86ee7e63999c135c0477f22f1bf2724dae3f6389393c8c5ebe1a26417bb3990b

Analysis

max time kernel
121s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71b55f0558d85976a5293764cfd69b90_NeikiAnalytics.exe
Size

3.6MB
MD5

71b55f0558d85976a5293764cfd69b90
SHA1

5151e2091b8c9f628449ba0fc8aee7efc95b2e10
SHA256

86ee7e63999c135c0477f22f1bf2724dae3f6389393c8c5ebe1a26417bb3990b
SHA512

25c91287f1d8cd558be11a36d516270eff10c5866b26353677ca4ce30651cd04b58ba6f3796ab268154e91c39932d1cd3ff2b08039d4a94d0b735a3c1c193bdf
SSDEEP

98304:gMmD2mDc2mDMmD2mDe2mDMmD2mDc2mDMmD2mDZ:gMmD2mDc2mDMmD2mDe2mDMmD2mDc2mDr

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

71b55f0558d85976a5293764cfd69b90_NeikiAnalytics.exeavscan.exehosts.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	71b55f0558d85976a5293764cfd69b90_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

71b55f0558d85976a5293764cfd69b90_NeikiAnalytics.exeavscan.exehosts.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	71b55f0558d85976a5293764cfd69b90_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WScript.exeWScript.exeWScript.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\BISMIZHX = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\BISMIZHX = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\BISMIZHX = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe

Executes dropped EXE 6 IoCs

Processes:

avscan.exeavscan.exehosts.exehosts.exeavscan.exehosts.exe

pid process

2588 avscan.exe
2504 avscan.exe
2544 hosts.exe
2552 hosts.exe
2392 avscan.exe
2664 hosts.exe

pid	process
2588	avscan.exe
2504	avscan.exe
2544	hosts.exe
2552	hosts.exe
2392	avscan.exe
2664	hosts.exe

Loads dropped DLL 5 IoCs

Processes:

71b55f0558d85976a5293764cfd69b90_NeikiAnalytics.exeavscan.exehosts.exe

pid	process
1620	71b55f0558d85976a5293764cfd69b90_NeikiAnalytics.exe
1620	71b55f0558d85976a5293764cfd69b90_NeikiAnalytics.exe
2588	avscan.exe
2544	hosts.exe
2544	hosts.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

hosts.exe71b55f0558d85976a5293764cfd69b90_NeikiAnalytics.exeavscan.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	71b55f0558d85976a5293764cfd69b90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe

Drops file in Windows directory 5 IoCs

Processes:

hosts.exe71b55f0558d85976a5293764cfd69b90_NeikiAnalytics.exeavscan.exe

description	ioc	process
File opened for modification	C:\Windows\hosts.exe	hosts.exe
File created	C:\windows\W_X_C.vbs	71b55f0558d85976a5293764cfd69b90_NeikiAnalytics.exe
File created	\??\c:\windows\W_X_C.bat	71b55f0558d85976a5293764cfd69b90_NeikiAnalytics.exe
File opened for modification	C:\Windows\hosts.exe	71b55f0558d85976a5293764cfd69b90_NeikiAnalytics.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

REG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exeREG.exe

pid process

2172 REG.exe
2200 REG.exe
2004 REG.exe
3068 REG.exe
668 REG.exe
1292 REG.exe
1884 REG.exe
600 REG.exe
2036 REG.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

avscan.exehosts.exe

pid process

2588 avscan.exe
2544 hosts.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

71b55f0558d85976a5293764cfd69b90_NeikiAnalytics.exeavscan.exeavscan.exehosts.exeavscan.exehosts.exehosts.exe

pid process

1620 71b55f0558d85976a5293764cfd69b90_NeikiAnalytics.exe
2588 avscan.exe
2504 avscan.exe
2544 hosts.exe
2392 avscan.exe
2552 hosts.exe
2664 hosts.exe

pid	process
2172	REG.exe
2200	REG.exe
2004	REG.exe
3068	REG.exe
668	REG.exe
1292	REG.exe
1884	REG.exe
600	REG.exe
2036	REG.exe

pid	process
2588	avscan.exe
2544	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

71b55f0558d85976a5293764cfd69b90_NeikiAnalytics.exeavscan.execmd.execmd.exehosts.execmd.exe

description	pid	process	target process
PID 1620 wrote to memory of 2172	1620	71b55f0558d85976a5293764cfd69b90_NeikiAnalytics.exe	REG.exe
PID 1620 wrote to memory of 2172	1620	71b55f0558d85976a5293764cfd69b90_NeikiAnalytics.exe	REG.exe
PID 1620 wrote to memory of 2172	1620	71b55f0558d85976a5293764cfd69b90_NeikiAnalytics.exe	REG.exe
PID 1620 wrote to memory of 2172	1620	71b55f0558d85976a5293764cfd69b90_NeikiAnalytics.exe	REG.exe
PID 1620 wrote to memory of 2588	1620	71b55f0558d85976a5293764cfd69b90_NeikiAnalytics.exe	avscan.exe
PID 1620 wrote to memory of 2588	1620	71b55f0558d85976a5293764cfd69b90_NeikiAnalytics.exe	avscan.exe
PID 1620 wrote to memory of 2588	1620	71b55f0558d85976a5293764cfd69b90_NeikiAnalytics.exe	avscan.exe
PID 1620 wrote to memory of 2588	1620	71b55f0558d85976a5293764cfd69b90_NeikiAnalytics.exe	avscan.exe
PID 2588 wrote to memory of 2504	2588	avscan.exe	avscan.exe
PID 2588 wrote to memory of 2504	2588	avscan.exe	avscan.exe
PID 2588 wrote to memory of 2504	2588	avscan.exe	avscan.exe
PID 2588 wrote to memory of 2504	2588	avscan.exe	avscan.exe
PID 2588 wrote to memory of 2700	2588	avscan.exe	cmd.exe
PID 2588 wrote to memory of 2700	2588	avscan.exe	cmd.exe
PID 2588 wrote to memory of 2700	2588	avscan.exe	cmd.exe
PID 2588 wrote to memory of 2700	2588	avscan.exe	cmd.exe
PID 1620 wrote to memory of 2676	1620	71b55f0558d85976a5293764cfd69b90_NeikiAnalytics.exe	cmd.exe
PID 1620 wrote to memory of 2676	1620	71b55f0558d85976a5293764cfd69b90_NeikiAnalytics.exe	cmd.exe
PID 1620 wrote to memory of 2676	1620	71b55f0558d85976a5293764cfd69b90_NeikiAnalytics.exe	cmd.exe
PID 1620 wrote to memory of 2676	1620	71b55f0558d85976a5293764cfd69b90_NeikiAnalytics.exe	cmd.exe
PID 2700 wrote to memory of 2544	2700	cmd.exe	hosts.exe
PID 2700 wrote to memory of 2544	2700	cmd.exe	hosts.exe
PID 2700 wrote to memory of 2544	2700	cmd.exe	hosts.exe
PID 2700 wrote to memory of 2544	2700	cmd.exe	hosts.exe
PID 2676 wrote to memory of 2552	2676	cmd.exe	hosts.exe
PID 2676 wrote to memory of 2552	2676	cmd.exe	hosts.exe
PID 2676 wrote to memory of 2552	2676	cmd.exe	hosts.exe
PID 2676 wrote to memory of 2552	2676	cmd.exe	hosts.exe
PID 2544 wrote to memory of 2392	2544	hosts.exe	avscan.exe
PID 2544 wrote to memory of 2392	2544	hosts.exe	avscan.exe
PID 2544 wrote to memory of 2392	2544	hosts.exe	avscan.exe
PID 2544 wrote to memory of 2392	2544	hosts.exe	avscan.exe
PID 2544 wrote to memory of 2548	2544	hosts.exe	cmd.exe
PID 2544 wrote to memory of 2548	2544	hosts.exe	cmd.exe
PID 2544 wrote to memory of 2548	2544	hosts.exe	cmd.exe
PID 2544 wrote to memory of 2548	2544	hosts.exe	cmd.exe
PID 2548 wrote to memory of 2664	2548	cmd.exe	hosts.exe
PID 2548 wrote to memory of 2664	2548	cmd.exe	hosts.exe
PID 2548 wrote to memory of 2664	2548	cmd.exe	hosts.exe
PID 2548 wrote to memory of 2664	2548	cmd.exe	hosts.exe
PID 2700 wrote to memory of 2648	2700	cmd.exe	WScript.exe
PID 2700 wrote to memory of 2648	2700	cmd.exe	WScript.exe
PID 2700 wrote to memory of 2648	2700	cmd.exe	WScript.exe
PID 2700 wrote to memory of 2648	2700	cmd.exe	WScript.exe
PID 2548 wrote to memory of 2156	2548	cmd.exe	WScript.exe
PID 2548 wrote to memory of 2156	2548	cmd.exe	WScript.exe
PID 2548 wrote to memory of 2156	2548	cmd.exe	WScript.exe
PID 2548 wrote to memory of 2156	2548	cmd.exe	WScript.exe
PID 2676 wrote to memory of 1556	2676	cmd.exe	WScript.exe
PID 2676 wrote to memory of 1556	2676	cmd.exe	WScript.exe
PID 2676 wrote to memory of 1556	2676	cmd.exe	WScript.exe
PID 2676 wrote to memory of 1556	2676	cmd.exe	WScript.exe
PID 2588 wrote to memory of 2036	2588	avscan.exe	REG.exe
PID 2588 wrote to memory of 2036	2588	avscan.exe	REG.exe
PID 2588 wrote to memory of 2036	2588	avscan.exe	REG.exe
PID 2588 wrote to memory of 2036	2588	avscan.exe	REG.exe
PID 2544 wrote to memory of 2200	2544	hosts.exe	REG.exe
PID 2544 wrote to memory of 2200	2544	hosts.exe	REG.exe
PID 2544 wrote to memory of 2200	2544	hosts.exe	REG.exe
PID 2544 wrote to memory of 2200	2544	hosts.exe	REG.exe
PID 2588 wrote to memory of 2004	2588	avscan.exe	REG.exe
PID 2588 wrote to memory of 2004	2588	avscan.exe	REG.exe
PID 2588 wrote to memory of 2004	2588	avscan.exe	REG.exe
PID 2588 wrote to memory of 2004	2588	avscan.exe	REG.exe

