Malware Analysis Report

2025-03-15 00:52

Sample ID 240627-bgp5rathkf
Target 32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe
SHA256 32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891
Tags
defense_evasion evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891

Threat Level: Known bad

The file 32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

defense_evasion evasion persistence

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Adds policy Run key to start application

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Impair Defenses: Safe Mode Boot

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious use of WriteProcessMemory

Modifies registry key

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-27 01:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-27 01:07

Reported

2024-06-27 01:09

Platform

win7-20240611-en

Max time kernel

122s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\windows\hosts.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\windows\hosts.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\EILATWEW = "W_X_C.bat" C:\Windows\SysWOW64\WScript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\EILATWEW = "W_X_C.bat" C:\Windows\SysWOW64\WScript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\EILATWEW = "W_X_C.bat" C:\Windows\SysWOW64\WScript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\WScript.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Windows\SysWOW64\REG.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Windows\SysWOW64\REG.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend C:\Windows\SysWOW64\REG.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" C:\windows\hosts.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\windows\W_X_C.vbs C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe N/A
File created \??\c:\windows\W_X_C.bat C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
File opened for modification C:\Windows\hosts.exe C:\windows\hosts.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
N/A N/A C:\windows\hosts.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1688 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe C:\Windows\SysWOW64\REG.exe
PID 1688 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe C:\Windows\SysWOW64\REG.exe
PID 1688 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe C:\Windows\SysWOW64\REG.exe
PID 1688 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe C:\Windows\SysWOW64\REG.exe
PID 1688 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 1688 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 1688 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 1688 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2780 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2780 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2780 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2780 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2780 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\cmd.exe
PID 1688 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1688 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1688 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1688 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2520 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2784 wrote to memory of 2520 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2784 wrote to memory of 2520 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2784 wrote to memory of 2520 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2848 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2848 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2848 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2848 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2848 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2848 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2848 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2848 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2784 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2784 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2784 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2784 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2564 wrote to memory of 784 N/A C:\windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2564 wrote to memory of 784 N/A C:\windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2564 wrote to memory of 784 N/A C:\windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2564 wrote to memory of 784 N/A C:\windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 2564 wrote to memory of 2940 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 2940 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 2940 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 2940 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 1696 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2940 wrote to memory of 1696 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2940 wrote to memory of 1696 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2940 wrote to memory of 1696 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 2940 wrote to memory of 1060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2940 wrote to memory of 1060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2940 wrote to memory of 1060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2940 wrote to memory of 1060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2780 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 2780 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 2780 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 2780 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 2564 wrote to memory of 2972 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 2564 wrote to memory of 2972 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 2564 wrote to memory of 2972 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 2564 wrote to memory of 2972 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 2780 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 2780 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 2780 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 2780 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe

Processes

C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe"

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\windows\W_X_C.bat

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\windows\W_X_C.bat

C:\windows\hosts.exe

C:\windows\hosts.exe

C:\windows\hosts.exe

C:\windows\hosts.exe

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\windows\W_X_C.bat

C:\windows\hosts.exe

C:\windows\hosts.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\avscan.exe

MD5 a93007fde3976ec7e44c525bacc7069c
SHA1 fc33a8700145f93d0ce54f310cf3b8c355125238
SHA256 6acfa6368c62f8fc318462b013cd9fcec781be03386dc2f5bef41cb2ba3fa6d8
SHA512 73e807f44cd9d8c588951a20ab56bb0c3efd3932b363517bafa69a7c28d4b0aafd08afd445c4bf75478c57065ae0614f75d0b767405a8d758aad1db6c33375f6

C:\Windows\hosts.exe

MD5 73158f7a6a769b4e715e5b24de075299
SHA1 e469af2d1d21dfebfb1662bfb5fbdfa164e3e581
SHA256 4165eb28aa94d3c28279a07e1d8fc1b83a40d5393b1ff3fe69ae8ba52957fce6
SHA512 6db24e68b11728a8147de87133f76fd6270e8cb0032a14d2416e15cdb338c5ff9cf28d7c23ad2ace6defc412eecadbe0e827d0bc5a6b91a840519f74306026f5

\??\c:\windows\W_X_C.bat

MD5 4db9f8b6175722b62ececeeeba1ce307
SHA1 3b3ba8414706e72a6fa19e884a97b87609e11e47
SHA256 d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78
SHA512 1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

memory/2784-62-0x00000000023B0000-0x00000000024B0000-memory.dmp

memory/2784-63-0x00000000023B0000-0x00000000024B0000-memory.dmp

C:\Windows\W_X_C.vbs

MD5 f6c84b0b807d9c88dadd87289cbd9a71
SHA1 0ce2e8163c8b9bf6e56f6d819084d876821f8002
SHA256 73601c28154e4bbfcc10d4632aa75447ee9c97aebc599b9128fb0024af8939ac
SHA512 bf68dd033feba173231c07ca6beeba95c464d8ee226a957066901eccecfd771f457b59b475313fedd56856958fc575c14241bada16919b2400e6aa105d13849c

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

MD5 413a908a2749b133288e0118b2f35ce6
SHA1 e2160c7b9e7efbae944d2634b49526a47a60fd41
SHA256 4fb8e97d8040e4c0333db19b17c1b25f7047f93c097f81494dd9fb92ed4ebc37
SHA512 18ac4dfa016235532df2625014a84348def86b52c277bf11ffbd423cdd704e50ec406388a51d4bc03d50ef9951c9ba4dec0b89146086e35d1da5fc79e76db332

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

MD5 d0b12d5451f835decd0a7fb43df00059
SHA1 68e32c482bc4b41d69e78545c794fd2db8b3855d
SHA256 8a6ca68ee99f84b0a610de545091f2fd2516eecb7babfba2a3620c0178c1a171
SHA512 dcbd01368fcfd3d8d2858eb3274720a5bdf808be81a64766232d0ee5ea1224399f65688534e0f2dac445031af138d41e7c13a165fa5add02a010564cd96ca037

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

MD5 8592f83f38319420e37971c537d1201a
SHA1 baacdfc4095d3b30eb4a4372820d7d6c693452f7
SHA256 1a6682988d7a6b8eba67d75f57b278e6507078dbeeaf007175d735bf5d866cbd
SHA512 32ff760e660ddf898ee8150ab3db4093250ba52fdb5d3ba377892fdc41f156d2c0d3ee0dd09357f29db117cde7231f98791a9249573c5c2b5c1b672e1fd8acdb

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

MD5 509df21a9e5e0f6ed190de6e2f71763f
SHA1 3552770594fff4a704e17403e994806c1801823a
SHA256 0a3e80a596901fe18e6d16a6fb689cfaa4ca1a06f97d721c76a47f54b5615d82
SHA512 6652d24a2942576758c3828322645a804e2f15203275eb2f1d50fab7bb17c5a2ae85921c7aaf070400db3897b73f68275453d5f4cc9f45097b0bc0b88db6749b

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

MD5 6a9982eda6791a4871e1f7671c1a4521
SHA1 5415ff7bfd9d90f2442b19ef8d8ac1ca9ae5bafa
SHA256 2df6d1fade3ff094dc08a4b5b547a1f32d0f26b6c67091f2f6d5d73710cbd1bc
SHA512 76d2c1e5ee89c13a5254c26a9cf87cecf12134b5f459eb5d520a4f744300481133667f8f6f0f12e0aef80217acb176e9f4d36b3d67211bdc6450fa744a8d4cc2

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

MD5 7bd365e7c1fa448643e6fb34580ce230
SHA1 8dae7d4248fdadf053f50d341e17c23ffc8cf31c
SHA256 37d3c96d6cd4d07dcb73a32f239caaf1e73a62aa7d80663648c5dff5c843fd0b
SHA512 679a5524a988248e275a1cb7633e427b7b91d402e515712e3fc2f176ce103a94bec31ec6a54342bb70fec6b5c29ac369662352dc5a7a765d853ab24b52df1a92

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

MD5 6e2bd7ab748c5767936cb689a0baac36
SHA1 20a8243288b388b5986d85b3fd083b5ce01a326a
SHA256 7618af0d1f217c321fdfdcf6f27ae7f20a7dcac897141e36d33b20dca01cf4bd
SHA512 7f25af9d342075c6cdb8f7dab696f305e1aae11b2ec2b971f22c6be29202a9bda8ac0724e44e716a5512616fabccb3aad0911d009ea2849559cfb36e1786e8d7

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-27 01:07

Reported

2024-06-27 01:09

Platform

win10v2004-20240508-en

Max time kernel

121s

Max time network

57s

Command Line

"C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\windows\hosts.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\windows\hosts.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\BVRKIPTS = "W_X_C.bat" C:\Windows\SysWOW64\WScript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\BVRKIPTS = "W_X_C.bat" C:\Windows\SysWOW64\WScript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\BVRKIPTS = "W_X_C.bat" C:\Windows\SysWOW64\WScript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\WScript.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Windows\SysWOW64\REG.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Windows\SysWOW64\REG.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Windows\SysWOW64\REG.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Windows\SysWOW64\REG.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Windows\SysWOW64\REG.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Windows\SysWOW64\REG.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" C:\windows\hosts.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\windows\W_X_C.vbs C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe N/A
File created \??\c:\windows\W_X_C.bat C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
File opened for modification C:\Windows\hosts.exe C:\windows\hosts.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe N/A
N/A N/A C:\windows\hosts.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1892 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe C:\Windows\SysWOW64\REG.exe
PID 1892 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe C:\Windows\SysWOW64\REG.exe
PID 1892 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe C:\Windows\SysWOW64\REG.exe
PID 1892 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 1892 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 1892 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 4228 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 4228 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 4228 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 4228 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\cmd.exe
PID 4228 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\cmd.exe
PID 4228 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3700 wrote to memory of 1220 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 3700 wrote to memory of 1220 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 3700 wrote to memory of 1220 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 1792 wrote to memory of 1344 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 1792 wrote to memory of 1344 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 1792 wrote to memory of 1344 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 1220 wrote to memory of 3088 N/A C:\windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 1220 wrote to memory of 3088 N/A C:\windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 1220 wrote to memory of 3088 N/A C:\windows\hosts.exe C:\Users\Admin\AppData\Local\Temp\avscan.exe
PID 1220 wrote to memory of 468 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\cmd.exe
PID 1220 wrote to memory of 468 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\cmd.exe
PID 1220 wrote to memory of 468 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\cmd.exe
PID 1792 wrote to memory of 2256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 1792 wrote to memory of 2256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 1792 wrote to memory of 2256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 3700 wrote to memory of 4052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 3700 wrote to memory of 4052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 3700 wrote to memory of 4052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 468 wrote to memory of 1984 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 468 wrote to memory of 1984 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 468 wrote to memory of 1984 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 468 wrote to memory of 1244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 468 wrote to memory of 1244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 468 wrote to memory of 1244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 4228 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 4228 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 4228 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 1220 wrote to memory of 2500 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 1220 wrote to memory of 2500 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 1220 wrote to memory of 2500 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 4228 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 4228 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 4228 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 1220 wrote to memory of 2748 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 1220 wrote to memory of 2748 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 1220 wrote to memory of 2748 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 4228 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 4228 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 4228 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 1220 wrote to memory of 3148 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 1220 wrote to memory of 3148 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 1220 wrote to memory of 3148 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 4228 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 4228 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 4228 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 1220 wrote to memory of 4472 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 1220 wrote to memory of 4472 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 1220 wrote to memory of 4472 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
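The "wrote to memory of" rows above are how this sandbox surfaces process creation: a parent writes to a freshly created child a few times while the new image is set up, so every spawn appears as a run of identical rows. The script below (an added example, not part of the report or of the sandbox tooling) parses an excerpt of those rows, collapses the repeats into one parent/child edge with a count, and prints the resulting process tree; PIDs that never appear as a child in the excerpt are shown as roots, and with the full table they would attach further up. Note that PIDs can be reused within a run, so one image per PID is only a safe assumption inside a short window like this one; the two hosts.exe instances here (1220 as a parent, 1984 as a child) are distinct processes.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Set

# Rows copied from the "wrote to memory of" table above (excerpt: the repeated
# rows are kept for the first five spawns only, so the edge counts differ).
REPORT_LINES = r"""
PID 3700 wrote to memory of 4052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 3700 wrote to memory of 4052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 3700 wrote to memory of 4052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 468 wrote to memory of 1984 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 468 wrote to memory of 1984 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 468 wrote to memory of 1984 N/A C:\Windows\SysWOW64\cmd.exe C:\windows\hosts.exe
PID 468 wrote to memory of 1244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 468 wrote to memory of 1244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 468 wrote to memory of 1244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 4228 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 4228 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 4228 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 1220 wrote to memory of 2500 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 1220 wrote to memory of 2500 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 1220 wrote to memory of 2500 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 4228 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 1220 wrote to memory of 2748 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 4228 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 1220 wrote to memory of 3148 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
PID 4228 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\avscan.exe C:\Windows\SysWOW64\REG.exe
PID 1220 wrote to memory of 4472 N/A C:\windows\hosts.exe C:\Windows\SysWOW64\REG.exe
"""

LINE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\s+N/A\s+(\S+)\s+(\S+)\s*$")


class Write(NamedTuple):
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str


def parse_writes(text: str) -> List[Write]:
    """Parse 'PID A wrote to memory of B' rows; lines in any other shape are skipped."""
    writes = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            writes.append(Write(int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return writes


def build_tree(writes: List[Write]):
    """Return (children, images, edge_counts).

    children: parent PID -> set of child PIDs; images: PID -> image path (first seen wins,
    which assumes no PID reuse inside the window); edge_counts: writes logged per pair,
    so the repeated rows collapse into one edge with a count.
    """
    children: Dict[int, Set[int]] = defaultdict(set)
    images: Dict[int, str] = {}
    edge_counts: Counter = Counter()
    for w in writes:
        children[w.src_pid].add(w.dst_pid)
        images.setdefault(w.src_pid, w.src_image)
        images.setdefault(w.dst_pid, w.dst_image)
        edge_counts[(w.src_pid, w.dst_pid)] += 1
    return dict(children), images, edge_counts


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def spawners_of(children, images, image_name: str) -> Set[int]:
    """PIDs that spawned at least one child with the given image basename (case-insensitive)."""
    want = image_name.lower()
    return {p for p, kids in children.items() if any(basename(images[k]) == want for k in kids)}


def render(children, images) -> List[str]:
    """Indented tree; roots are PIDs that never appear as a child in the parsed rows."""
    all_children = {c for kids in children.values() for c in kids}
    roots = sorted(p for p in children if p not in all_children)
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        lines.append(f"{'  ' * depth}{pid} {basename(images[pid])}")
        for kid in sorted(children.get(pid, ())):
            walk(kid, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    ch, im, ec = build_tree(parse_writes(REPORT_LINES))
    print("\n".join(render(ch, im)))
    print("REG.exe spawned by PIDs:", sorted(spawners_of(ch, im, "REG.exe")))
```

Run as-is it prints four subtrees; the useful ones for triage are avscan.exe (4228) and hosts.exe (1220), which each spawn four REG.exe children, matching the eight REG DELETE invocations listed under Processes.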

Processes

C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe"

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat

C:\windows\hosts.exe

C:\windows\hosts.exe

C:\windows\hosts.exe

C:\windows\hosts.exe

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Users\Admin\AppData\Local\Temp\avscan.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\windows\hosts.exe

C:\windows\hosts.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\REG.exe

REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
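Three things in the process list above are worth a detection rule on their own: reg.exe deleting HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot wholesale (the report's "Impair Defenses: Safe Mode Boot"; with the Minimal and Network subkeys gone, the machine cannot boot into Safe Mode for clean-up), script hosts running a .vbs or .bat placed directly in C:\Windows, and an executable named hosts.exe dropped into C:\Windows. The script below is an added example, not the report's or any vendor's rule set: it applies those three checks to process-creation events using Sysmon event 1 field names (Image, CommandLine). The events are constructed here, with image paths and command lines taken from the Processes list; the rundll32.exe / SHCreateLocalServerRunDll entry is included as a benign control that must not fire. Matching on the image basename means the WOW64 redirection visible above (WScript.exe and cmd.exe reported under SysWOW64 although the command line says System32) does not matter. The allow-list of binaries legitimately found in C:\Windows is illustrative and the T1059 / T1036 mappings are coarse choices for this example; T1562.009 is the ATT&CK ID for Safe Mode Boot.

```python
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    rule: str
    technique: str  # ATT&CK ID; T1562.009 is Impair Defenses: Safe Mode Boot, the other two are coarse mappings
    image: str
    command_line: str


# reg.exe deleting the SafeBoot key or any subkey (e.g. SafeBoot\Minimal), with either
# hive spelling and with or without quoting around the key path
SAFEBOOT_RE = re.compile(
    r'\bdelete\s+"?(?:HKLM|HKEY_LOCAL_MACHINE)\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\b',
    re.IGNORECASE,
)
# a script file sitting directly in C:\Windows (a subdirectory such as System32 does not match)
WINROOT_SCRIPT_RE = re.compile(r'c:\\windows\\[^\\\s"]+\.(?:vbs|vbe|js|jse|bat|cmd|ps1)\b', re.IGNORECASE)
# an executable sitting directly in C:\Windows
WINROOT_EXE_RE = re.compile(r"^c:\\windows\\[^\\]+\.exe$", re.IGNORECASE)
# illustrative, not exhaustive: assumption that these are the only expected executables in C:\Windows
WINROOT_ALLOW = {"explorer.exe", "regedit.exe", "notepad.exe", "hh.exe", "write.exe",
                 "winhlp32.exe", "bfsvc.exe", "splwow64.exe"}
INTERPRETERS = {"wscript.exe", "cscript.exe", "cmd.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[Finding]:
    """Apply the three rules to one process-creation event (Sysmon EID 1 field names)."""
    image, cmd = event["Image"], event["CommandLine"]
    name = basename(image)  # basename match, so SysWOW64 vs System32 redirection is irrelevant
    findings: List[Finding] = []
    if name == "reg.exe" and SAFEBOOT_RE.search(cmd):
        findings.append(Finding("safeboot_key_deleted", "T1562.009", image, cmd))
    if name in INTERPRETERS and WINROOT_SCRIPT_RE.search(cmd):
        findings.append(Finding("script_in_windows_root", "T1059", image, cmd))
    if WINROOT_EXE_RE.match(image) and name not in WINROOT_ALLOW:
        findings.append(Finding("exe_in_windows_root", "T1036", image, cmd))
    return findings


def scan(events: List[Dict[str, str]]) -> List[Finding]:
    return [f for e in events for f in evaluate(e)]


# Constructed events; Image and CommandLine values are taken from the Processes list above.
EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\REG.exe",
     "CommandLine": r"REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f"},
    {"Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat"},
    {"Image": r"C:\Windows\SysWOW64\WScript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"'},
    {"Image": r"C:\windows\hosts.exe",
     "CommandLine": r"C:\windows\hosts.exe"},
    # benign control: Explorer's shell COM server activation, must not fire
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"},
]

if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"{f.rule:24} {f.technique:10} {f.image}")
```

On a real host the same three rules translate directly to Sysmon event 1 or Security event 4688 (with command-line auditing enabled) filters; the SafeBoot rule has essentially no legitimate hits, while the other two will need the allow-list tuned to the build.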

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\avscan.exe

MD5 c550d9b404e6f175066c05afe7b1ab46
SHA1 5062911563003e3d83d0202ac7908ea3591afd80
SHA256 37d7f412f7036c3dfaa19c4cde9f8f9f1eba487c4e7a6a187a15c146341208f6
SHA512 5d5fe151a880f9d333d0cfdc9cf19eaaa9f7a870aef2cef442ca5892f7e7b4828490a778abe1a418add64507de590f6f8038999df3aca82eaa50552988079b8c

C:\Windows\hosts.exe

MD5 f7a3d779828fea2783673da73bb7b53d
SHA1 74019771345c5f73d46aa749b0145b5785ccf8e8
SHA256 37a4a86330ae5cc0dd9f21d2f6266324e0b6475d696b0605c8895f5ed626a714
SHA512 3f3be0b211bd897d772520a32345b47357254681c61042f22b6b5035b2ae6906dd669d054c99cc2526e78c57d098dd5021fd18bf3e22344b52d2a725c3c9fda1

\??\c:\windows\W_X_C.bat

MD5 4db9f8b6175722b62ececeeeba1ce307
SHA1 3b3ba8414706e72a6fa19e884a97b87609e11e47
SHA256 d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78
SHA512 1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

C:\Windows\W_X_C.vbs

MD5 2bf5a187f48b0e3c967d35345b39cf75
SHA1 5dc7cfa3b9818baa039314fd49d38825a88f30f2
SHA256 9676e777e8eec50aa91525d3c0ed7c17047ddf363cb28a83a474c2840cd4c7b1
SHA512 1f0c2d5fadc2304f910caf7569a968b1824687cb57dd8f470dc67b8262cb009809c83ea626f2f99d9ce4e8113efb46c53b979f6dc3113433f7503ca4d119e16c