aebf2f7568e41be96fdbceaf67632edafd80a8731b5a0d8e64a486dd4054c0aab94f7c8288291

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
28.7MB

MD5
a944851501536cbda669ba57b06d4b9e

SHA1
29cf91dd965d494d3aaab4cbd95facaedc2d228e

SHA256
31e57fd8173c55cfc84ab22083a352952f1dabcf673b34f9e4b61005fd1fe57f

SHA512
cc3c2e9a3a228f5f19a0c3effca2d205ef36d6ae69f8b7547ff100c01cc1813e79ad7ddb1379a39aad3aebb11347d333b1d4257c2e7e1f9d9a8db5ad9b500b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
38.3MB

MD5
402e3490d68a0ffc81baa177a48956f1

SHA1
a85409063cf1168357c3e4b16683ed13069d9323

SHA256
f093bb5f22c141c3ac8d26604e77261e2e5bace3b1f6237f506b6390aa013c4e

SHA512
02be5980eddb9f3b78b3434212bbafeac70a975b86fea6db2f379b79534f2cf53dce5f21078dde4b8af1f40aec3b38e1a942d31e9cbabd4bd73e65957bc92e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
38.3MB

MD5
b4522c007895739d28707924e919dc1f

SHA1
6e5fae17597a5eea92ba7144937fc2874068494a

SHA256
b7aca429546a57cb0ba2cfe459602ed2245e70d8ba88acac6a12b9f81c6fecad

SHA512
7a330405e6a5878711b46d71a4526de2acea5b3ab5c70bf066ce05cddd96762c9bdc14ee99b24555bd7d20e484d592e3a8c7d0cad5d0e24a315019cb3968e21a

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
26afee130b7e5762857fc2c5fa925db0

SHA1
998f3b2499194065b3eb35048c7fd41cf02ab14f

SHA256
82382dd1b61b383e2e5cd0ec8a8801d86681373a9f93de9baa7cd0eeb7e1baf5

SHA512
53874f40fe51ad7f47db52b1032cf0ef7713a608a3df6ffdc8dcf82219795222bf56fd5b6686d453452e91e852692ed3497d50a146a8287975d38470745733e5

Download Submit
C:\Windows\hosts.exe

Filesize
4.8MB

MD5
72402a625f6905519a2e0f9cd2972703

SHA1
c7014fff5d379e0cee66fe8a99902c19835b0824

SHA256
bac434e326b42223337406f96df1945ae2db3328280688211ff59ecdfa70d8a4

SHA512
62f81955bfe672cc6980dcfb7353f912d6e3b347b81fbbbf81478716bd78488e371fa8b798b6d6e629168a4a899a54785db106cd404dc2dbb8bb3002ba32089f

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
4.8MB

MD5
fa350a020e8dd3bf5c592f47eb3cc9ad

SHA1
61394ef778b25a2de6d2e2c9a37ffd2c51363da2

SHA256
0997700c4c7178adefb08070a374f6725f41969433bb199b077796b5716dc8a3

SHA512
0bb848c364eab87b4d6dad01b6abc8b3b773d35f278d8730af9b162711044c586963373e1566ebd2e668d706c6791175b302201cc0c258e82db2d18e1d015db7

Download Submit
memory/1668-65-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1668-64-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download