C:\Users\Admin\AppData\Local\Temp\71b55f0558d85976a5293764cfd69b90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\71b55f0558d85976a5293764cfd69b90_NeikiAnalytics.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
2⤵
- Modifies registry key
PID:2172

C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2588

C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2504

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:2700

C:\windows\hosts.exe
C:\windows\hosts.exe
4⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2544

C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2392

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
5⤵
- Suspicious use of WriteProcessMemory
PID:2548

C:\windows\hosts.exe
C:\windows\hosts.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2664

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
6⤵
- Adds policy Run key to start application
PID:2156

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
5⤵
- Modifies registry key
PID:2200

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
5⤵
- Modifies registry key
PID:3068

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
5⤵
- Modifies registry key
PID:1292

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
5⤵
- Modifies registry key
PID:600

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
4⤵
- Adds policy Run key to start application
PID:2648

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
PID:2036

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
PID:2004

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
PID:668

C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
3⤵
- Modifies registry key
PID:1884

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2676

C:\windows\hosts.exe
C:\windows\hosts.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2552

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
3⤵
- Adds policy Run key to start application
PID:1556

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp
Filesize
7.2MB

MD5
13b36aba4a9b255db762e81776962870

SHA1
0013b6ad85a5c3f978f437fd376e65e838a9d87d

SHA256
d5345c487b032fd936a9358433bb12b24f4d2a660771d51979a281c5b20d601a

SHA512
0d7cb080b020617655bd3bc06ee24274d165bda3cfdbb72dce4886f3e23e715e860c38a3bbbdececd0c5490a7b696c60bc6c410a4e88f97aa54d3f5a31d2bd78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
Filesize
14.3MB

