Malware Analysis Report

2025-06-15 20:08

Sample ID 240515-nb1eraef31
Target cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics
SHA256 d7d771d27ed3aeeced41548568292535d6c9d06fb1ce557fcbea21233880a653
Tags: collection discovery persistence spyware stealer upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256

d7d771d27ed3aeeced41548568292535d6c9d06fb1ce557fcbea21233880a653

Threat Level: Known bad

The file cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

collection discovery persistence spyware stealer upx

Executes dropped EXE

Reads local data of messenger clients

Loads dropped DLL

Reads user/profile data of web browsers

UPX packed file

Accesses Microsoft Outlook accounts

Adds Run key to start application

Looks up external IP address via web service

Checks installed software on the system

Suspicious use of SetThreadContext

AutoIT Executable

Enumerates physical storage devices

Unsigned PE

Modifies system certificate store

NTFS ADS

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 11:14

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 11:14

Reported

2024-05-15 11:16

Platform

win7-20240508-en

Max time kernel

147s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\winmgr119.exe N/A
N/A N/A C:\ProgramData\winmgr119.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe N/A

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook accounts

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe" | C:\Users\Admin\AppData\Local\Temp\cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe" | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe | N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A icanhazip.com N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary blob value not captured in this report] | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary blob value not captured in this report] | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary blob value not captured in this report] | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

NTFS ADS

Description | Indicator | Process | Target
File created | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe:Zone.Identifier:$DATA | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe | N/A
File created | C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA | C:\ProgramData\winmgr119.exe | N/A
File opened for modification | C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA | C:\ProgramData\winmgr119.exe | N/A
File created | C:\Users\Admin\AppData\Local\Temp\cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe:Zone.Identifier:$DATA | C:\Users\Admin\AppData\Local\Temp\cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\ProgramData\winmgr119.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\ProgramData\winmgr119.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1212 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
PID 1212 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
PID 1212 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
PID 1212 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
PID 2780 wrote to memory of 2708 | N/A | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2780 wrote to memory of 2708 | N/A | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2780 wrote to memory of 2708 | N/A | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2780 wrote to memory of 2708 | N/A | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2780 wrote to memory of 2708 | N/A | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2780 wrote to memory of 2708 | N/A | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2780 wrote to memory of 2708 | N/A | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2780 wrote to memory of 2708 | N/A | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2780 wrote to memory of 2708 | N/A | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2780 wrote to memory of 2764 | N/A | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2780 wrote to memory of 2764 | N/A | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2780 wrote to memory of 2764 | N/A | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2780 wrote to memory of 2764 | N/A | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2708 wrote to memory of 2508 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2708 wrote to memory of 2508 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2708 wrote to memory of 2508 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2708 wrote to memory of 2508 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2708 wrote to memory of 2508 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2708 wrote to memory of 2508 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2708 wrote to memory of 2508 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2708 wrote to memory of 2508 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2708 wrote to memory of 2804 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2708 wrote to memory of 2804 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2708 wrote to memory of 2804 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2708 wrote to memory of 2804 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2708 wrote to memory of 2804 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2708 wrote to memory of 2804 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2708 wrote to memory of 2804 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2708 wrote to memory of 2804 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2780 wrote to memory of 2044 | N/A | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2780 wrote to memory of 2044 | N/A | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2780 wrote to memory of 2044 | N/A | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2780 wrote to memory of 2044 | N/A | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2708 wrote to memory of 2980 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2708 wrote to memory of 2980 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2708 wrote to memory of 2980 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2708 wrote to memory of 2980 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2708 wrote to memory of 2980 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2708 wrote to memory of 2980 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2708 wrote to memory of 2980 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2780 wrote to memory of 792 | N/A | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2780 wrote to memory of 792 | N/A | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2780 wrote to memory of 792 | N/A | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2780 wrote to memory of 792 | N/A | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2780 wrote to memory of 1232 | N/A | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2780 wrote to memory of 1232 | N/A | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2780 wrote to memory of 1232 | N/A | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2780 wrote to memory of 1232 | N/A | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2016 wrote to memory of 332 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\winmgr119.exe
PID 2016 wrote to memory of 332 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\winmgr119.exe
PID 2016 wrote to memory of 332 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\winmgr119.exe
PID 2016 wrote to memory of 332 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\winmgr119.exe
PID 2780 wrote to memory of 496 | N/A | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2780 wrote to memory of 496 | N/A | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2780 wrote to memory of 496 | N/A | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2780 wrote to memory of 496 | N/A | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2780 wrote to memory of 1792 | N/A | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2780 wrote to memory of 1792 | N/A | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2780 wrote to memory of 1792 | N/A | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2780 wrote to memory of 1792 | N/A | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe"

C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe

C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

0

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp9157.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp9223.tmp"

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpA667.tmp"

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\system32\taskeng.exe

taskeng.exe {861DCD1A-8777-4CE5-8607-66F370BAE38F} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]

C:\ProgramData\winmgr119.exe

C:\ProgramData\winmgr119.exe

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\ProgramData\winmgr119.exe

C:\ProgramData\winmgr119.exe

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 icanhazip.com udp
US 104.16.185.241:80 icanhazip.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:80 ipinfo.io tcp
US 8.8.8.8:53 smtp.mail.me.com udp
US 17.57.155.28:587 smtp.mail.me.com tcp
US 17.57.155.28:587 smtp.mail.me.com tcp
US 17.57.155.28:587 smtp.mail.me.com tcp
US 17.57.155.28:587 smtp.mail.me.com tcp
US 17.57.155.28:587 smtp.mail.me.com tcp

Files

\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe

MD5 e6e76737fc9f0394c7afde7f06d6ff60
SHA1 d36336f4f9f71775325a43c55e6010ad480c4fdc
SHA256 83c2da139c89e89bdea5db45c6b92f7588dda711a5de200361a44ba982451c99
SHA512 f06d40e867b9c187e43f2f97966799b415798165e9203cdfe013fc0470424ad46d0b87eeed974e5a0aed987f5be71431097764e0ddbcc2d831b98741912def49

C:\ProgramData\winmgr119.exe

MD5 6249a5425d4d3baa42295bc774182561
SHA1 28f644257326cd6a5617662b73af17e7ee1fcf6e
SHA256 725df0b2314d9dfea223c5b3044017992e90d10d608b1471074b730abdf4fd8f
SHA512 13d83599407eccbfbc72176118f51cc0464cc4c68f27ed320a3af6ec9fc3fc27d6d8399a33a5244c109eef043f08c515d3bd3841040d2e09635a5a6dc6e47558

memory/2708-10-0x00000000001D0000-0x000000000029A000-memory.dmp

memory/2708-13-0x00000000001D0000-0x000000000029A000-memory.dmp

memory/2708-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2708-17-0x00000000001D0000-0x000000000029A000-memory.dmp

memory/2708-15-0x00000000001D0000-0x000000000029A000-memory.dmp

memory/2708-18-0x0000000074632000-0x0000000074634000-memory.dmp

memory/2508-23-0x0000000000400000-0x000000000048E000-memory.dmp

memory/2508-24-0x0000000000400000-0x000000000048E000-memory.dmp

memory/2508-25-0x0000000000400000-0x000000000048E000-memory.dmp

memory/2508-30-0x0000000000400000-0x000000000048E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9157.tmp

MD5 e4bf4f7accc657622fe419c0d62419ab
SHA1 c2856936dd3de05bad0da5ca94d6b521e40ab5a2
SHA256 b32fa68b79c5a7ceaa89e8e537efe33a963c499666202611329944bd2c09318e
SHA512 85dc223e39a16ddeba53a4b3d6c9eff14d30ec67dfda1e650da2c9057f640edd033a31868915a31caac0d325d240a7f634f62cd52fbd2adc68bd1d9cb6281431

memory/2804-34-0x0000000000400000-0x0000000000491000-memory.dmp

memory/2804-35-0x0000000000400000-0x0000000000491000-memory.dmp

memory/2804-36-0x0000000000400000-0x0000000000491000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabA1EE.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\TarA201.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

memory/2804-74-0x0000000000400000-0x0000000000491000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9223.tmp

MD5 de4e5ff058882957cf8a3b5f839a031f
SHA1 0b3d8279120fb5fa27efbd9eee89695aa040fc24
SHA256 ef54f46b9f1e342fc12e035ae94f57c61ea4e8be4e116f0a1c6f86310f400f49
SHA512 a6b0d557e9eec4e56630e5ba64495df318f4fd959fffbdcbf77831185b067906917c9117a0ecd6ac817c7860d5d831cce15820d715657d81e2d817d9fab9fb72

memory/2980-77-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2980-78-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpA667.tmp

MD5 3525ea58bba48993ea0d01b65ea71381
SHA1 1b917678fdd969e5ee5916e5899e7c75a979cf4d
SHA256 681bcee53cf679ac674e700136f9229b9184fe60ed6410dbd7a33d462ed13ae2
SHA512 5aad8dca43ec85882daf50c469bd04dcf0b62affc8bc605b3e289496a2679d4d548fea8bb0aea7080bbfbcdcab9d275fc6797b9c95b64f9f97ecf79583a83986

memory/2980-80-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2708-86-0x0000000074632000-0x0000000074634000-memory.dmp

