Malware Analysis Report

2025-06-15 20:06

Sample ID 240515-nwaptsga36
Target d05c3fed6935d824e2f431b7a0287c60_NeikiAnalytics
SHA256 35d552cdd668999d6c36a29fac800769f58012f333d88017e9b967ee3ef79ed2
Tags
upx spyware stealer
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256 35d552cdd668999d6c36a29fac800769f58012f333d88017e9b967ee3ef79ed2

Threat Level: Shows suspicious behavior

The file d05c3fed6935d824e2f431b7a0287c60_NeikiAnalytics was found to show suspicious behavior.

Malicious Activity Summary

upx spyware stealer

UPX packed file

Reads user/profile data of web browsers

Drops file in Program Files directory

Executes dropped EXE

Loads dropped DLL

Program crash

Unsigned PE

Enumerates physical storage devices

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-05-15 11:44

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-15 11:44

Reported 2024-05-15 11:46

Platform win7-20231129-en

Max time kernel 119s

Max time network 135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d05c3fed6935d824e2f431b7a0287c60_NeikiAnalytics.exe"

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC78EDB26\setup-stub.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value not present on the page) | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7BEEDB11-12B0-11EF-BEA9-FE29290FA5F9} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000f7ec0e70cce9f4081e5d04456a4264100000000020000000000106600000001000020000000e11ce7850e1cd1244572f2098928db42ee3dccac58aa98bfa9cdb817bcd7a831000000000e800000000200002000000020c6b64f3ac78329ba11369925e7e81e33ebd2b583716d37c9e7a57b3f73817820000000572321ea2bdf790c2196a04590b51a8824541d2f3132355f298a9346da2c02734000000083de7462bba3e706df0644a6ef9034aaf76c06f0d7b35f4c90110a10d3d964d3e7a2aebc3e7775cf48a39229d972b8dc3ab0080db50b4d8b9c8371d7a1026f54 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80bc9452bda6da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "421935335" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2172 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\d05c3fed6935d824e2f431b7a0287c60_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\7zSC78EDB26\setup-stub.exe
PID 2172 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\d05c3fed6935d824e2f431b7a0287c60_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\7zSC78EDB26\setup-stub.exe
PID 2172 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\d05c3fed6935d824e2f431b7a0287c60_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\7zSC78EDB26\setup-stub.exe
PID 2172 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\d05c3fed6935d824e2f431b7a0287c60_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\7zSC78EDB26\setup-stub.exe
PID 2172 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\d05c3fed6935d824e2f431b7a0287c60_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\7zSC78EDB26\setup-stub.exe
PID 2172 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\d05c3fed6935d824e2f431b7a0287c60_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\7zSC78EDB26\setup-stub.exe
PID 2172 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\d05c3fed6935d824e2f431b7a0287c60_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\7zSC78EDB26\setup-stub.exe
PID 2352 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC78EDB26\setup-stub.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2352 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC78EDB26\setup-stub.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2352 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC78EDB26\setup-stub.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2352 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC78EDB26\setup-stub.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2140 wrote to memory of 2576 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2140 wrote to memory of 2576 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2140 wrote to memory of 2576 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2140 wrote to memory of 2576 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\d05c3fed6935d824e2f431b7a0287c60_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\d05c3fed6935d824e2f431b7a0287c60_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC78EDB26\setup-stub.exe

.\setup-stub.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.mozilla.org/firefox/system-requirements/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2140 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.mozilla.org | udp
US | 8.8.8.8:53 | www.mozilla.org | udp
NL | 108.156.69.115:443 | www.mozilla.org | tcp
NL | 108.156.69.115:443 | www.mozilla.org | tcp
US | 8.8.8.8:53 | www.microsoft.com | udp
US | 8.8.8.8:53 | www.microsoft.com | udp
NL | 108.156.69.115:443 | www.mozilla.org | tcp
NL | 108.156.69.115:443 | www.mozilla.org | tcp
NL | 108.156.69.115:443 | www.mozilla.org | tcp
NL | 108.156.69.115:443 | www.mozilla.org | tcp
US | 8.8.8.8:53 | pki.goog | udp
US | 8.8.8.8:53 | pki.goog | udp
US | 216.239.32.29:80 | pki.goog | tcp
US | 216.239.32.29:80 | pki.goog | tcp
US | 8.8.8.8:53 | region1.google-analytics.com | udp
US | 216.239.32.36:443 | region1.google-analytics.com | tcp
US | 216.239.32.36:443 | region1.google-analytics.com | tcp
NL | 23.62.61.185:80 | www.bing.com | tcp
NL | 23.62.61.185:80 | www.bing.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

memory/2172-0-0x0000000000400000-0x0000000000446000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSC78EDB26\setup-stub.exe