MD5
a5c44a9159e3db1425d74eda5bf8e699

SHA1
9a0ed3ca7df7120276a5d77db2e92ab43e338e90

SHA256
acba59d909b08c0cc40e07067508130d4f2fc7171236ca9db5fce5e2357e09a6

SHA512
628a0232dbd8aea7b465af7e54385c21744d02d385224cbb7cdf0e1a75e5a9529d7b1c95f04717e3de0f03b88b47424fe1748b5d62b8d97f8a9cbb8738a20dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
Filesize
14.3MB

MD5
3e2331584a6971d7d386a29f822a13b7

SHA1
2976351395f1e4293024f800140fda307977bada

SHA256
8441af8f024349e7b9295d1aaa0ef40f45895329486847c951a7e61acc7cf491

SHA512
515206e761cf6a7a43bb8ced117816a97c70856e82630aadfe9b29b3ed9806e716988ae6657bbccf98270c20d9b82fdc8fbde1c7fb40470c36a7d4baf6b826cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
Filesize
21.4MB

MD5
79e0bd9c4e13614fb094eda9fe6d5d12

SHA1
4789eba178016d77304fb95220b186b7b2f54766

SHA256
d5e55c6e74c8ba373ee1023d120e87090210cc7a8650719a3cc32757a391cae6

SHA512
589c4de0bd687fda64adda2342e3664d65cbdff29aedf14cc19c541ae8b79e2eff6bd76812fbbc9629d32537488644a9fe5b8efeaf7028cd8d429ca2da80792d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
Filesize
28.6MB

MD5
dbed84c994cb731c5141ec15843d5911

SHA1
cfe7a8181d9b55783033e3344d61ba5ed8613974

SHA256
04fd10a386717b5e680b480f4f0af0395c05731d78ffcd9d93c656bc7416f186

SHA512
50cbfc69a08e55015003e8d9e4f5c5f0a57f1ac54ae23520b540b8e6a70756dd5801c98b6c55f4f5727bd9d90426c1f2859fdf9b89da077d75a23e0fc9bdde86

Download Submit
C:\Windows\W_X_C.vbs
Filesize
195B

MD5
7fd017e8c0f6e808ab92dd24fc015f50

SHA1
917f0c6f8588a70a1044dfd2b0dd94d2738ac705

SHA256
009ab8b53bde4a5b671cddc837eeab5e1023557db347ed33f355d75d230d0ae1

SHA512
91f7dc20c39ddb47221416ec3ffd8b91e1ccdfe2cb8b60294380df08c6e4edef19387da198107eedb47a75e7ad311cc5933095eeddfcb47d7d45d5a8b0a40ae3

Download Submit
C:\Windows\hosts.exe
Filesize
3.6MB

MD5
6d932672bf4bb4a3ec1e242805ff0ccb

SHA1
d27f1ef2cc52d334f35bef430bb5656267a90a55

SHA256
b983d08687b44fa7421a913ba0de202c8455007eb55122db5d60740e4d7373d3

SHA512
5866adbdf1eabcb36f0c5513e3d44ae8cf2c7cef4bb4f8767f591b199af26ffd8d348365242575a7cd7f178b6c52f003d4acb6c3f8771c41e374a9085edfdf37

Download Submit
\??\c:\windows\W_X_C.bat
Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe
Filesize
3.6MB

MD5
ae34f27c2a220a067e4e71940f752b16

SHA1
e69df01fb042aa4fed5d43e92169d295f6e3800e

SHA256
5080306f281bd5c12df4442e02cc71ce922176b0aee8c88b5b274f5e5f3ff0ca

SHA512
0ba500169e054d4c126bffaf9bc8719720ecd1be962b7d92afcc5b15b2350b4184b42825c640eae10233eb8640b98aa895bf0615e30a8713f2a31ee1b8a72f74

Download Submit
memory/2552-48-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads