Malware Analysis Report

2025-08-10 23:54

Sample ID 240517-wfs58sbc98
Target 11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe
SHA256 aaa6e04bbbc7b6df02648da93524a190bd796dc17b2160a5e10a94b24b7d8e5d
Tags
collection discovery persistence spyware stealer upx
score
10/10

Analysis Overview

Threat Level: Known bad

The file 11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

UPX packed file

Reads local data of messenger clients

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Adds Run key to start application

Checks installed software on the system

Looks up external IP address via web service

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

AutoIT Executable

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

NTFS ADS

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Analysis: static1

Detonation Overview

Reported

2024-05-17 17:52

Signatures

AutoIT Executable

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 17:52

Reported

2024-05-17 17:54

Platform

win7-20240221-en

Max time kernel

149s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\winmgr119.exe N/A
N/A N/A C:\ProgramData\winmgr119.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe N/A

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe" C:\Users\Admin\AppData\Local\Temp\11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe" C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A
N/A ipinfo.io N/A N/A

AutoIT Executable

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted from report] C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe:Zone.Identifier:$DATA C:\Users\Admin\AppData\Local\Temp\11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe N/A
File created C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe:Zone.Identifier:$DATA C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
File created C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA C:\ProgramData\winmgr119.exe N/A
File opened for modification C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA C:\ProgramData\winmgr119.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\ProgramData\winmgr119.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2944 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
PID 2356 wrote to memory of 2664 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2356 wrote to memory of 2752 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2664 wrote to memory of 2448 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2664 wrote to memory of 2976 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2356 wrote to memory of 3004 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2664 wrote to memory of 2856 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2356 wrote to memory of 1476 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2356 wrote to memory of 1116 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2236 wrote to memory of 1732 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\winmgr119.exe
PID 2356 wrote to memory of 2620 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2356 wrote to memory of 1852 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe"

C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe

C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

0

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp8BCB.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp8C49.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpA04F.tmp"

C:\Windows\system32\taskeng.exe

taskeng.exe {F077E9DC-6E8D-479B-92D3-FB2B942A3C40} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]

C:\ProgramData\winmgr119.exe

C:\ProgramData\winmgr119.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpFD14.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpFDE0.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpFE10.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 icanhazip.com udp
US 104.16.184.241:80 icanhazip.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:80 ipinfo.io tcp
US 8.8.8.8:53 smtp.mail.me.com udp
US 17.57.155.28:587 smtp.mail.me.com tcp

Files

\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe

MD5 00fdefae0eeb41e238a31f129d55f20f
SHA1 8c106ef33db72ccd60b008897dfb1ec72aa5ba7c
SHA256 6c1470d3a8dfc943a840edf9fedfaa0aabae0c1a72a1bce82811aa5f1d01619d
SHA512 979e5badfb1e093af29c6f457778a5efc568ed90fdea935a54cf285254ebea74f445a4539dc87deee2ed10a6d4398a007b331bf73366e9f4998d178e0ae15531

C:\ProgramData\winmgr119.exe

MD5 4cb3643980d2659d41e289961e968c1a
SHA1 a47d5c317f8a7a53d482e11e005f8b32bf4af2b6
SHA256 c7f797f7bfb6a23b171245588830c3139dc9bf45d538c295574a79a9e6654350
SHA512 8bdcd51006074234368f66ef429f30aa193164999dd9157bc2c9f7a1abc7befa50fde164d987a044124702ac58187ed7eb84f87034de58a2ee9cab59d76f1d49

C:\Users\Admin\AppData\Local\Temp\tmp8BCB.tmp

MD5 e4bf4f7accc657622fe419c0d62419ab
SHA1 c2856936dd3de05bad0da5ca94d6b521e40ab5a2
SHA256 b32fa68b79c5a7ceaa89e8e537efe33a963c499666202611329944bd2c09318e
SHA512 85dc223e39a16ddeba53a4b3d6c9eff14d30ec67dfda1e650da2c9057f640edd033a31868915a31caac0d325d240a7f634f62cd52fbd2adc68bd1d9cb6281431

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar9315.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\Local\Temp\tmp8C49.tmp

MD5 de4e5ff058882957cf8a3b5f839a031f
SHA1 0b3d8279120fb5fa27efbd9eee89695aa040fc24
SHA256 ef54f46b9f1e342fc12e035ae94f57c61ea4e8be4e116f0a1c6f86310f400f49
SHA512 a6b0d557e9eec4e56630e5ba64495df318f4fd959fffbdcbf77831185b067906917c9117a0ecd6ac817c7860d5d831cce15820d715657d81e2d817d9fab9fb72

C:\Users\Admin\AppData\Local\Temp\tmpA04F.tmp

MD5 3525ea58bba48993ea0d01b65ea71381
SHA1 1b917678fdd969e5ee5916e5899e7c75a979cf4d
SHA256 681bcee53cf679ac674e700136f9229b9184fe60ed6410dbd7a33d462ed13ae2
SHA512 5aad8dca43ec85882daf50c469bd04dcf0b62affc8bc605b3e289496a2679d4d548fea8bb0aea7080bbfbcdcab9d275fc6797b9c95b64f9f97ecf79583a83986

C:\ProgramData\khaxFMfI\2c945db753d341ef9b0f02d75d493749

MD5 dec3a465561beb6fb39c71e129e70cd4
SHA1 4f18b981bedf9086e9108fdfdc0c138e53db2293
SHA256 09edd6ea3fa87005f5328de8f3f4aa60281d9a4455c31b2020abf88f57c283bf
SHA512 6c71e74f0b400f401ad5d0a1254616b7ecd9c627fcd380ec18e4bb8c77517d3a57500b517cbe33a0a982ebccd1da10b283efd601b497117301bb9d30865d14cf

C:\ProgramData\khaxFMfI\009276b996b04917a9a60a951037d8a6

MD5 1f5946c8f04bb34f9ab08514002d3b2c
SHA1 2bcedf7c848953711b03e32d9c8d64399fcb2c2e
SHA256 43438697b4eb8b708068b454efc8d4f5d452d2966c1f314630ad1bf4ee325f60
SHA512 ac3326e915dff6db5ee3b7e8a9aa9a8b453ee45fb4e3e2397a38376c7c64b2d47e4ad9573e3ae5401d266dcc160caf59e929b4910ca3b566a0638c9df295f9a8

C:\ProgramData\khaxFMfI\189d625f98324bab87032800e1e7f084

MD5 bf7db567ebf50a863401d43a5705bff1
SHA1 66a6e1e516c4774dbfafc013eb0aa398b37b0bd8
SHA256 58758ee9a59edb45d73a9737f652605d4178bfea2d3d1f4dc776e94980cfbd66
SHA512 212df73685f6d2806104d314db6bd8da260500e33071277dec7791503a656d752894ddffa4810e5d282ba5ca35088daacf419d1079bdbcc043d94147b1b3fa8e

C:\ProgramData\khaxFMfI\47928f366bbf48c9ad07f8d6a7670eaf

MD5 0b187cb1c7efffd179c1b9d14c64f7c9
SHA1 fe491fe4acbc3b8c43d0993bdaabdafde99b7be5
SHA256 0c59e31bae265ee8bb01eca33a59de8b1fc44403fa5979b9bc21a6d8460eb6c8
SHA512 df643da2f9e6b90b70e2144360657b0c2b9b4b0a552aba14a4f1c73b5e3b882b5d51c6373f91f5975454b3f9857e01cce8c0c02548e94add3ab8368fcf641f09

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-17 17:52

Reported

2024-05-17 17:54

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\winmgr119.exe N/A

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe" C:\Users\Admin\AppData\Local\Temp\11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe" C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A
N/A ipinfo.io N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A (×2)

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe:Zone.Identifier:$DATA C:\Users\Admin\AppData\Local\Temp\11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe N/A
File created C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe:Zone.Identifier:$DATA C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
File created C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA C:\ProgramData\winmgr119.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe N/A (×2)
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A (×4)
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A (×10)
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A (×30)
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A (×6)
N/A N/A C:\ProgramData\winmgr119.exe N/A (×2)
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A (×2)
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A (×6)
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A (×2)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A (×3)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3640 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe (×3)
PID 4536 wrote to memory of 512 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (×5)
PID 4536 wrote to memory of 2060 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe (×3)
PID 512 wrote to memory of 3048 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (×7)
PID 512 wrote to memory of 4052 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (×7)
PID 512 wrote to memory of 3724 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (×6)
PID 4536 wrote to memory of 208 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe (×3)
PID 4536 wrote to memory of 452 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe (×3)
PID 4536 wrote to memory of 4420 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe (×3)
PID 4536 wrote to memory of 3512 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe (×3)
PID 4536 wrote to memory of 4788 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe (×3)
PID 4536 wrote to memory of 2400 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe (×3)
PID 4536 wrote to memory of 1612 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe (×3)
PID 4536 wrote to memory of 2804 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe (×3)
PID 4536 wrote to memory of 428 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe (×3)
PID 4536 wrote to memory of 2096 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe (×3)
PID 4536 wrote to memory of 64 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe (×3)

Processes

C:\Users\Admin\AppData\Local\Temp\11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe"

C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe

C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

0

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpB9BB.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpBC9A.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpBD47.tmp"

C:\Windows\SysWOW64\schtasks.exe (×15 instances, identical command line)

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\ProgramData\winmgr119.exe

C:\ProgramData\winmgr119.exe

C:\Windows\SysWOW64\schtasks.exe (×9 instances, identical command line)

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 224.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.184.241:80 icanhazip.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:80 ipinfo.io tcp
US 8.8.8.8:53 smtp.mail.me.com udp
US 17.57.155.28:587 smtp.mail.me.com tcp
US 8.8.8.8:53 241.184.16.104.in-addr.arpa udp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 28.155.57.17.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 17.57.155.28:587 smtp.mail.me.com tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 17.57.155.28:587 smtp.mail.me.com tcp (×8)
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp (×4)
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp

Files

C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe

MD5 351169fa81e8ee758fce45270f1919df
SHA1 95df6a219aad60b853d67d88dd1fb106bec2a50f
SHA256 1b37371d8c49865d2c29a57d18b32b8606ac58453137410f15295a8a57154cd8
SHA512 fb01062807f20d0a8bc02a82218d38d1aeaf822499f10040096ce9e1edfe2e12af967ea93cb2f9b0154b10b0245f0717ce3e830bc047a7e62d14f612f3251e7a

memory/512-8-0x0000000000B00000-0x0000000000BCA000-memory.dmp

memory/512-9-0x0000000073282000-0x0000000073283000-memory.dmp

memory/512-10-0x0000000073280000-0x0000000073831000-memory.dmp

memory/512-11-0x0000000073280000-0x0000000073831000-memory.dmp

memory/3048-15-0x0000000000400000-0x000000000048E000-memory.dmp

memory/3048-17-0x0000000000400000-0x000000000048E000-memory.dmp

memory/3048-16-0x0000000000400000-0x000000000048E000-memory.dmp

memory/3048-24-0x0000000000400000-0x000000000048E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB9BB.tmp

MD5 b0cc2e6f2d8036c9b5fef218736fa9c9
SHA1 64fd3017625979c95ba09d7cbea201010a82f73f
SHA256 997aceeb78143e057d4ea0ed699db3cc1c723f699b4532663b7b85c83baa5c50
SHA512 a1fe80b2971c4d1141a594f27eaea61500bf701cd1b8fbdb5ac2204a63c8ef862344f8c30f65ce769f0acf2b0718ed33a02744dd1a152c4a62a5318333d29b9b

memory/4052-27-0x0000000000400000-0x0000000000491000-memory.dmp

memory/4052-28-0x0000000000400000-0x0000000000491000-memory.dmp

memory/4052-29-0x0000000000400000-0x0000000000491000-memory.dmp

memory/4052-31-0x0000000000400000-0x0000000000491000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpBC9A.tmp

MD5 de4e5ff058882957cf8a3b5f839a031f
SHA1 0b3d8279120fb5fa27efbd9eee89695aa040fc24
SHA256 ef54f46b9f1e342fc12e035ae94f57c61ea4e8be4e116f0a1c6f86310f400f49
SHA512 a6b0d557e9eec4e56630e5ba64495df318f4fd959fffbdcbf77831185b067906917c9117a0ecd6ac817c7860d5d831cce15820d715657d81e2d817d9fab9fb72

memory/3724-35-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3724-36-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3724-38-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpBD47.tmp

MD5 3525ea58bba48993ea0d01b65ea71381
SHA1 1b917678fdd969e5ee5916e5899e7c75a979cf4d
SHA256 681bcee53cf679ac674e700136f9229b9184fe60ed6410dbd7a33d462ed13ae2
SHA512 5aad8dca43ec85882daf50c469bd04dcf0b62affc8bc605b3e289496a2679d4d548fea8bb0aea7080bbfbcdcab9d275fc6797b9c95b64f9f97ecf79583a83986

memory/512-42-0x0000000073282000-0x0000000073283000-memory.dmp

memory/512-43-0x0000000073280000-0x0000000073831000-memory.dmp

memory/512-44-0x0000000073280000-0x0000000073831000-memory.dmp

C:\ProgramData\winmgr119.exe

MD5 279e87bfbd3c0c7e6281297ea51ea70c
SHA1 660040ac00699c8a449fb2b6d76e0a0a47d8ed71
SHA256 5d6c55c1f2daceb0f18b416200acc95e0bbf7fe67ea81ae1895945a50ba2cbf4
SHA512 2ab7fa2b08806786bd732682fc778d17966897b446d4aa16e72e797d211fa2cf640305c71bcb38fdf0014a4d930c1fdb4fbeb0ec1c1eb998d84b7e0135f8868a