Malware Analysis Report

2025-01-22 12:25

Sample ID 240516-shdxjsad88
Target e27b28d9b047458a493ffda01bebeef0_NeikiAnalytics
SHA256 3f3c8a2b9d1298a72c337887bfe68d66aeecdb9c3ca72dc7f9550f702c31f03f
Tags
aspackv2 bootkit persistence spyware stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

3f3c8a2b9d1298a72c337887bfe68d66aeecdb9c3ca72dc7f9550f702c31f03f

Threat Level: Likely malicious

The file e27b28d9b047458a493ffda01bebeef0_NeikiAnalytics was found to be: Likely malicious.

Malicious Activity Summary

aspackv2 bootkit persistence spyware stealer

Blocklisted process makes network request

Checks computer location settings

ASPack v2.12-2.42

Deletes itself

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Writes to the Master Boot Record (MBR)

Enumerates connected drives

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 15:07

Signatures

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 15:07

Reported

2024-05-16 15:09

Platform

win7-20240508-en

Max time kernel

129s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e27b28d9b047458a493ffda01bebeef0_NeikiAnalytics.exe"

Signatures

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | \??\c:\ettmtcigc.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\ettmtcigc.exe | N/A
N/A | N/A | C:\wiseman.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wiseman = "C:\\wiseman.exe" | C:\wiseman.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\skkmkldhn\\rvkmwvg.dll\",GetWindowClass" | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\m:, \??\s:, \??\u:, \??\w:, \??\g:, \??\t:, \??\y:, \??\a:, \??\e:, \??\j:, \??\o:, \??\x:, \??\p:, \??\q:, \??\b:, \??\h:, \??\i:, \??\k:, \??\l:, \??\n:, \??\r:, \??\v:, \??\z: (23 drive letters probed in this order; every letter except c:, d: and f:) | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PHYSICALDRIVE0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e27b28d9b047458a493ffda01bebeef0_NeikiAnalytics.exe | N/A
N/A | N/A | \??\c:\ettmtcigc.exe | N/A
N/A | N/A | C:\wiseman.exe | N/A
N/A | N/A | C:\wiseman.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2116 wrote to memory of 1932 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\e27b28d9b047458a493ffda01bebeef0_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 1932 wrote to memory of 2080 (4 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1932 wrote to memory of 2604 (4 events) | N/A | C:\Windows\SysWOW64\cmd.exe | \??\c:\ettmtcigc.exe
PID 2604 wrote to memory of 1252 (7 events) | N/A | \??\c:\ettmtcigc.exe | \??\c:\windows\SysWOW64\rundll32.exe
PID 1252 wrote to memory of 1240 (4 events) | N/A | \??\c:\windows\SysWOW64\rundll32.exe | C:\wiseman.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e27b28d9b047458a493ffda01bebeef0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\e27b28d9b047458a493ffda01bebeef0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\ettmtcigc.exe "C:\Users\Admin\AppData\Local\Temp\e27b28d9b047458a493ffda01bebeef0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\ettmtcigc.exe

c:\ettmtcigc.exe "C:\Users\Admin\AppData\Local\Temp\e27b28d9b047458a493ffda01bebeef0_NeikiAnalytics.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\skkmkldhn\rvkmwvg.dll",GetWindowClass c:\ettmtcigc.exe

C:\wiseman.exe

"C:\wiseman.exe"
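Two things in this process tree are worth turning into detections: the cmd.exe one-liner that delays with a loopback ping and then starts the dropped copy (c:\ettmtcigc.exe) with the original sample's path as its argument (the relocation step behind the "Deletes itself" signature), and the rundll32.exe call of an export (GetWindowClass) from a DLL in a randomly named directory, the same command that is written to the EvtMgr Run value in the signatures above. The following is an added example and not part of the sandbox report: the events are constructed from the command lines and Run values shown here, the root's parent PID is a placeholder, and the trusted DLL roots are an assumption to tune locally. The chain detector also covers the common `& del "<path>"` self-delete variant, which this sample does not use.

```python
"""Detection logic for two behaviours in this report: the cmd.exe relocation and
self-delete chain (loopback ping as a delay, then the dropped copy is started with
the original path as its argument) and Run-key persistence via rundll32 with an
export name. Added example: events are constructed from the report, not captured."""
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


ORIG = r"C:\Users\Admin\AppData\Local\Temp\e27b28d9b047458a493ffda01bebeef0_NeikiAnalytics.exe"

# Constructed process-creation events; PIDs and command lines come from behavioral1,
# the root's parent PID (0) is a placeholder.
EVENTS = [
    Proc(2116, 0, ORIG, f'"{ORIG}"'),
    Proc(1932, 2116, r"C:\Windows\SysWOW64\cmd.exe",
         f'cmd.exe /c ping 127.0.0.1 -n 2&c:\\ettmtcigc.exe "{ORIG}"'),
    Proc(2604, 1932, r"c:\ettmtcigc.exe", f'c:\\ettmtcigc.exe "{ORIG}"'),
    Proc(1252, 2604, r"c:\windows\SysWOW64\rundll32.exe",
         r'c:\windows\system32\rundll32.exe "c:\skkmkldhn\rvkmwvg.dll",GetWindowClass c:\ettmtcigc.exe'),
    Proc(1240, 1252, r"C:\wiseman.exe", r'"C:\wiseman.exe"'),
]

# The two Run values as they sit in the registry (the report shows escaped backslashes).
RUN_VALUES = {
    "Wiseman": r"C:\wiseman.exe",
    "EvtMgr": r'c:\windows\SysWOW64\rundll32.exe "c:\skkmkldhn\rvkmwvg.dll",GetWindowClass',
}

PING_DELAY = re.compile(r"\bping(?:\.exe)?\s+(?:-n\s+\d+\s+)?127\.0\.0\.1\b", re.I)
RUNDLL32 = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\S+)', re.I)
TOKEN = re.compile(r'"([^"]*)"|(\S+)')
# Assumption: DLLs under these roots are expected rundll32 targets; tune for your estate.
TRUSTED_DLL_ROOTS = ("c:\\windows\\", "c:\\program files")


def split_commands(cmdline):
    """Split a cmd.exe one-liner on unquoted '&' (also covers '&&')."""
    parts, buf, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        if ch == "&" and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def tokens(command):
    """Windows-style tokenizer: a quoted string is one token, quotes stripped."""
    return [q if q else w for q, w in TOKEN.findall(command)]


def find_relocation_chains(events):
    """(cmd_pid, follow-on command, parent image) for each cmd.exe that delays with a
    loopback ping and then runs a dropped EXE or 'del' against its parent's own image."""
    by_pid = {p.pid: p for p in events}
    hits = []
    for p in events:
        if not p.image.lower().endswith("cmd.exe") or p.ppid not in by_pid:
            continue
        parent = by_pid[p.ppid]
        cmds = split_commands(p.cmdline)
        if not cmds or not PING_DELAY.search(cmds[0]):
            continue
        for cmd in cmds[1:]:
            toks = tokens(cmd)
            if not toks:
                continue
            head = toks[0].lower()
            if (head.endswith(".exe") or head == "del") and any(
                    a.lower() == parent.image.lower() for a in toks[1:]):
                hits.append((p.pid, toks[0], parent.image))
    return hits


def suspicious_rundll32(cmdline):
    """(dll, export) when rundll32 loads a DLL from outside the trusted roots, else None."""
    m = RUNDLL32.search(cmdline)
    if not m or m["dll"].lower().startswith(TRUSTED_DLL_ROOTS):
        return None
    return (m["dll"], m["export"])


def audit_run_values(values):
    """Flag Run values that call rundll32 on an untrusted DLL or start an EXE from a drive root."""
    findings = []
    for name, value in values.items():
        hit = suspicious_rundll32(value)
        if hit:
            findings.append((name, f"rundll32 loads {hit[0]} export {hit[1]}"))
        elif re.fullmatch(r'"?[a-z]:\\[^\\]+\.exe"?(?:\s.*)?', value, re.I):
            findings.append((name, "executable in drive root"))
    return findings
```

Feed `find_relocation_chains` the process-creation events of one host (Sysmon event 1 or EDR telemetry), and run `audit_run_values` over each user's Run key; the EvtMgr value trips on the untrusted DLL, the Wiseman value on an executable sitting in the root of C:. A rundll32 command line pointing at a DLL under C:\Windows or Program Files is deliberately ignored, so keep the trusted roots short.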

Network

Country | Destination | Domain | Proto
US | 107.163.241.229:6520 | - | tcp
US | 107.163.241.233:12354 | - | tcp
US | 107.163.241.233:12354 | - | tcp
US | 8.8.8.8:53 | api.wisemansupport.com | udp
KR | 3.35.144.12:80 | api.wisemansupport.com | tcp
US | 107.163.241.233:12354 | - | tcp
US | 107.163.241.233:12354 | - | tcp
US | 107.163.241.229:6520 | - | tcp
US | 107.163.241.229:6520 | - | tcp
US | 107.163.241.229:6520 | - | tcp
US | 107.163.241.229:6520 | - | tcp

Files

memory/2116-0-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2116-1-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2116-3-0x0000000000400000-0x000000000047F000-memory.dmp

\??\c:\ettmtcigc.exe

MD5 66591434e28048deeedf744275975fe3
SHA1 a581c2ec69bcd8c2c5c2fb14864ca8e077190b5d
SHA256 ce9d4c803e65310070648f9505f98704e031d71a65970259a3d0912535faa3cc
SHA512 063b38d90f6636199fb1e8f666487109abb6cf1ac47e7bb87927911ed2842e76d61fde5bf60a8be106f4a5b436857d00612daf6ee3180d3d07e576d158172959

memory/2604-6-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2604-7-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2604-11-0x0000000000400000-0x000000000047F000-memory.dmp

\??\c:\skkmkldhn\rvkmwvg.dll

MD5 10eb9b069e53509dfe5652372437858d
SHA1 f5b7b4d4f4afe9439d78f43c1915cb3bd07fc620
SHA256 c8c3ce80cc170f0a7a3a1ca9120e8279a3f323604b50478ad81869c4131f6315
SHA512 6105b5547aa7754183471d395de4fabda8780b5000db2dc4d799bf3af27fca546a0548e6dcc4f435bee5f39e291cae400d7b8efd0d1d7034d31c4e92891b4051

memory/1252-17-0x0000000010000000-0x000000001004A000-memory.dmp

memory/1252-18-0x0000000010044000-0x0000000010045000-memory.dmp

memory/1252-19-0x0000000010000000-0x000000001004A000-memory.dmp

C:\wiseman.exe

MD5 8f242369cf14f2b26ced131d7dd67144
SHA1 d4f2f0f3047300ff5f36af6119ad5e109258fcd0
SHA256 03505198d487e04a8ec82c627d34e4d9145f211140c4c8793b4461621e6bf6ce
SHA512 4516b3fa2f68e64baf166bc7731ba3bb0ca53d36d71ff8fa78b1f211d7c14fc4442af50bd637d0c3f11913583c9c66996101d6e8738592a053e82a78bbd771f5

memory/1252-22-0x0000000010000000-0x000000001004A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 15:07

Reported

2024-05-16 15:09

Platform

win10v2004-20240508-en

Max time kernel

140s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e27b28d9b047458a493ffda01bebeef0_NeikiAnalytics.exe"

Signatures

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | \??\c:\ldydc.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\ldydc.exe | N/A
N/A | N/A | C:\wiseman.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wiseman = "C:\\wiseman.exe" | C:\wiseman.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\phvbv\\hcthct.dll\",GetWindowClass" | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\w:, \??\x:, \??\y:, \??\o:, \??\r:, \??\i:, \??\j:, \??\k:, \??\m:, \??\n:, \??\e:, \??\h:, \??\u:, \??\v:, \??\b:, \??\g:, \??\p:, \??\q:, \??\s:, \??\t:, \??\z:, \??\a:, \??\l: (23 drive letters probed in this order; every letter except c:, d: and f:) | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PHYSICALDRIVE0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A
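The signature above (here and in behavioral1) records only that rundll32.exe opened \??\PHYSICALDRIVE0 for modification; the sandbox does not show which sectors were written, so a write to sector 0 is the likely but not the only possibility (unpartitioned space is a common place to stash a payload). On an affected BIOS-booted host the first check is to read sector 0, compare the bootstrap code against a clean baseline, and look for partition entries that overlap the real layout; on a UEFI/GPT system sector 0 holds only a protective MBR and the EFI system partition needs the same treatment. The following is an added example, not part of the sandbox report: the two MBR images are constructed in the code, the bootstrap bytes stand in for a real boot loader, and the baseline hash is whatever you record from a clean reference host of the same build.

```python
"""Parse a 512-byte MBR and compare its bootstrap code with a known-good hash, the
check to run after a process opens PHYSICALDRIVE0 for modification. Added
example: the two MBR images are constructed here, and the baseline hash must be
taken from a clean reference host of the same build."""
import hashlib
import struct

SECTOR = 512
BOOTSTRAP_END = 0x1B8   # bootstrap code: bytes 0x000-0x1B7 (440 bytes)
DISK_SIG = 0x1B8        # 4-byte Windows disk signature
PART_TABLE = 0x1BE      # four 16-byte partition entries
BOOT_SIG = 0x1FE        # 0x55 0xAA
PART_FMT = "<B3BB3BII"  # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(data):
    if len(data) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if data[BOOT_SIG:BOOT_SIG + 2] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        f = struct.unpack_from(PART_FMT, data, PART_TABLE + 16 * i)
        if f[4] == 0:           # partition type 0 marks an empty entry
            continue
        parts.append({"index": i, "bootable": f[0] == 0x80, "type": f[4],
                      "lba_start": f[8], "sectors": f[9]})
    return {
        "bootstrap_sha256": hashlib.sha256(data[:BOOTSTRAP_END]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", data, DISK_SIG)[0],
        "partitions": parts,
    }


def check_mbr(data, baseline_bootstrap_sha256):
    """Findings as a list of strings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(data)
    findings = []
    if info["bootstrap_sha256"] != baseline_bootstrap_sha256:
        findings.append("bootstrap code differs from baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable (expected 1)")
    ordered = sorted(info["partitions"], key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):   # overlapping entries can hide a payload area
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"partition {b['index']} overlaps partition {a['index']}")
    return findings


def build_mbr(bootstrap, partitions, disk_signature=0x1234ABCD):
    """Assemble a test MBR from bootstrap bytes and (bootable, type, lba_start, sectors) tuples."""
    sector = bytearray(SECTOR)
    sector[:len(bootstrap)] = bootstrap
    struct.pack_into("<I", sector, DISK_SIG, disk_signature)
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(PART_FMT, sector, PART_TABLE + 16 * i,
                         0x80 if bootable else 0, 0, 0, 0, ptype, 0, 0, 0, lba, count)
    sector[BOOT_SIG:] = b"\x55\xaa"
    return bytes(sector)


def read_device_mbr(path=r"\\.\PhysicalDrive0"):
    """Read sector 0 of a raw disk (needs an elevated prompt on Windows, root on Linux)."""
    with open(path, "rb", buffering=0) as dev:
        return dev.read(SECTOR)


# Constructed images: a "clean" bootstrap (stand-in bytes, not a real boot loader) and a
# tampered copy whose first instruction was redirected and which gained a hidden,
# overlapping partition entry.
CLEAN_BOOTSTRAP = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 432
REAL_PARTITIONS = [(True, 0x07, 2048, 1_000_000)]
CLEAN_MBR = build_mbr(CLEAN_BOOTSTRAP, REAL_PARTITIONS)
BASELINE_SHA256 = hashlib.sha256(CLEAN_BOOTSTRAP).hexdigest()
TAMPERED_MBR = build_mbr(b"\xeb\x58" + CLEAN_BOOTSTRAP[2:],
                         REAL_PARTITIONS + [(False, 0x27, 500_000, 4096)])
```

On a live host, `check_mbr(read_device_mbr(), baseline)` gives the answer; the baseline is the bootstrap hash of the same OS build on a known-clean machine, since the Windows boot code differs between versions. A clean result only clears sector 0: compare the rest of the first track and any unpartitioned space against the reference image as well.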

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e27b28d9b047458a493ffda01bebeef0_NeikiAnalytics.exe | N/A
N/A | N/A | \??\c:\ldydc.exe | N/A
N/A | N/A | C:\wiseman.exe | N/A
N/A | N/A | C:\wiseman.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 224 wrote to memory of 3144 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\e27b28d9b047458a493ffda01bebeef0_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 3144 wrote to memory of 3188 (3 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 3144 wrote to memory of 2396 (3 events) | N/A | C:\Windows\SysWOW64\cmd.exe | \??\c:\ldydc.exe
PID 2396 wrote to memory of 1760 (3 events) | N/A | \??\c:\ldydc.exe | \??\c:\windows\SysWOW64\rundll32.exe
PID 1760 wrote to memory of 692 (3 events) | N/A | \??\c:\windows\SysWOW64\rundll32.exe | C:\wiseman.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e27b28d9b047458a493ffda01bebeef0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\e27b28d9b047458a493ffda01bebeef0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\ldydc.exe "C:\Users\Admin\AppData\Local\Temp\e27b28d9b047458a493ffda01bebeef0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\ldydc.exe

c:\ldydc.exe "C:\Users\Admin\AppData\Local\Temp\e27b28d9b047458a493ffda01bebeef0_NeikiAnalytics.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\phvbv\hcthct.dll",GetWindowClass c:\ldydc.exe

C:\wiseman.exe

"C:\wiseman.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
NL | 23.62.61.163:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 163.61.62.23.in-addr.arpa | udp
US | 107.163.241.229:6520 | - | tcp
US | 107.163.241.233:12354 | - | tcp
US | 107.163.241.233:12354 | - | tcp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | api.wisemansupport.com | udp
KR | 3.35.144.12:80 | api.wisemansupport.com | tcp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 107.163.241.233:12354 | - | tcp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 107.163.241.229:6520 | - | tcp
US | 107.163.241.229:6520 | - | tcp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 107.163.241.229:6520 | - | tcp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 107.163.241.229:6520 | - | tcp
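This table mixes the sample's own traffic with traffic the Win10 sandbox image generates by itself (Bing, and reverse-DNS lookups of Microsoft address space through 8.8.8.8), which is why behavioral2 looks noisier than behavioral1 although the endpoints that matter are identical in both runs: 107.163.241.229:6520 and 107.163.241.233:12354 with no associated name, and api.wisemansupport.com resolving to 3.35.144.12:80. The following is an added example, not part of the sandbox report: it parses a subset of these rows, files resolver chatter and baseline domains as noise, and emits what is left as indicators. The baseline domain list is an assumption about this sandbox image's normal traffic.

```python
"""Triage of the report's Network table: separate C2 candidates from the
background traffic a Win10 sandbox image generates on its own. Added example;
rows are a subset copied from behavioral2, and BASELINE_DOMAINS is an assumption."""
import re
from collections import Counter

# Constructed from the behavioral2 table; rows without a Domain column are raw IP connections.
NETWORK_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
NL 23.62.61.163:443 www.bing.com tcp
US 107.163.241.229:6520 tcp
US 107.163.241.233:12354 tcp
US 107.163.241.233:12354 tcp
US 8.8.8.8:53 api.wisemansupport.com udp
KR 3.35.144.12:80 api.wisemansupport.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 107.163.241.229:6520 tcp
"""

# Assumption: names the sandbox OS contacts by itself (search/telemetry); extend per image.
BASELINE_DOMAINS = ("bing.com", "bing.net", "microsoft.com", "windowsupdate.com")
RESOLVERS = {"8.8.8.8:53"}
ROW = re.compile(r"^(?P<cc>[A-Z]{2})\s+(?P<dst>[\d.]+:\d+)(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$")


def parse_rows(text):
    """Rows as dicts with cc, dst, domain (None when absent) and proto."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def in_baseline(domain):
    return any(domain == d or domain.endswith("." + d) for d in BASELINE_DOMAINS)


def triage(rows):
    """Bucket rows into c2 candidates (Counter keyed by (domain, dst, proto)),
    forward DNS lookups of non-baseline names, and noise."""
    c2, noise, lookups = Counter(), Counter(), set()
    for r in rows:
        dom, dst, proto = r["domain"], r["dst"], r["proto"]
        if dst in RESOLVERS:
            # Traffic to the resolver: the queried name tells us what the sample asked for.
            if dom and not dom.endswith(".in-addr.arpa") and not in_baseline(dom):
                lookups.add(dom)
            else:
                noise[dom or dst] += 1  # reverse lookups and baseline names
        elif dom and in_baseline(dom):
            noise[dom] += 1
        else:
            c2[(dom, dst, proto)] += 1
    return {"c2": c2, "dns_lookups": lookups, "noise": noise}


def ioc_list(result):
    """Flat, sorted list of blockable indicators: IP:port pairs plus resolved names."""
    iocs = set(result["dns_lookups"])
    for dom, dst, _ in result["c2"]:
        iocs.add(dst)
        if dom:
            iocs.add(dom)
    return sorted(iocs)
```

The domain is the durable indicator here: api.wisemansupport.com resolves to an address in a large cloud-hosting range (the KR entry), which may be shared with unrelated tenants, so block the two raw 107.163.241.x:port pairs and the domain outright and give the 3.35.144.12 entry a short expiry.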

Files

memory/224-0-0x0000000000400000-0x000000000047F000-memory.dmp

memory/224-1-0x0000000000400000-0x000000000047F000-memory.dmp

memory/224-4-0x0000000000400000-0x000000000047F000-memory.dmp

\??\c:\ldydc.exe

MD5 9409e622677c3427417264289a1caf19
SHA1 f4b2faeb46078b15f13794b47ec33b6ebf8d599a
SHA256 46e8af7be70a9387444b2a42b795866ffa6a08eb14d9b265cedfa6523417e83e
SHA512 859b54f2330cd146a04611e90495cbcae0628fb5d26c53dc2a4e7fc099d81c545c10c50c709911f50fa2bfcafc1ea5ee9de3d8b587cbaa3140fcd20b3ecb3003

memory/2396-8-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2396-12-0x0000000000400000-0x000000000047F000-memory.dmp

\??\c:\phvbv\hcthct.dll

MD5 10eb9b069e53509dfe5652372437858d
SHA1 f5b7b4d4f4afe9439d78f43c1915cb3bd07fc620
SHA256 c8c3ce80cc170f0a7a3a1ca9120e8279a3f323604b50478ad81869c4131f6315
SHA512 6105b5547aa7754183471d395de4fabda8780b5000db2dc4d799bf3af27fca546a0548e6dcc4f435bee5f39e291cae400d7b8efd0d1d7034d31c4e92891b4051

memory/1760-15-0x0000000010000000-0x000000001004A000-memory.dmp

memory/1760-16-0x0000000010001000-0x0000000010034000-memory.dmp

C:\wiseman.exe

MD5 8f242369cf14f2b26ced131d7dd67144
SHA1 d4f2f0f3047300ff5f36af6119ad5e109258fcd0
SHA256 03505198d487e04a8ec82c627d34e4d9145f211140c4c8793b4461621e6bf6ce
SHA512 4516b3fa2f68e64baf166bc7731ba3bb0ca53d36d71ff8fa78b1f211d7c14fc4442af50bd637d0c3f11913583c9c66996101d6e8738592a053e82a78bbd771f5

memory/1760-19-0x0000000010000000-0x000000001004A000-memory.dmp

memory/1760-20-0x0000000010001000-0x0000000010034000-memory.dmp