d87963dfe40f497ee7d3d94e57cd5738ecc61f3cf843873133a6cbddb0a7b359

General

Target

f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe
Size

455KB
MD5

f32311593d5a1f714570a7b91d9100e0
SHA1

c343c18f3f208cf7719550fa4aaec1d77840e7da
SHA256

d87963dfe40f497ee7d3d94e57cd5738ecc61f3cf843873133a6cbddb0a7b359
SHA512

794b86df535b509b2bc442fb04475b8a113f7e568e8c9b5d9ffaa54ca7b9a71db84af163189ddd75175be84214571355bdd21becffc2b3c3b909a22ba10e6b5c
SSDEEP

12288:WVEue/UNolyeWYB0kGZFdLagJdF0S/xPaG9:WVEuegLagJdF0S5PaG9

Score

9^/10

persistence ransomware spyware stealer

Malware Config

Signatures

Renames multiple (220) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 2 IoCs

Processes:

f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exeLogo1_.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Logo1_.exe

Executes dropped EXE 2 IoCs

Processes:

Logo1_.exef32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe

pid process

1596 Logo1_.exe
4600 f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1596	Logo1_.exe
4600	f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exeLogo1_.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe"	f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe"	Logo1_.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File opened for modification	C:\Program Files\dotnet\dotnet.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jre-1.8\bin\servertool.exe.Exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe.Exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedgewebview2.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jdb.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wab.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javac.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\pwahelper.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jhat.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe.Exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe.Exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\GameBar.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe.Exe	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exeLogo1_.exe

description	ioc	process
File created	C:\Windows\uninstall\rundl132.exe	f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe
File created	C:\Windows\Logo1_.exe	f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\uninstall\rundl132.exe	Logo1_.exe
File created	C:\Windows\RichDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exeLogo1_.exe

pid	process
1956	f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe
1956	f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe
1956	f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe
1956	f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe
1956	f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe
1956	f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe
1956	f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe
1956	f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe
1956	f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe
1956	f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe
1956	f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe
1956	f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe
1956	f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe
1956	f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe
1956	f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe
1956	f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe
1956	f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe
1956	f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe
1956	f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe
1956	f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe
1956	f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe
1956	f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe
1956	f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe
1956	f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe
1956	f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe
1956	f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe
1596	Logo1_.exe
1596	Logo1_.exe
1596	Logo1_.exe
1596	Logo1_.exe
1596	Logo1_.exe
1596	Logo1_.exe
1596	Logo1_.exe
1596	Logo1_.exe
1596	Logo1_.exe
1596	Logo1_.exe
1596	Logo1_.exe
1596	Logo1_.exe
1596	Logo1_.exe
1596	Logo1_.exe
1596	Logo1_.exe
1596	Logo1_.exe
1596	Logo1_.exe
1596	Logo1_.exe
1596	Logo1_.exe
1596	Logo1_.exe
1596	Logo1_.exe
1596	Logo1_.exe
1596	Logo1_.exe
1596	Logo1_.exe
1596	Logo1_.exe
1596	Logo1_.exe
1596	Logo1_.exe
1596	Logo1_.exe
1596	Logo1_.exe
1596	Logo1_.exe
1596	Logo1_.exe
1596	Logo1_.exe
1596	Logo1_.exe
1596	Logo1_.exe
1596	Logo1_.exe
1596	Logo1_.exe
1596	Logo1_.exe
1596	Logo1_.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exenet.exeLogo1_.exenet.exenet.exe

