Malware Analysis Report

2025-01-06 08:57

Sample ID 240604-bbdvjafe51
Target 1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe
SHA256 b61abca8ab973665e8282cfd611bc702ad5393bed3c2ceab70cb394f73937cb8
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b61abca8ab973665e8282cfd611bc702ad5393bed3c2ceab70cb394f73937cb8

Threat Level: Known bad

The file 1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

Adds policy Run key to start application

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 00:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 00:57

Reported

2024-06-04 01:00

Platform

win7-20240508-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\windows\hosts.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\windows\hosts.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\PUMARTNR = "W_X_C.bat" C:\Windows\SysWOW64\WScript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\PUMARTNR = "W_X_C.bat" C:\Windows\SysWOW64\WScript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\PUMARTNR = "W_X_C.bat" C:\Windows\SysWOW64\WScript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" C:\Users\Admin\AppData\Local\Temp\1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" C:\windows\hosts.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
File opened for modification C:\Windows\hosts.exe C:\windows\hosts.exe N/A
File created C:\windows\W_X_C.vbs C:\Users\Admin\AppData\Local\Temp\1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe N/A
File created \??\c:\windows\W_X_C.bat C:\Users\Admin\AppData\Local\Temp\1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
N/A N/A C:\windows\hosts.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1616 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe C:\Windows\SysWOW64\REG.exe
PID 1616 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe C:\Windows\SysWOW64\REG.exe
PID 1616 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe C:\Windows\SysWOW64\REG.exe
PID 1616 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe C:\Windows\SysWOW64\REG.exe
PID 1616 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 1616 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 1616 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 1616 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2652 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2652 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2652 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2652 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2652 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\cmd.exe
PID 1616 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1616 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1616 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1616 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 2432 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 1636 wrote to memory of 2432 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 1636 wrote to memory of 2432 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 1636 wrote to memory of 2432 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2772 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2772 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2772 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2772 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2608 wrote to memory of 2604 N/A C:\windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2608 wrote to memory of 2604 N/A C:\windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2608 wrote to memory of 2604 N/A C:\windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2608 wrote to memory of 2604 N/A C:\windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2608 wrote to memory of 2916 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 2916 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 2916 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 2916 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2772 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2772 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2772 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 1636 wrote to memory of 992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 1636 wrote to memory of 992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 1636 wrote to memory of 992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 1636 wrote to memory of 992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2916 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2916 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2916 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2916 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2916 wrote to memory of 1736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2916 wrote to memory of 1736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2916 wrote to memory of 1736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2916 wrote to memory of 1736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2652 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 2652 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 2652 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 2652 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 2608 wrote to memory of 2532 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 2608 wrote to memory of 2532 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 2608 wrote to memory of 2532 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 2608 wrote to memory of 2532 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 2652 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 2652 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 2652 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 2652 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe"

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\windows\W_X_C.bat

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\windows\W_X_C.bat

C:\windows\hosts.exe

C:\windows\hosts.exe

C:\windows\hosts.exe

C:\windows\hosts.exe

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\windows\W_X_C.bat

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"

C:\windows\hosts.exe

C:\windows\hosts.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\avscan.exe

MD5 b95293d1d7774c7e78e130ae37569884
SHA1 9e3e0fdf8cc557647e3e0d5e0cd208f86294e809
SHA256 8ef6d579353838b0d380a61f8e3207692366399c04110f987bf6deab51c4f24b
SHA512 da1621d3c3e00a8a8162dcb06753df5837f62b49fba699531e432d3c08897238c4d12d4e64b46feefe220c5786f5eee52e131adec51db562970aa790886967f9

C:\Windows\hosts.exe

MD5 c8fd87dc819d672d81edce8cd34ddb26
SHA1 5e58671579d302f7a6b7ffc6fdc3cba4ddb6ad52
SHA256 5ef6eb4d2eea80e20d297145c5e8d827232289eeaf96656d4f63ab8ef36cbfd0
SHA512 067a8ed5379e01b89b5f4f080efa0be3bb2e0d3de8f2d6854e733f75908c95ffdfd58e4104c8fb7701a70a894a7e3c4944048eedfe37473bff6acf05ff6575f5