MD5 4a8f61f7a57d35412e1432ecd3e17dfd
SHA1 470e537ee7b443437c70e3add089acb2ff17c379
SHA256 c21143d1784a88c88f66465e33d1ff0cb447b92511bf4109c5c4ead6e1e0b797
SHA512 4687820dc9ac6d6836efde9dbe4a0a61d8b4b059fdaabeda0aafced2273b2a278c9bde8154c68edc692c988f294d11ac12f9ee186d45fe80317971d0804841f8

\Users\Admin\AppData\Local\Temp\nso86B.tmp\System.dll

MD5 b361682fa5e6a1906e754cfa08aa8d90
SHA1 c6701aee0c866565de1b7c1f81fd88da56b395d3
SHA256 b711c4f17690421c9dc8ddb9ed5a9ddc539b3a28f11e19c851e25dcfc7701c04
SHA512 2778f91c9bcf83277d26c71118a1ccb0fb3ce50e89729f14f4915bc65dd48503a77b1e5118ce774dea72f5ce3cc8681eb9ca3c55cf90e9f61a177101ba192ae9

memory/2172-18-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar2A41.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1f275535452957f9878cd91460887455
SHA1 fa21c10e56085bae29c5b066b38aa3da59f54127
SHA256 4c74c64766def760e1d32299a0cbf480de13b18301739a6cff9b4b523114cb44
SHA512 def309300b696cc061042a237b3280f036cd6fc3d69fe8e54ed4a3d5f5784af6925902229fce21260e34a31764339e7c24dda7c7e16e323688a2cd905716d0c6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a3d3fb9caa1f64428bb625c14a6507a9
SHA1 55247072f08054646f9f6b48a055864dbab0f20b
SHA256 35600814684a5e3bf45a0af5b5da46f47d3f6178d160e791954f0d4e9d6d28bf
SHA512 b04d2a31f8377a75d58344a6a78622569e9ddbc33d96d277c1e5d98eb99b236388c97a34a7233001551687b5c96ceeff71b6e5740a63c06b8d9155dd26310d15

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ee4161c80b0ae775a3a4df335324c029
SHA1 5261791fe0a8c23f26296b2fee0e35f655832f72
SHA256 408acd6ab0213887195eccbc11b5f774480afb949635da5091987518a721c7e9
SHA512 3aba2a5b6dfad13d54bed02e413a635d7f52d923f02e54519a967a512927a685f02b8de6cb2d38260daa4065e8470245315826f0a67a35b46045a2c9a9103d31

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

MD5 55540a230bdab55187a841cfe1aa1545
SHA1 363e4734f757bdeb89868efe94907774a327695e
SHA256 d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512 c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eac695eff44bb8b14100b78c8ee5fc01
SHA1 4f45ee55f94c3fb8ac5af83b223b50b9d23eddf7
SHA256 ce1d98c78ab12d5717f6baf2c3713a478f2e4f236bf626d6a356dbbbf0e40368
SHA512 02ecd95f21533007b1f4c9c43345fc060555dcdd4d5a9602ebbcdd8ac96b969bae1dd941f67f28e2fb18134a81bebf04167c89b8190bb4bd992008e5d06efef0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 40d17c56a737cb23ac9edc40555ed080
SHA1 f8d8a7a7dad5f4b23052fcb7a5ab337c6cd9d78a
SHA256 660ea78954b127e8a97bbb51ec2a814efb8fef7d9c1c06e802b028df67590654
SHA512 440a17dad4b3577053ede54c2ae50af3b25fd8d81a4905370b46844e50d2469989ba0f3b243f11b608f7a4738434c3df82da6abe00e506c51d28bf225b2f1802

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9a5e165ef86d849dbd5d8fa565f38b9e
SHA1 6f15e694d709d0202241feb3d4cc29f4d28620a9
SHA256 fbc3a69d5bee7b631e8909998983df1cfb9a9fd55be1f72d3fe948b1204f692f
SHA512 03b87587297ecd4a4f2d6814b4547ba66066fb777c23ceb5ae1ed724f6751ced2106bf05a325138b373f8e54fcf1f54e31c92238eb2f73634308d4b2ec742332

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 35258b74c3067af393bc4cd53b7be1a9
SHA1 7d06b24be939276d43d75b51add1599e10dee09e
SHA256 6d3876bcb8547d92caf47b0560c44af983c192cdc98bbeda031da2ad086f8133
SHA512 c679359e527c1c9c606eb5f01a1046289045c69dfecb9d81525f7913dbaf74187acb50330e5797019409a59113d8253f3ee70caf206a9d302f28e4b90a842277

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a3318ec3ffaec58e571a135b72892073
SHA1 8a9618970507edf778580e9d5c8cb520730c31d7
SHA256 321fdc4fc416139825847eee0c367b59ffe8839b0698f8ebe57c0391b76edcd9
SHA512 eff1cc4847bd6085107c68cbf28b2c58f5609edd079ba6c8f9f73cb518b225b6b6660137d540f3aaf77532c302059be639a4f961a630f9464d7c11405ebf6a59

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y1VMXRDD\favicon-196x196.59e3822720be[1].png

MD5 59e3822720bedcc45ca5e6e6d3220ea9
SHA1 8daf0eb5833154557561c419b5e44bbc6dcc70ee
SHA256 1d58e7af9c848ae3ae30c795a16732d6ebc72d216a8e63078cf4efde4beb3805
SHA512 5bacb3be51244e724295e58314392a8111e9cab064c59f477b37b50d9b2a2ea5f4277700d493e031e60311ef0157bbd1eb2008d88ea22d880e5612cfd085da6d

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\s8rbov0\imagestore.dat

MD5 87f6486236cc4c9acf47f21e8002d8b3
SHA1 5fa65796bbe3a279f858120bc1ffd189ea5ffd9f
SHA256 4ae07eaa4a762b60d379da261fba77c1d900523712c33a3d03273101356d5d3b
SHA512 cf41c42ef163d1ed0df0908d55ee02fa2b1f137b1abba38ce5fb17306e434c853a76a1ffe0dcf957bccb429a47992a299b0307f5dcd9c9070c3b2ece4f744e69

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3ebcfdcb584801f4edae370f6ec35e1f
SHA1 d821e0ca26ff65fc09d0bba714dd5553d0a57127
SHA256 c08f8864f158239280b704052ec22c000e6de67b3779a8990c12caa7ff9d4c06
SHA512 5c7afd85ab09b412d676fc52761ce8502c3df84e116d04ee2943778892d4f94733b4249b2df6eb9cee4ecbc9877d67bc9a77e0b4db9be1bfc8ddb2339a64ab9c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 895e5e4de734bc4b58e9e254b6e882cc
SHA1 ae40ac7f644ce14c2dda7062243b2d7cef3f4b37
SHA256 b1a8fa56c19b1489fc094f3ec84076028e7a0589146877608fe57206df6a372d
SHA512 0bd0da4ceec1181484e72fb65b116dafde337b467f8f118f3c8397b2978524e58c805ef18e0c3935bbcaf720c6b52706132a898909ae48e58cfbda6d7f048ba2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8a93fc4404c61b464b75783eb87f3665
SHA1 5199f17962e9ed606626baa1f7ce578f7cc05636
SHA256 4c9de802ce987a0f72ee77ac50beaf678bdc384ed2ff148503ad6619097a4316
SHA512 435ea3de2d1cfcd104d78c778e5cfc26816563f44510c5a832bb6caad36904a8b0a16a4dfc1b195f3782ee4dbd018c005f5f50f30d0031f0be9e44156baed6f2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e54a0119d13395cf4f69cea4c7eef9fd
SHA1 e10e559fe03eb4435c864ebca0b59f57ccfb698d
SHA256 9fcea3e845a112afc18beb23b6d3aede1e959ad7167a1e3db5b020c859c1f658
SHA512 3a7dbc37240bac3ceef1bc11d3fc95177a4269df72b902bf4831597fbc91e77d7499807ae0369bf439a86b88b498df7ed2220d4287b0fcc64897b1112ef5ed4b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6a0b7ce511c09c730514e07029b98eb7
SHA1 868836a72d3cd88a5c43a7801fd0cbc49c52cf42
SHA256 fd4b99a6b385fbb8f6ff43edb342a24fc6566a16633d76f6867dc89453d2c46d
SHA512 77d2a71e78dd060d0199bed8d4609f270cf681e1fc1be7efe1563ced072f59332bd98b5e48ab2047ada24a984f1bc9bf56fb44e71115f81e75ce9abe3e5e8300