description	pid	process	target process
PID 1956 wrote to memory of 4628	1956	f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe	net.exe
PID 1956 wrote to memory of 4628	1956	f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe	net.exe
PID 1956 wrote to memory of 4628	1956	f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe	net.exe
PID 4628 wrote to memory of 1620	4628	net.exe	net1.exe
PID 4628 wrote to memory of 1620	4628	net.exe	net1.exe
PID 4628 wrote to memory of 1620	4628	net.exe	net1.exe
PID 1956 wrote to memory of 2532	1956	f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe	cmd.exe
PID 1956 wrote to memory of 2532	1956	f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe	cmd.exe
PID 1956 wrote to memory of 2532	1956	f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe	cmd.exe
PID 1956 wrote to memory of 1596	1956	f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe	Logo1_.exe
PID 1956 wrote to memory of 1596	1956	f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe	Logo1_.exe
PID 1956 wrote to memory of 1596	1956	f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe	Logo1_.exe
PID 1596 wrote to memory of 3856	1596	Logo1_.exe	net.exe
PID 1596 wrote to memory of 3856	1596	Logo1_.exe	net.exe
PID 1596 wrote to memory of 3856	1596	Logo1_.exe	net.exe
PID 3856 wrote to memory of 644	3856	net.exe	net1.exe
PID 3856 wrote to memory of 644	3856	net.exe	net1.exe
PID 3856 wrote to memory of 644	3856	net.exe	net1.exe
PID 1596 wrote to memory of 548	1596	Logo1_.exe	net.exe
PID 1596 wrote to memory of 548	1596	Logo1_.exe	net.exe
PID 1596 wrote to memory of 548	1596	Logo1_.exe	net.exe
PID 548 wrote to memory of 4636	548	net.exe	net1.exe
PID 548 wrote to memory of 4636	548	net.exe	net1.exe
PID 548 wrote to memory of 4636	548	net.exe	net1.exe
PID 1596 wrote to memory of 3464	1596	Logo1_.exe	Explorer.EXE
PID 1596 wrote to memory of 3464	1596	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3464

C:\Users\Admin\AppData\Local\Temp\f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe"
2⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
3⤵
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
4⤵
PID:1620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4779.bat
3⤵
PID:2532

C:\Users\Admin\AppData\Local\Temp\f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe"
4⤵
- Executes dropped EXE
PID:4600

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:3856

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:644

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:4636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe.Exe
Filesize
607KB

MD5
265b379478ad9643a25c5f8ceb0b5f45

SHA1
3dcc9a1323a98cca54def6963dbb7f81b8c9f12f

SHA256
1a07a8056a490f505eec70867306ed6a8ce8b454b287d33aa73ebeb04b70b30d

SHA512
6385bd33f208d49a358fdba79b1a12f1e379b40fc8a061db03e9bfe24304fcc7624ec0c91502341f2b6a91f74afb5d50c7c0673a9b35dc7dc26fdaab6095e02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a4779.bat
Filesize
620B

MD5
064c3dff4c006bfd4fb4ba69a7fa60d7

SHA1
84d3376a27f761f24f58d21eda9dd1cfa433eb1f

SHA256
c54bb149269f358a46663947b92f685c9956cbfa7fcc3f97be2a14485acb212a

SHA512
1c48b00dec5c56ebd58dd4ba1170b83cc6eedc7dad78bb0d1917079e6237b5d74523519417987f6c7ca6466942603a2470087fa8e8e3debfbec6e6badd8e106b

Download Submit
C:\Users\Admin\AppData\Local\Temp\f32311593d5a1f714570a7b91d9100e0_NeikiAnalytics.exe.exe
Filesize
392KB

MD5
3b08ea93371567d3fa50aa278f1e3709

SHA1
82adf83bb42b403de1ff5a151e4c9dbe3b2c1a00

SHA256
de9ef168605c01a9e684fe35e0eae916d5d6cb1d07036ed434876e2da47c684d

SHA512
63a80d2dc056363991fe6bd77ef936a5d6c15c7ef8f2cf92c1e98525aec0714a5b83d1e830b33e8e4290ba97edc2c1ed57982be3360ff47c6d578a06c6264de7

Download Submit
C:\Windows\Logo1_.exe
Filesize
63KB

MD5
8c8df5b9b78e8bff5d26257de8ef0c8d

SHA1
a947ee766bbb79cca23cc90341e8987ba1020f30

SHA256
fb4f742e543a646890ec49fab3064cdd9a896592df52b8dc37ead4851832593f

SHA512
7ed132de1a9d8425633c70e6956a4b19084bb18518d3a80044cfc2a48c4a4c9bf6dba1029032f9c82c096f5f7ce01ca2492412829e06d84c7c63ea7a6fbcbea7

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
842B

MD5
6f4adf207ef402d9ef40c6aa52ffd245

SHA1
4b05b495619c643f02e278dede8f5b1392555a57

SHA256
d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

SHA512
a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

Download Submit
memory/1596-10-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1596-18-0x0000000000510000-0x0000000000550000-memory.dmp

Filesize
256KB

Download
memory/1596-22-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1596-23-0x0000000000510000-0x0000000000550000-memory.dmp

Filesize
256KB

Download
memory/1956-11-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1956-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1956-1-0x0000000000510000-0x0000000000530000-memory.dmp

Filesize
128KB

Download
memory/4600-16-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads