Malware Analysis Report

2025-01-02 07:34

Sample ID 240510-dwlrzsga21
Target 5b29e1041f2b58eee1a728b63b17fe50_NeikiAnalytics
SHA256 e6667db5e1ba21054c7b5dd90eb2a060eb2e5a8ebc6a0d25f58fc461e9ebc4ee
Tags
privateloader discovery loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e6667db5e1ba21054c7b5dd90eb2a060eb2e5a8ebc6a0d25f58fc461e9ebc4ee

Threat Level: Known bad

The file 5b29e1041f2b58eee1a728b63b17fe50_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

privateloader discovery loader

PrivateLoader

Loads dropped DLL

Executes dropped EXE

Deletes itself

Checks installed software on the system

Enumerates physical storage devices

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 03:21

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 03:21

Reported

2024-05-10 03:24

Platform

win7-20240221-en

Max time kernel

119s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5b29e1041f2b58eee1a728b63b17fe50_NeikiAnalytics.exe"

Signatures

PrivateLoader

loader privateloader

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\TurboMeeting C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\ProtocolExecute C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\TurboMeeting\WarnOnOpen = "0" C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\TurboMeeting\ = "URL:TurboMeeting Starter" C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\TurboMeeting\URL Protocol C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\TurboMeeting\shell\open\command C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\TurboMeeting\shell C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\TurboMeeting\shell\open C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\TurboMeeting\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\TurboMeeting\\PCStarter.exe\" %1" C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\TurboMeeting C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5b29e1041f2b58eee1a728b63b17fe50_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2868 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\5b29e1041f2b58eee1a728b63b17fe50_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe
PID 1908 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe C:\Users\Admin\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe
PID 2784 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe C:\Users\Admin\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5b29e1041f2b58eee1a728b63b17fe50_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5b29e1041f2b58eee1a728b63b17fe50_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe"

C:\Users\Admin\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe

"C:\Users\Admin\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe" --program C:\Users\Admin\AppData\Roaming\TurboMeeting\TurboMeeting\rsp1024hcmd.txt

C:\Users\Admin\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe

TurboMeeting.exe --VSEDetect

Network

Country Destination Domain Proto
US 8.8.8.8:53 support.madwolf.com udp
US 64.210.231.141:443 support.madwolf.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\TMSetup.txt

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\TarA64.tmp

\Users\Admin\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe

C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\version.txt

C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\dictionary_client_ENG.tmd

C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\rsp1024hcmd.txt

C:\Users\Admin\AppData\Local\Temp\TMInstaller.txt

C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\ClientDatabase

C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\dbghelp.dll

C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\dictionary_client_CHI.tmd

C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\dictionary_client_CHIT.tmd

C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\dictionary_client_DTH.tmd

C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\dictionary_client_FRE.tmd

C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\dictionary_client_GER.tmd

C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\dictionary_client_ITA.tmd

C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\dictionary_client_JPN.tmd

C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\dictionary_client_PRT.tmd

C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\dictionary_client_SPA.tmd

C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\dictionary_client_TUR.tmd

C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\image\ApplicationIcon.ico

C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\image\CTMeeting.ico

C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\image\DummyWebcam.png

C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\image\IMDefault.png

C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\image\MXmeeting.ico

C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\image\ProfileInfoDialogBackground.bmp

C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\image\Separator1.png

C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\image\SeperatorLine.png

C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\image\TurboMeetingWatermark.png

C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\image\Ymeetee.ico

C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\InstallService.exe

C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\jsproxy.dll

C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\PCStarter.exe

C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\PCStarterXP.exe

C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\Sss.exe

C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\TMDownloader.exe

C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\TMResource.dll

C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\TMService.exe

C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\TurboMeeting.dll

C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\TurboMeeting.exe

C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\TMRemover.exe

C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\vistafunc.dll

C:\Users\Admin\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml

C:\Users\Admin\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml

C:\Users\Admin\AppData\Roaming\TurboMeeting\TurboMeeting\Configure.xml

C:\Users\Admin\AppData\Local\Temp\rsp1024h.txt

C:\Users\Admin\AppData\Local\Temp\rsp1024h.txt

C:\Users\Admin\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml

C:\Users\Admin\AppData\Local\Temp\rsp1024h.txt

C:\Users\Admin\AppData\Local\Temp\rsp1024h.txt

C:\Users\Admin\AppData\Local\Temp\SVEDetector.txt

C:\Users\Admin\AppData\Local\Temp\SVEDetector.txt

C:\Users\Admin\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml

C:\Users\Admin\AppData\Roaming\TurboMeeting\TurboMeeting\Cache.xml

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 03:21

Reported

2024-05-10 03:24

Platform

win10v2004-20240508-en

Max time kernel

125s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5b29e1041f2b58eee1a728b63b17fe50_NeikiAnalytics.exe"

Signatures

PrivateLoader

loader privateloader

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\TurboMeeting C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\TurboMeeting\WarnOnOpen = "0" C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\TurboMeeting C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\TurboMeeting\ = "URL:TurboMeeting Starter" C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\TurboMeeting\URL Protocol C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\TurboMeeting\shell\open\command C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\TurboMeeting\shell C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\TurboMeeting\shell\open C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\TurboMeeting\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\TurboMeeting\\PCStarter.exe\" %1" C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\5b29e1041f2b58eee1a728b63b17fe50_NeikiAnalytics.exe N/A 8
N/A N/A C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe N/A 4
N/A N/A C:\Users\Admin\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe N/A 12

Suspicious use of SetWindowsHookEx

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\5b29e1041f2b58eee1a728b63b17fe50_NeikiAnalytics.exe N/A 2
N/A N/A C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe N/A 1
N/A N/A C:\Users\Admin\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe N/A 21

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 4376 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\5b29e1041f2b58eee1a728b63b17fe50_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe 3
PID 4912 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe C:\Users\Admin\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe 3
PID 4728 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe C:\Users\Admin\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe 3
PID 4728 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe C:\Users\Admin\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe 3

Processes

C:\Users\Admin\AppData\Local\Temp\5b29e1041f2b58eee1a728b63b17fe50_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5b29e1041f2b58eee1a728b63b17fe50_NeikiAnalytics.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4040,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4196 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\tm_starter_dir\TMLauncher.exe"

C:\Users\Admin\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe

"C:\Users\Admin\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe" --program C:\Users\Admin\AppData\Roaming\TurboMeeting\TurboMeeting\rsp1024hcmd.txt

C:\Users\Admin\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe

TurboMeeting.exe --MagDetect

C:\Users\Admin\AppData\Roaming\TurboMeeting\TurboMeeting\TurboMeeting.exe

TurboMeeting.exe --VSEDetect

Network

Country Destination Domain Proto
US 8.8.8.8:53 support.madwolf.com udp
US 64.210.231.141:443 support.madwolf.com tcp
US 8.8.8.8:53 support.madwolf.com udp
US 64.210.231.141:443 support.madwolf.com tcp
US 8.8.8.8:53 141.231.210.64.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp

Files