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 96ececd6155dc91ca6c89603df2bfa48
SHA1 4c5142bda66468e47089592593a321a53b077e52
SHA256 a3327bfb89afefc589878326f14196fd7c5f5c0ea7909cb57199fb5f66772211
SHA512 f2c88fc2efbc565d00d5028ed1444a506866c443bcc409bc470c5ed2e0ccaaf6ded7cb65bffa738f6e0793e87a9b070dad5547f2b4c37462bba666f944950a8a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a599f80229b545920e38dc0ceed91e88
SHA1 5af05e708d894d0cf4fdb3a5933ee3c934d5f78f
SHA256 a81e19c0ce1289484af81018802f8d915fb7a7a2b2d752935f634405ab7ccec8
SHA512 c2fdfd48257cad8c2db1daa77bd1e1d83fe2baa0fbd25d830d410285f506fdf1ffeb848cbec1265d1200a258e84772c3415aa123a6ccfd7ddbe84df2c9688792

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d40e8825e66433c12af58639a592c127
SHA1 7e3eabebab1408a8e5163c215ebeed955ef9a949
SHA256 c8cd5626232b95398d14ae4d4af26a6642e898c1a2b2237cffc5ab0d6d20cbbd
SHA512 580e513f79c096692906fc5832b39693e1bd202026886f8eed77aa335b5a086a5ae978160b464cda62f3c3a14bb774e5b311378f6e9c6ff3f8f41a4eec0b1b30

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7874629581cf374bee00e89dba41ad7f
SHA1 fed3e8c3b2a4b0a551061ed019a797c40fc86d7a
SHA256 0d810af1b25cb4f1f716d1e47e179ceeb5e752df044e11b114a413a09d86cc1e
SHA512 f250dd0a31f59a418d953851cae101ffee9f928a27135e5ed7eb7bee65e8d369f6fad0b2631656e59ebe6b11dc81e2d189ae135d23e65dc458dac1c7b1605392

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 f8bb6c81147c5f82090fbeea5e786e52
SHA1 98dab6973b3a61f98e2482209053d9e7a812c769
SHA256 79972985811f8f59f9020309425cc8839e9e704c87127da994d671f5386597c5
SHA512 70ebd926212629bbab3ff17838cb1e38cf932d218df835fb86e5fed817e84ce2e94da65531ac091983f253b81c873eb425920159a3949afdfe8e24425912f2c2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b1a39bda2bf506e545d81ecaa7edf15c
SHA1 831dd0ebb6aadb9f67bf9732f3124593dd1b0913
SHA256 f65f9ad35db725da15d89b56d05b630961478e5f56ac20c6bae58c5a2d63606c
SHA512 092acf607f9db367d45ca94fe56e15d98faa6cef5529bb6b95cc2b2e0e9ed4db1d860de79621f794b2cd062e5ba4018fc3def892a9bbb1b98a57781487c476a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1cd033351c98e462770df185af652890
SHA1 119bf60f8a8fab7c58324223a3276cc15aee254e
SHA256 4ed9f120ca885e701e9f70fd31349a38e16f0ce90ed79aa490f6f1eada17743f
SHA512 5e3957e320a500cfa74aed74c0730d43b5c8ee0aae7fb8d39582634313741afca6166c3c07b5ecea9b17d8ddfad1ea8de5df88ccfa93ce5d4b12f8aebcbfb8df