C:\ProgramData\khaxFMfI\2c945db753d341ef9b0f02d75d493749

MD5 ed0124f2edabcd6ff87b61312dee9b47
SHA1 627deb090d4de5985e5e76b84cec23facdb846ba
SHA256 21f2bb3e0ff41148a8708299d8dc5d6bdf6f6f7326de2ab725a2ab323aecd20c
SHA512 1dd511bbe99a930cc7f7a4262d17e1de773f7f5a7d0d6579574f0df3c817c6ea0474c6db91bb672fdb7f760d6976ba4430f4ca0c471432432302ec6f0d84fb4e

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 11:14

Reported

2024-05-15 11:16

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\winmgr119.exe N/A
N/A N/A C:\ProgramData\winmgr119.exe N/A

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook accounts

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe" | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe" | C:\Users\Admin\AppData\Local\Temp\cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe | N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A icanhazip.com N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

NTFS ADS

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Local\Temp\cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe:Zone.Identifier:$DATA | C:\Users\Admin\AppData\Local\Temp\cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe | N/A
File created | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe:Zone.Identifier:$DATA | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe | N/A
File created | C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA | C:\ProgramData\winmgr119.exe | N/A
File opened for modification | C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA | C:\ProgramData\winmgr119.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\ProgramData\winmgr119.exe N/A
N/A N/A C:\ProgramData\winmgr119.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2692 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
PID 2692 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
PID 2692 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
PID 1584 wrote to memory of 1856 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1584 wrote to memory of 1856 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1584 wrote to memory of 1856 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1584 wrote to memory of 1856 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1584 wrote to memory of 1856 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1584 wrote to memory of 1176 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1584 wrote to memory of 1176 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1584 wrote to memory of 1176 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1856 wrote to memory of 3248 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1856 wrote to memory of 3248 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1856 wrote to memory of 3248 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1856 wrote to memory of 3248 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1856 wrote to memory of 3248 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1856 wrote to memory of 3248 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1856 wrote to memory of 3248 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1856 wrote to memory of 2492 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1856 wrote to memory of 2492 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1856 wrote to memory of 2492 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1856 wrote to memory of 2492 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1856 wrote to memory of 2492 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1856 wrote to memory of 2492 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1856 wrote to memory of 2492 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1856 wrote to memory of 1988 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1856 wrote to memory of 1988 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1856 wrote to memory of 1988 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1856 wrote to memory of 1988 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1856 wrote to memory of 1988 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1856 wrote to memory of 1988 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1584 wrote to memory of 1996 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1584 wrote to memory of 1996 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1584 wrote to memory of 1996 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1584 wrote to memory of 4588 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1584 wrote to memory of 4588 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1584 wrote to memory of 4588 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1584 wrote to memory of 4476 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1584 wrote to memory of 4476 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1584 wrote to memory of 4476 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1584 wrote to memory of 4332 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1584 wrote to memory of 4332 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1584 wrote to memory of 4332 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1584 wrote to memory of 1656 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1584 wrote to memory of 1656 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1584 wrote to memory of 1656 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1584 wrote to memory of 2824 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1584 wrote to memory of 2824 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1584 wrote to memory of 2824 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1584 wrote to memory of 4976 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1584 wrote to memory of 4976 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1584 wrote to memory of 4976 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1584 wrote to memory of 2720 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1584 wrote to memory of 2720 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1584 wrote to memory of 2720 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1584 wrote to memory of 1524 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1584 wrote to memory of 1524 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1584 wrote to memory of 1524 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1584 wrote to memory of 1340 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1584 wrote to memory of 1340 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1584 wrote to memory of 1340 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1584 wrote to memory of 5096 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1584 wrote to memory of 5096 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1584 wrote to memory of 5096 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe"

C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe

C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

0

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpAA98.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpAD58.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpADB7.tmp"

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\ProgramData\winmgr119.exe

C:\ProgramData\winmgr119.exe

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\ProgramData\winmgr119.exe

C:\ProgramData\winmgr119.exe

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 88.221.83.232:443 www.bing.com tcp
US 8.8.8.8:53 232.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.185.241:80 icanhazip.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:80 ipinfo.io tcp
US 8.8.8.8:53 smtp.mail.me.com udp
US 17.57.155.28:587 smtp.mail.me.com tcp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 28.155.57.17.in-addr.arpa udp
US 8.8.8.8:53 241.185.16.104.in-addr.arpa udp
US 17.57.155.28:587 smtp.mail.me.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 17.57.155.28:587 smtp.mail.me.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 17.57.155.28:587 smtp.mail.me.com tcp
US 17.57.155.28:587 smtp.mail.me.com tcp
US 17.57.155.28:587 smtp.mail.me.com tcp
US 17.57.155.28:587 smtp.mail.me.com tcp
US 17.57.155.28:587 smtp.mail.me.com tcp
US 17.57.155.28:587 smtp.mail.me.com tcp
US 17.57.155.28:587 smtp.mail.me.com tcp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe

MD5 8361e83ce29232b96d733f7fdd222199
SHA1 7868db4b3c3dcd1194e8ef134e13038590e65207
SHA256 ec0eb87c09d5c94c118be14fe83cd9f7c71650cbf9e87d78b2df6467ac4f39b6
SHA512 d3b508fb544d24cd1485a79a5fd3e96d355d33ab604646f82ea1ecfa48afc9a7a55dec6fddd84b5f91649955cebe68c28ed9f5d4f60a687f2e91fbd5506e81bf

memory/1856-8-0x0000000000A30000-0x0000000000AFA000-memory.dmp

memory/1856-9-0x0000000073BC2000-0x0000000073BC3000-memory.dmp

memory/1856-10-0x0000000073BC0000-0x0000000074171000-memory.dmp

memory/1856-11-0x0000000073BC0000-0x0000000074171000-memory.dmp

memory/3248-15-0x0000000000400000-0x000000000048E000-memory.dmp

memory/3248-16-0x0000000000400000-0x000000000048E000-memory.dmp

memory/3248-17-0x0000000000400000-0x000000000048E000-memory.dmp

memory/3248-22-0x0000000000400000-0x000000000048E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpAA98.tmp

MD5 b0cc2e6f2d8036c9b5fef218736fa9c9
SHA1 64fd3017625979c95ba09d7cbea201010a82f73f
SHA256 997aceeb78143e057d4ea0ed699db3cc1c723f699b4532663b7b85c83baa5c50
SHA512 a1fe80b2971c4d1141a594f27eaea61500bf701cd1b8fbdb5ac2204a63c8ef862344f8c30f65ce769f0acf2b0718ed33a02744dd1a152c4a62a5318333d29b9b

memory/2492-26-0x0000000000400000-0x0000000000491000-memory.dmp

memory/2492-30-0x0000000000400000-0x0000000000491000-memory.dmp

memory/1988-34-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpAD58.tmp

MD5 de4e5ff058882957cf8a3b5f839a031f
SHA1 0b3d8279120fb5fa27efbd9eee89695aa040fc24
SHA256 ef54f46b9f1e342fc12e035ae94f57c61ea4e8be4e116f0a1c6f86310f400f49
SHA512 a6b0d557e9eec4e56630e5ba64495df318f4fd959fffbdcbf77831185b067906917c9117a0ecd6ac817c7860d5d831cce15820d715657d81e2d817d9fab9fb72

memory/2492-28-0x0000000000400000-0x0000000000491000-memory.dmp

memory/2492-27-0x0000000000400000-0x0000000000491000-memory.dmp

memory/1988-37-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1988-35-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpADB7.tmp

MD5 3525ea58bba48993ea0d01b65ea71381
SHA1 1b917678fdd969e5ee5916e5899e7c75a979cf4d
SHA256 681bcee53cf679ac674e700136f9229b9184fe60ed6410dbd7a33d462ed13ae2
SHA512 5aad8dca43ec85882daf50c469bd04dcf0b62affc8bc605b3e289496a2679d4d548fea8bb0aea7080bbfbcdcab9d275fc6797b9c95b64f9f97ecf79583a83986

memory/1856-41-0x0000000073BC2000-0x0000000073BC3000-memory.dmp

memory/1856-42-0x0000000073BC0000-0x0000000074171000-memory.dmp

memory/1856-43-0x0000000073BC0000-0x0000000074171000-memory.dmp

C:\ProgramData\winmgr119.exe

MD5 9bf3c49aa8d5d7011adaab003d656644
SHA1 4d93749808d8a8f2618d7d163f5a3c5de292f02e
SHA256 e383de0680963a52877eb1596788e951068d5620f7d2fd5f95d7020c5dc0df9e
SHA512 ec2d2458034a488d41689c4d7a2c7746e2eb5127ca19833a292f1815284c0c5b6acb30dacb8c54ebc378c151d7e07d65709837b2d2cf31921bda7f92046998a7

C:\ProgramData\khaxFMfI\2c945db753d341ef9b0f02d75d493749

MD5 6c2a4bf975328060d16847051806715c
SHA1 36d15b081a52240bb8d8eb73b3a28d9a1a1f9dab
SHA256 8edfbbb65d300eeda13fb22735a237a959451d96635a6cb31f1f7041f4363668
SHA512 ea40ab3be267025a04807923f876fe3c6025200d3f22d4d567d12f520f51a427d3131542a96e62c50ec4c952140f5b1f0f6e0cc3391b1e3c2c6c4ba2042cf0e8