\??\c:\windows\W_X_C.bat

MD5 4db9f8b6175722b62ececeeeba1ce307
SHA1 3b3ba8414706e72a6fa19e884a97b87609e11e47
SHA256 d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78
SHA512 1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

memory/2432-36-0x0000000000220000-0x0000000000230000-memory.dmp

C:\Windows\W_X_C.vbs

MD5 2df57aa4500f46404a04cee9c40b1d64
SHA1 7cd4269994ddf8cc7a2de4b7ad1efcee00355501
SHA256 a65ee8d770c67855f508271036ab2d35394ce6cecd0e6d31b7be17bf8c6f0749
SHA512 eb205a059c086f048035ef6f21de8af577c482c9f6724f6ef991b44528a1a57939064d1930c72ba0a399004378671ac7c62634066240d9dfe168a1c73b51ec38

memory/1764-73-0x0000000000220000-0x0000000000230000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

MD5 ef17974debd9ad1fb9cfbfed677451b2
SHA1 19bfdd81c61a690d45851272476dddca0180f522
SHA256 be1e9bdc73e91b148e15e8592e129ba39881908db216a768dea07f40e89f7021
SHA512 b1ac41436cb944b37d418f8ad9c8e4c4df6accd64ea2a55b79926769af2743f8bd5a16eee15d436e6e3be6b4159f5b91d7287a8de73e7a8f459b30a333985d40

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

MD5 617c56ac970c39e704bb80f7cb303e09
SHA1 310fbf839c98108ca64de57b73704738646fad2f
SHA256 0c65c84f1b9e6893e32a6346f0fe8742978d3038764a8e6fe9da3fd8d5f922f9
SHA512 9052d84296e86c7fe3d3b4f0762e3efbb1a1a965ad49c4ae0783e3bfea999c0a26499dc35bf654f2508974346771b675725aac4e6f77f24b2edb007cf2f74e83

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

MD5 cf3fc85ab9f515c6385cc448ed097056
SHA1 d6a4642ed3f748bf6336ee034f820c0ef4adaeae
SHA256 cf2f01f1fa2767b987d8a14877bed79461593ea1d0b236eb43a8589a1ad60770
SHA512 2961a896e49c951612a14e1a32781c5c18d2951532c492aef30cfc66c194d08ada24e05dc5160fb2393be2d999590b9150e734f48bfaca229b0c5f8a9c044f74

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

MD5 aa9a479f5ee6da10534acbbfce0824cd
SHA1 3cbf4c333703ae129a98c915f85c8821eaf0c439
SHA256 83af2acb86876cf366e81db296bb68893515a52d651c7104b7d846567e5fd02d
SHA512 491113342bb47aa38af0c16d33039e1886028e412a0fcc923704af7e6bc93341e2130ffe2838b6335b11ca822a8c6f31ac9096d4e7e4628af741ba045aa69dcd

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

MD5 5f9b8600c79a8443eaffb228cc32e26a
SHA1 07ecce28ca2306bcd4fa5328e6082b887f633c1a
SHA256 4f6b4a100d8f05824394a154b959a31bf7dd0a73270b072d170929d625ff0f0a
SHA512 675a76cac92aea5cb1b05f59f0c476b21b2a701e9c28ad9e3763f49e4f17edb445c4aee91ad482133d4b247d8ecc360540a9cecee4bc935bd19578674481a27e

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

MD5 c56942e6d162bd96be62158b1102bfff
SHA1 2874be025ff9badd218fecec4498b70e515a1922
SHA256 2199f4529e68cfa9e7b58a4609f7ee11491abfee84c3a1a58ece6382565f34be
SHA512 7142baad3bb7d33fa22008d06917b0f6709236d176403db25fdfef7a8698035aa87f4dba490fcbe3af50c46ba112bced21518c86c36d0d028cf336ac7736ac45

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 00:57

Reported

2024-06-04 01:00

Platform

win10v2004-20240508-en

Max time kernel

130s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\windows\hosts.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\windows\hosts.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\BVRKIPTS = "W_X_C.bat" C:\Windows\SysWOW64\WScript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\BVRKIPTS = "W_X_C.bat" C:\Windows\SysWOW64\WScript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\BVRKIPTS = "W_X_C.bat" C:\Windows\SysWOW64\WScript.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" C:\Users\Admin\AppData\Local\Temp\1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" C:\windows\hosts.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\windows\W_X_C.vbs C:\Users\Admin\AppData\Local\Temp\1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe N/A
File created \??\c:\windows\W_X_C.bat C:\Users\Admin\AppData\Local\Temp\1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
File opened for modification C:\Windows\hosts.exe C:\windows\hosts.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
N/A N/A C:\windows\hosts.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1420 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe C:\Windows\SysWOW64\REG.exe
PID 1420 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe C:\Windows\SysWOW64\REG.exe
PID 1420 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe C:\Windows\SysWOW64\REG.exe
PID 1420 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 1420 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 1420 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2820 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2820 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2820 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2820 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\cmd.exe
PID 1420 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1420 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1420 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4568 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 4568 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 4568 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2044 wrote to memory of 1840 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2044 wrote to memory of 1840 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2044 wrote to memory of 1840 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2792 wrote to memory of 2240 N/A C:\windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2792 wrote to memory of 2240 N/A C:\windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2792 wrote to memory of 2240 N/A C:\windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2792 wrote to memory of 2552 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 2552 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 2552 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\cmd.exe
PID 2044 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2044 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2044 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 4568 wrote to memory of 4540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 4568 wrote to memory of 4540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 4568 wrote to memory of 4540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2552 wrote to memory of 4456 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2552 wrote to memory of 4456 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2552 wrote to memory of 4456 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2552 wrote to memory of 2108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2552 wrote to memory of 2108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2552 wrote to memory of 2108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2820 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 2820 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 2820 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 2792 wrote to memory of 2508 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 2792 wrote to memory of 2508 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 2792 wrote to memory of 2508 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 2820 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 2820 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 2820 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 2792 wrote to memory of 4312 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 2792 wrote to memory of 4312 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 2792 wrote to memory of 4312 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 2820 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 2820 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 2820 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 2792 wrote to memory of 3200 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 2792 wrote to memory of 3200 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 2792 wrote to memory of 3200 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 2820 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 2820 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 2820 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 2792 wrote to memory of 924 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 2792 wrote to memory of 924 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 2792 wrote to memory of 924 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1a196f68282a76a4d8a006a9e50fe670_NeikiAnalytics.exe"

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\windows\hosts.exe

C:\windows\hosts.exe

C:\windows\hosts.exe

C:\windows\hosts.exe

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"

C:\windows\hosts.exe

C:\windows\hosts.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\avscan.exe

MD5 d103f94288af253dc47336a73f8232df
SHA1 c812f63e5c7222d1f469dc8479ccfaca6d0b5897
SHA256 c27d02e05ad717f1a53cc1d90cf44b29ad5ec9a29b3e5ef99a89f146a82d194a
SHA512 3d89ef31607d6841cfde06b03afa7bcee3836be97153dd9af3a72e0c365e7d18226e9a2f50d754c44554c06d7d2c88c5942d153aa092eac9542c44a5d6d093a8

C:\Windows\hosts.exe

MD5 62300468fc105b36041cdb8c158acee3
SHA1 381dd395445c523ad56935ca9f627ba54963163c
SHA256 9f83fabba6fa4d292980bbd2424f6deb98c328963bbbb30bc21ac32c3b0df4f0
SHA512 ce6d443d670f50e0d7531c9ade4eaaeafb7e3ace958f12a79350182733c7198af0083cce69104aa15efcae23140098559f23c2965727c2e193f077bbe0a9acb2

\??\c:\windows\W_X_C.bat

MD5 4db9f8b6175722b62ececeeeba1ce307
SHA1 3b3ba8414706e72a6fa19e884a97b87609e11e47
SHA256 d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78
SHA512 1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

C:\Windows\W_X_C.vbs

MD5 2bf5a187f48b0e3c967d35345b39cf75
SHA1 5dc7cfa3b9818baa039314fd49d38825a88f30f2
SHA256 9676e777e8eec50aa91525d3c0ed7c17047ddf363cb28a83a474c2840cd4c7b1
SHA512 1f0c2d5fadc2304f910caf7569a968b1824687cb57dd8f470dc67b8262cb009809c83ea626f2f99d9ce4e8113efb46c53b979f6dc3113433f7503ca4d119e16c