C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

MD5 da597791be3b6e732f0bc8b20e38ee62
SHA1 1125c45d285c360542027d7554a5c442288974de
SHA256 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
SHA512 d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6d56fa71bfc974ca84be4d47b6d5563b
SHA1 2ed8e0acedb1aae194e591147e40df2557b422d4
SHA256 6df8fa603146666a2dfcc718a3ff5252ee780a05003567c4bba726320e54499c
SHA512 92bb127d9513cfd5474ec1f9676fa677e8d972c0f5bd389a97560900034bfb15a585eec9d6ec6a40464452ee4b255c086191326d695210565103169f979597a6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 56260626f017363d00660b344929ea53
SHA1 46f166b8c468feca1e37fdbe5fe9dd9c95c1b8e5
SHA256 ce217236b9f0eb1abafbd7c56658eff71dadb0eb0e0dd1e003f907734ae36738
SHA512 41f4b84e38744def6c97d4fc9bbcc54489d1098ec021c5a935e356c3605a6ba03a46f14d93c00b286832e0cf405905da79ce4b6aee96e8a481bad72bc20c9b41

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 65d0dcac928b6438b7264749f72d2555
SHA1 7518e20a12d72201385e0fb5503af39bcf1965ef
SHA256 942a34e951bb51bdf5b1203f02fb1cf1dc3b1515858c51e4f3f038de6b1be03f
SHA512 b46ae7b798447dac36ae261cb3121b3cac6da870d751c178a52abe745fb2109bf4e85668be366dc524547aeae8ad1cafd370be2925c67f51e9ee0122263f7155

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 85b101bc87036d15a28a2636fb654fcb
SHA1 58b3bfd88f2d96dcc879953796ed01ff34311588
SHA256 e9d17d71bad6e7b741d2b74eee14684999f88cd69d6f5a85c328a77c736a3b66
SHA512 78bb2f0d965e9e9dac389469232f2fd9ee549bc3c3853d08bdf2b743e793853f7f955388f403275c6b479fd4a210565a47726935a1e7b1364c5873e36c0f1e06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 037a8e31c534d5a3fbae35dfb13ceb09
SHA1 47b59e2e051b04fa1d94309ae2a2f75aaedb575c
SHA256 f89dd1b7511b769f26eaeaeb47e97392d05e64fc73df6168cac77612aa01cc36
SHA512 8db35bd2ab72e9d3172b9b6331b4df86ab9b4433e1f08b4f928c87b41f60714da2edbcb3b238ebea02573123cc57fe142c2149699fa69a1c068b724fd2e4e725

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e0221ce8c65c4478e6628ef6c5ef23b4
SHA1 317159496df06fa6a5a79925220876dfbfbcd88e
SHA256 ea7c68343d1f5165ba20b2b2f6035ff3bc786237645144f2079a78fd8d23d35d
SHA512 0503c9cddea87ea8cc03827de67a508644000b1e05d061708a34e2f3fc9d412713ef1d64d35cadbf9d68f8ff6d53ec437656addde28a29d0aefc9877d2af8711

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2e8d41b7631b854cccc8c8b779c336ba
SHA1 ab869f12ba5d5b26a47e5003351fda532200a5d1
SHA256 b0d6603185f98f98ed4a62b2b6cfa9651b97be3215ebdca13e07a6f3fe5f3697
SHA512 64bc31eff77178d4dbcb4d4d07a8679a562fc0b61fc4be03705d1de89a4de963fae0d939246ec82092c3c9dfd676144975f90bca4fb0be008173e0fa5f35d001

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3c37140dc03e53f1fdd0d71feff0a2ee
SHA1 ba5bfcea35e4409c92088ce8c0b5a5ba3b5c22f8
SHA256 849a587ce3d9c6081bda98b7249013207f880c7fca5598878337a11b2a1d4143
SHA512 23d2af50b7a90aa7bb7fa2e5ecb877caaf0cf3d17dcf21fcc60e602df6159b942bb02671857f9abeff8055eb44929513748474e5f4a2dd547ccf62483f7ea44d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e5c3a4f2b050b1921f762c6ee361440a
SHA1 6f1b5f21171c692cfc9e7bd200b488c4b52151c6
SHA256 a235fa49ddbc07b146ef573fc3445847798533874742d35d9d7176ad622319b0
SHA512 a28b17228cde3c59d67bac06372fc4c3bc149c568a792a13941c971c179f01b3765529b524ac400506443ff7f4e2bc59221d7ac1c937f4e75913807d7bb8e69c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 37978643ab429f7ed8f3beb5c2a41a94
SHA1 302b6f7a23655682e7eeb3eb38034471076ec288
SHA256 dd2a64b71d0c5015b28ff2020a4ab9b7ace7f5b7c4b034fe6de330745f1b71e3
SHA512 ae4d965e84b2ffd53d631706e963a441026f05ef31ac504c3d3c8cdb264aec6f515c4499d186b1715c3af59f5ed8d76ed08a40866fb6c46456b246a26aca5d65

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-15 11:44

Reported 2024-05-15 11:46

Platform win10v2004-20240426-en

Max time kernel 136s

Max time network 146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d05c3fed6935d824e2f431b7a0287c60_NeikiAnalytics.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Mozilla Firefox\nsk791C.tmp | C:\Users\Admin\AppData\Local\Temp\7zS453C3B47\setup-stub.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\nsk791D.tmp | C:\Users\Admin\AppData\Local\Temp\7zS453C3B47\setup-stub.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\nsk791C.tmp\ | C:\Users\Admin\AppData\Local\Temp\7zS453C3B47\setup-stub.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\nsk791A.tmp | C:\Users\Admin\AppData\Local\Temp\7zS453C3B47\setup-stub.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\nsk791B.tmp | C:\Users\Admin\AppData\Local\Temp\7zS453C3B47\setup-stub.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\nsk791A.tmp\ | C:\Users\Admin\AppData\Local\Temp\7zS453C3B47\setup-stub.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS453C3B47\setup-stub.exe | N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS453C3B47\setup-stub.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS453C3B47\setup-stub.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d05c3fed6935d824e2f431b7a0287c60_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\d05c3fed6935d824e2f431b7a0287c60_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\7zS453C3B47\setup-stub.exe

.\setup-stub.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3520 -ip 3520

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 2516

Network

Country Destination Domain Proto
US 8.8.8.8:53 product-details.mozilla.org udp
NL 18.239.94.78:443 product-details.mozilla.org tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 78.94.239.18.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 115.61.156.108.in-addr.arpa udp
US 8.8.8.8:53 80.41.65.18.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 131.253.33.237:443 g.bing.com tcp
NL 23.62.61.57:443 www.bing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 57.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 237.33.253.131.in-addr.arpa udp
NL 23.62.61.57:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/4948-2-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS453C3B47\setup-stub.exe

MD5 4a8f61f7a57d35412e1432ecd3e17dfd
SHA1 470e537ee7b443437c70e3add089acb2ff17c379
SHA256 c21143d1784a88c88f66465e33d1ff0cb447b92511bf4109c5c4ead6e1e0b797
SHA512 4687820dc9ac6d6836efde9dbe4a0a61d8b4b059fdaabeda0aafced2273b2a278c9bde8154c68edc692c988f294d11ac12f9ee186d45fe80317971d0804841f8

C:\Users\Admin\AppData\Local\Temp\nsp78EA.tmp\System.dll

MD5 b361682fa5e6a1906e754cfa08aa8d90
SHA1 c6701aee0c866565de1b7c1f81fd88da56b395d3
SHA256 b711c4f17690421c9dc8ddb9ed5a9ddc539b3a28f11e19c851e25dcfc7701c04
SHA512 2778f91c9bcf83277d26c71118a1ccb0fb3ce50e89729f14f4915bc65dd48503a77b1e5118ce774dea72f5ce3cc8681eb9ca3c55cf90e9f61a177101ba192ae9

C:\Users\Admin\AppData\Local\Temp\nsp78EA.tmp\UAC.dll

MD5 d23b256e9c12fe37d984bae5017c5f8c
SHA1 fd698b58a563816b2260bbc50d7f864b33523121
SHA256 ec6a56d981892bf251df1439bea425a5f6c7e1c7312d44bedd5e2957f270338c
SHA512 13f284821324ffaeadafd3651f64d896186f47cf9a68735642cf37b37de777dba197067fbccd3a7411b5dc7976e510439253bd24c9be1d36c0a59d924c17ae8e

C:\Users\Admin\AppData\Local\Temp\nsp78EA.tmp\UserInfo.dll

MD5 610ad03dec634768cd91c7ed79672d67
SHA1 dc8099d476e2b324c09db95059ec5fd3febe1e1e
SHA256 c6c413108539f141bea3f679e0e2ef705898c51ec7c2607f478a865fc5e2e2df
SHA512 18c3c92be81aadfa73884fe3bdf1fce96ccfbd35057600ef52788a871de293b64f677351ba2885c6e9ce5c3890c22471c92832ffc13ba544e9d0b347c5d33bfd

C:\Users\Admin\AppData\Local\Temp\nsp78EA.tmp\CityHash.dll

MD5 2021acc65fa998daa98131e20c4605be
SHA1 2e8407cfe3b1a9d839ea391cfc423e8df8d8a390
SHA256 c299a0a71bf57eb241868158b4fcfe839d15d5ba607e1bdc5499fdf67b334a14
SHA512 cb96d3547bab778cbe94076be6765ed2ae07e183e4888d6c380f240b8c6708662a3b2b6b2294e38c48bc91bf2cc5fc7cfcd3afe63775151ba2fe34b06ce38948

C:\Users\Admin\AppData\Local\Temp\nsp78EA.tmp\InetBgDL.dll

MD5 97c607f5d0add72295f8d0f27b448037
SHA1 dfb9a1aa1d3b1f7821152afaac149cad38c8ce3c
SHA256 dc98ed352476af459c91100b8c29073988da19d3adc73e2c2086d25f238544a5
SHA512 ad759062152869089558389c741876029198c5b98fa725e2d2927866dc8b416ae2de871cb2479f614f6d29b6f646bf7191d02837c3cabc15b8185b563bc46268

C:\Users\Admin\AppData\Local\Temp\nsp78EA.tmp\WebBrowser.dll

MD5 b53cd4ad8562a11f3f7c7890a09df27a
SHA1 db66b94670d47c7ee436c2a5481110ed4f013a48
SHA256 281a0dc8b4f644334c2283897963b20df88fa9fd32acca98ed2856b23318e6ec
SHA512 bb45d93ed13df24a2056040c219cdf36ee44c8cddb7e178fdaabcec63ac965e07f679ca1fa42591bba571992af619aa1dc76e819a7901709df79598a2b0cef81

C:\Users\Admin\AppData\Local\Temp\nsp78EA.tmp\profile_cleanup.html

MD5 1cb97b5f8c5f2728b26742d1d0669899
SHA1 bb5ab1b8c00810fcb18184a996573c5accdc72c3
SHA256 dec82e9caa154300e1aa44f550c16b455a2025be4fb1c3155cb75fe04a6b6611
SHA512 768ed2b070485f3bbcf457aefdc0ef8f1737ad8ac4a2703e2feaff424f9a2c69a2f5928a3be898932ef4976a44ea829a099d090bd9941a24d045d5c8ac8b7b43

C:\Users\Admin\AppData\Local\Temp\nsp78EA.tmp\stub_common.js

MD5 efce3dce0165b3f6551db47e5c0ac8d6
SHA1 1e15f6bb688e3d645092c1aa5ee3136f8de65312
SHA256 dab39cbae31848cce0b5c43fddd2674fef4dea5b7a3dacdaabdc78a8a931817e
SHA512 cec12da07f52822aaed340b1b751153efa43e5c3d747fa39f03bb2800bf53e9416020d654a818a6088acb2cf5581714433d818537f04af150e6bfb6861c03988

C:\Users\Admin\AppData\Local\Temp\nsp78EA.tmp\profile_cleanup.js

MD5 d845e8f4c0edb3cab17e6a30090ac5b8
SHA1 654f058570f0868f0acc5f0595147f3385a9c265
SHA256 1adcfdd9768242c6c639b10e4f0bcda24f6a957a169c1dede265e40336ecbd4f
SHA512 401d800c484b74401b90c3285d8b6cc0018baf4979d6ec7bb174f7810d3f60adfa6b4cebeafcee20d5a7c3597447f755af19c5fecf1863e2438fe427dbdf9fed

memory/4948-75-0x0000000000400000-0x0000000000446000-memory.dmp