Malware Analysis Report

2025-03-15 00:06

Sample ID: 240603-17vwcsba5x
Target:    0a2c9ed80ea01ad0b5bd3e120cb6c390_NeikiAnalytics.exe
SHA256:    cabf54562c46780434fb94a14b80843d9d4f432575f7db1c68543bfa1a3e0f7b
Tags:      persistence
Score:     7/10

Contents

  Analysis Overview
  MITRE ATT&CK (Enterprise Matrix V15)
  Analysis: static1 (Detonation Overview, Signatures)
  Analysis: behavioral1, win7 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
  Analysis: behavioral2, win10 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score:        7/10
SHA256:       cabf54562c46780434fb94a14b80843d9d4f432575f7db1c68543bfa1a3e0f7b
Threat level: shows suspicious behavior

Verdict: 0a2c9ed80ea01ad0b5bd3e120cb6c390_NeikiAnalytics.exe shows suspicious behavior. The submitted name carries an .exe suffix, but both behavioral runs detonate it through rundll32.exe as a DLL (export #1), so the artefact should be treated as a loader DLL rather than a standalone executable.

Observed chain, common to the Windows 7 run (behavioral1) and the Windows 10 run (behavioral2); the per-run sections carry the raw events:

1. rundll32.exe loads the DLL. The memory dumps then show the same 0xC6000-byte image at 0x140000000 in two PIDs per run (2892 and 1352 on Win7; 4764 and 3524 on Win10). The second PID, whose image name the report does not record, is the parent of every later process. The UnmapMainImage, FindShellTrayWindow and WriteProcessMemory signatures (the first two recorded in the Win10 run) are the usual side effects of a payload migrating into another process: FindShellTrayWindow is the common way to locate the shell process, and unmapping a main image is the hollowing step.

2. That parent launches a string of legitimate System32 binaries (sdchange.exe, msdt.exe, fvenotify.exe on Win7; DeviceEject.exe, CustomInstallExec.exe, plasrv.exe, browserexport.exe, logagent.exe, mavinject.exe, TapiUnattend.exe, rdrleakdiag.exe, ApplicationFrameHost.exe, EaseOfAccessDialog.exe on Win10) and drops a copy of one of them into a user-writable folder (Roaming\FQwN\msdt.exe; Roaming\my9Mq\ApplicationFrameHost.exe). An HKCU Run value (Uxhwu; Esxju) and a Startup-folder .lnk of the same name point at the copy. Relocating a signed system binary so that it loads an attacker DLL from its own directory is the DLL side-loading pattern; the report's file list does not name the companion DLL, so that part is inferred, not observed.

3. UAC bypass. On Win7 the per-user MSCFile\shell\open\command handler is set to cmd.exe /c AFG97F.cmd and eventvwr.exe is launched (eventvwr.exe auto-elevates and opens its .msc through that handler). On Win10 the per-user ms-settings\shell\open\command handler receives cmd.exe /c 2l1k.cmd plus an empty DelegateExecute value, and fodhelper.exe is launched. In both runs the cmd.exe spawned by eventvwr.exe or fodhelper.exe is the one that calls schtasks /Create, which is where the elevated context is needed, and the log also records the hijacked keys being deleted again (cleanup).

4. Elevated persistence. A second copy of a system binary is written into a digit-named System32 subfolder (system32\9535\fvenotify.exe; system32\3177\EaseOfAccessDialog.exe) and a scheduled task (Trqxvscxs; Lgeeulo) runs it every 60 minutes with /RL highest. The pre-existing User_Feed_Synchronization-{GUID} task is deleted in both runs.

Signals that carry little weight on their own: "Suspicious use of AdjustPrivilegeToken" here is SeShutdownPrivilege/SeCreatePagefilePrivilege toggling, which the Windows shell does routinely; "Unsigned PE" only says the DLL carries no Authenticode signature. The decisive evidence is the Run key plus Startup .lnk pair, the class-handler hijack followed immediately by eventvwr.exe/fodhelper.exe, and the /RL highest task pointing into a System32 subfolder.

Malicious Activity Summary (signature names as the sandbox reports them)

  persistence
    Adds Run key to start application
    Creates scheduled task(s)
    Uses Task Scheduler COM API

  other
    Loads dropped DLL
    Drops file in System32 directory
    Unsigned PE
    Modifies registry class
    Suspicious use of AdjustPrivilegeToken
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    Suspicious use of FindShellTrayWindow
    Suspicious use of UnmapMainImage

MITRE ATT&CK (Enterprise Matrix V15)

The report's matrix rendering did not survive extraction. The mapping below is the editor's, derived only from the signatures and events listed elsewhere on this page:

  T1218.011  System Binary Proxy Execution: Rundll32 (sample loaded via rundll32.exe <dll>,#1)
  T1055      Process Injection (WriteProcessMemory, UnmapMainImage, identical image region in a second PID)
  T1574.002  Hijack Execution Flow: DLL Side-Loading (system binaries copied under Roaming\; inferred, companion DLL not listed)
  T1547.001  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (Run values Uxhwu and Esxju, Startup .lnk files)
  T1053.005  Scheduled Task (schtasks /Create ... /RL highest; deletion of the User_Feed_Synchronization task)
  T1548.002  Abuse Elevation Control Mechanism: Bypass User Account Control (MSCFile handler + eventvwr.exe; ms-settings handler + DelegateExecute + fodhelper.exe)
  T1112      Modify Registry (class-handler keys created and deleted)
  T1057      Process Discovery (EnumeratesProcesses)

Analysis: static1

Detonation Overview

Reported: 2024-06-03 22:17

Signatures

  Unsigned PE (no indicator, process or target recorded)

Analysis: behavioral1

Detonation Overview

Submitted:        2024-06-03 22:17
Reported:         2024-06-03 22:20
Platform:         win7-20240221-en
Max time kernel:  150s
Max time network: 124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0a2c9ed80ea01ad0b5bd3e120cb6c390_NeikiAnalytics.dll,#1

Signatures

Loads dropped DLL

  No indicator, process or target recorded.

Adds Run key to start application [persistence]

  Set value (str)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uxhwu = "\"C:\\Users\\Admin\\AppData\\Roaming\\FQwN\\msdt.exe\""
  (process and target not recorded)

Drops file in System32 directory

  File created                  C:\Windows\system32\9535\fvenotify.exe   by C:\Windows\System32\cmd.exe
  File opened for modification  C:\Windows\system32\9535\fvenotify.exe   by C:\Windows\System32\cmd.exe

Creates scheduled task(s) [persistence]

  Process: C:\Windows\system32\schtasks.exe (command line listed under Processes)

Modifies registry class

  All keys are under \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES, the per-user HKCU\Software\Classes view that eventvwr.exe consults before HKCR. The raw report lists the operations interleaved; grouped here by operation. Process and target are not recorded.

  Key created      MSCFile
  Key created      MSCFile\shell
  Key created      MSCFile\shell\open
  Key created      MSCFile\shell\open\command
  Set value (str)  MSCFile\shell\open\command\(Default) = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\AFG97F.cmd"
                   (the raw report shows the default value as a trailing backslash)
  Key deleted      MSCFile\shell\open\command
  Key deleted      MSCFile\shell\open
  Key deleted      MSCFile\shell
  Key deleted      MSCFile

Suspicious behavior: EnumeratesProcesses

  Process: C:\Windows\system32\rundll32.exe (2 events with a process recorded; the remaining 62 rows carry no description, indicator, process or target)

Suspicious use of WriteProcessMemory

  Each writer/child pair appears three times in the raw log (one row per WriteProcessMemory call); collapsed to one row per pair, in logged order. "Process" is the writer's image as recorded, "Target" the child's. No indicator column was populated.

  Writer PID  Child PID  Process (writer)                   Target (child)
  1352        2740       (not recorded)                     C:\Windows\system32\sdchange.exe
  1352        2500       (not recorded)                     C:\Windows\system32\msdt.exe
  1352        2376       (not recorded)                     C:\Windows\System32\cmd.exe
  1352        1652       (not recorded)                     C:\Windows\System32\cmd.exe
  1652        580        C:\Windows\System32\cmd.exe        C:\Windows\system32\schtasks.exe
  1352        1472       (not recorded)                     C:\Windows\system32\fvenotify.exe
  1352        1644       (not recorded)                     C:\Windows\System32\cmd.exe
  1352        880        (not recorded)                     C:\Windows\System32\eventvwr.exe
  880         1200       C:\Windows\System32\eventvwr.exe   C:\Windows\system32\cmd.exe
  1200        2568       C:\Windows\system32\cmd.exe        C:\Windows\system32\schtasks.exe

  PID 1352, the writer behind every first-level child, is never itself a target and its image is not recorded; the rundll32.exe command line is the only entry point the report names. The eventvwr.exe -> cmd.exe -> schtasks.exe branch is the one that creates the /RL highest task.
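The table above is flat, and the interesting fact (which PID is the unnamed injected host, and which branch reaches schtasks /Create) only appears once the rows are rebuilt into a tree. The script below is an added example, not part of the sandbox's output: it parses rows in exactly the "PID X wrote to memory of Y <indicator> <process> <target>" shape used on this page, collapses the triplicated rows while keeping their count, names each PID from the first image path recorded for it, and prints the tree. The input is the behavioral1 table pasted verbatim; the assumption that the three rows per pair are repeated calls rather than three distinct children is the editor's.

```python
"""Rebuild the process tree behind a sandbox 'Suspicious use of WriteProcessMemory'
table. Input is the behavioral1 (Win7) table from this report, pasted verbatim:
one row per WriteProcessMemory call, so every writer/child pair repeats three
times. Added example; not part of the sandbox's own output."""
import re
from collections import OrderedDict, defaultdict

ROW = re.compile(
    r"^PID\s+(?P<parent>\d+)\s+wrote to memory of\s+(?P<child>\d+)"
    r"\s+(?P<indicator>\S+)\s+(?P<process>\S+)\s+(?P<target>\S+)\s*$"
)

SAMPLE_ROWS = r"""
PID 1352 wrote to memory of 2740 N/A N/A C:\Windows\system32\sdchange.exe
PID 1352 wrote to memory of 2740 N/A N/A C:\Windows\system32\sdchange.exe
PID 1352 wrote to memory of 2740 N/A N/A C:\Windows\system32\sdchange.exe
PID 1352 wrote to memory of 2500 N/A N/A C:\Windows\system32\msdt.exe
PID 1352 wrote to memory of 2500 N/A N/A C:\Windows\system32\msdt.exe
PID 1352 wrote to memory of 2500 N/A N/A C:\Windows\system32\msdt.exe
PID 1352 wrote to memory of 2376 N/A N/A C:\Windows\System32\cmd.exe
PID 1352 wrote to memory of 2376 N/A N/A C:\Windows\System32\cmd.exe
PID 1352 wrote to memory of 2376 N/A N/A C:\Windows\System32\cmd.exe
PID 1352 wrote to memory of 1652 N/A N/A C:\Windows\System32\cmd.exe
PID 1352 wrote to memory of 1652 N/A N/A C:\Windows\System32\cmd.exe
PID 1352 wrote to memory of 1652 N/A N/A C:\Windows\System32\cmd.exe
PID 1652 wrote to memory of 580 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1652 wrote to memory of 580 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1652 wrote to memory of 580 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1352 wrote to memory of 1472 N/A N/A C:\Windows\system32\fvenotify.exe
PID 1352 wrote to memory of 1472 N/A N/A C:\Windows\system32\fvenotify.exe
PID 1352 wrote to memory of 1472 N/A N/A C:\Windows\system32\fvenotify.exe
PID 1352 wrote to memory of 1644 N/A N/A C:\Windows\System32\cmd.exe
PID 1352 wrote to memory of 1644 N/A N/A C:\Windows\System32\cmd.exe
PID 1352 wrote to memory of 1644 N/A N/A C:\Windows\System32\cmd.exe
PID 1352 wrote to memory of 880 N/A N/A C:\Windows\System32\eventvwr.exe
PID 1352 wrote to memory of 880 N/A N/A C:\Windows\System32\eventvwr.exe
PID 1352 wrote to memory of 880 N/A N/A C:\Windows\System32\eventvwr.exe
PID 880 wrote to memory of 1200 N/A C:\Windows\System32\eventvwr.exe C:\Windows\system32\cmd.exe
PID 880 wrote to memory of 1200 N/A C:\Windows\System32\eventvwr.exe C:\Windows\system32\cmd.exe
PID 880 wrote to memory of 1200 N/A C:\Windows\System32\eventvwr.exe C:\Windows\system32\cmd.exe
PID 1200 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1200 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1200 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
"""


def parse_rows(text):
    """Return (edges, names, writes): distinct children per writer in first-seen
    order, the image path recorded for each PID, and the raw row count per pair."""
    edges, names, writes = OrderedDict(), {}, defaultdict(int)
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        parent, child = int(m["parent"]), int(m["child"])
        writes[(parent, child)] += 1
        if m["process"] != "N/A":
            names.setdefault(parent, m["process"])
        if m["target"] != "N/A":
            names.setdefault(child, m["target"])
        kids = edges.setdefault(parent, [])
        if child not in kids:
            kids.append(child)
    return edges, names, writes


def roots(edges):
    """Writers that are never written to: where the chain starts."""
    children = {c for kids in edges.values() for c in kids}
    return [p for p in edges if p not in children]


def lineage(edges, pid):
    """Root-to-pid ancestry, e.g. the path from the injected host to schtasks."""
    parent_of = {c: p for p, kids in edges.items() for c in kids}
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return chain[::-1]


def render(edges, names, writes, pid, depth=0, parent=None, out=None):
    """Indented tree. The sandbox names children by their target path but never
    the injected writer, so a root without a name is itself a finding."""
    out = [] if out is None else out
    label = names.get(pid, "<image not recorded by sandbox>")
    count = f"  [{writes[(parent, pid)]} rows]" if parent is not None else ""
    out.append(f"{'  ' * depth}{pid}  {label}{count}")
    for child in edges.get(pid, []):
        render(edges, names, writes, child, depth + 1, pid, out)
    return out


if __name__ == "__main__":
    edges, names, writes = parse_rows(SAMPLE_ROWS)
    for root in roots(edges):
        print("\n".join(render(edges, names, writes, root)))
    print("schtasks /Create lineage:", " -> ".join(map(str, lineage(edges, 2568))))
```

Run it on the behavioral2 table (two rows per pair instead of three) and the same code shows PID 3524 as the unnamed root with the fodhelper.exe -> cmd.exe -> schtasks.exe branch.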

Uses Task Scheduler COM API [persistence]

  No indicator rows recorded.

Processes (image path, then the command line as recorded)

  C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0a2c9ed80ea01ad0b5bd3e120cb6c390_NeikiAnalytics.dll,#1
  C:\Windows\system32\sdchange.exe
    C:\Windows\system32\sdchange.exe
  C:\Windows\system32\msdt.exe
    C:\Windows\system32\msdt.exe
  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\1TO.cmd
  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{f88aa085-2df5-1d76-19b1-e998b140f7f3}"
  C:\Windows\system32\schtasks.exe
    schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{f88aa085-2df5-1d76-19b1-e998b140f7f3}"
  C:\Windows\system32\fvenotify.exe
    C:\Windows\system32\fvenotify.exe
  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\dar0T7p.cmd
  C:\Windows\System32\eventvwr.exe
    "C:\Windows\System32\eventvwr.exe"
  C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\AFG97F.cmd
  C:\Windows\system32\schtasks.exe
    schtasks.exe /Create /F /TN "Trqxvscxs" /SC minute /MO 60 /TR "C:\Windows\system32\9535\fvenotify.exe" /RL highest

Network

  No network activity recorded.

Files

memory/2892-6-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/1352-4-0x0000000002740000-0x0000000002741000-memory.dmp

memory/1352-3-0x0000000077086000-0x0000000077087000-memory.dmp

memory/2892-1-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/2892-0-0x00000000003E0000-0x00000000003E7000-memory.dmp

memory/1352-7-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/1352-8-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/1352-33-0x0000000077191000-0x0000000077192000-memory.dmp

memory/1352-32-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/1352-31-0x0000000001D00000-0x0000000001D07000-memory.dmp

memory/1352-24-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/1352-23-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/1352-22-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/1352-21-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/1352-20-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/1352-19-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/1352-18-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/1352-17-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/1352-16-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/1352-15-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/1352-14-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/1352-13-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/1352-12-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/1352-11-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/1352-10-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/1352-9-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/1352-48-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/1352-46-0x00000000772F0000-0x00000000772F2000-memory.dmp

memory/1352-42-0x0000000140000000-0x00000001400C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1TO.cmd

MD5 aa6b3d53b7bb41399733f9c4d6fea8a8
SHA1 c394fdc46bcfe4cc049731e6c790c2fa71a38392
SHA256 bdda9666e6f1ca6e3e737d98704b9cea50147c153259af334f31c764d729a762
SHA512 4a804247166fd7ec19584f2b5a373c2fd4647def48464a63ef87e6da06dc592e54983c4a8080658758411326111190f5fbc0b772cbc303639dab44022fb4943c

C:\Users\Admin\AppData\Local\Temp\OmIADFB.tmp

MD5 e3a0bee8316858d42d6ea322de30d65e
SHA1 239b0dd994aaaf0a9f877e1728ada2c1c58d4f2c
SHA256 80a240905669b244980e61c354b90c5fd49b80807c3617f17fc505099ecdd0d4
SHA512 78fa5f34c3b5d2941a79ad5708bc164621440ff7f4317b36a05df17d525c2a5772a382548fca6232cc6c6823d23e5ce205d0f9de1dcd9895df2d9fc195fe1a2d

C:\Users\Admin\AppData\Roaming\FQwN\msdt.exe

MD5 aecb7b09566b1f83f61d5a4b44ae9c7e
SHA1 3a4a2338c6b5ac833dc87497e04fe89c5481e289
SHA256 fbdbe7a2027cab237c4635ef71c1a93cf7afc4b79d56b63a119b7f8e3029ccf5
SHA512 6e14200262e0729ebcab2226c3eac729ab5af2a4c6f4f9c3e2950cc203387d9a0a447cf38665c724d4397353931fd10064dc067e043a3579538a6144e33e4746

C:\Users\Admin\AppData\Local\Temp\dar0T7p.cmd

MD5 3dc2776ec56f9a0c178ef1578cdfcf2f
SHA1 874e160dda96f5597fea76e064f1904edd36808d
SHA256 e2a51c3226daf66e718603167e212c85428227eef70b951191ed556dc7b3ddc8
SHA512 eeca2e7c0607a009f0d1faf92f671a64dbe2d7e08f25d303196f07632d8a06f4301d2e40eef2a761ecf2ae926b3c43ed4a2594658d0875871aeb270174ecfff6

C:\Users\Admin\AppData\Local\Temp\CB26F.tmp

MD5 454a8b4da3d252bad9b222fb97dc455d
SHA1 2ed2596ad0ac1f09e2ce47e4d8d846086a65b42c
SHA256 e300bf9a6a1d21b9adb9744781d0a68e0025735f85ea3722dcc8059fbb1af647
SHA512 da0d8c3df7bac5b9bad5fbb545d97d4fa34d8d290afe9f6bb14632e473aa96f03484e260531664719c2516916edf8e2cb2e0e36d799d74ce7f7102e2572d6e57

C:\Users\Admin\AppData\Local\Temp\AFG97F.cmd

MD5 bdf22a3dad1a1eadf21460e53b754fb7
SHA1 34a83a9b9f398befc83cf9c45ba72e23a109f189
SHA256 5dc89e61bbc8fefd8ac03b7df1f89329f0792556fb30c45f7f54fe6838577afd
SHA512 0a05adf5dba143592222f7e9dd3bd919224bea7b27e2c81ddbf588b913aa4f16df9561d5feeeaa6613f832638a97acd3e2144a967a6ee4b8eb06435bc66c95d8

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Uxhwu.lnk

MD5 f007ef0a8ccc2fd5bea50fa7b05a7ab3
SHA1 f19e8c3da286df1efbee6b99afd9d9109de80062
SHA256 ec16b4f5c2ed408e26cf7d81fe5aa4c73051fc2dbef851adc266795c2a2be1e3
SHA512 1041a9e755e9680259251eec4188861faaf69d5081985bc3a11a2e8360cd6de66e82cd0f6a62d55929ce037910b7c53cc4d0fd5ab4bdf06976137246ce79adc6

memory/1352-88-0x0000000077086000-0x0000000077087000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted:        2024-06-03 22:17
Reported:         2024-06-03 22:20
Platform:         win10v2004-20240508-en
Max time kernel:  150s
Max time network: 127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0a2c9ed80ea01ad0b5bd3e120cb6c390_NeikiAnalytics.dll,#1

Signatures

Adds Run key to start application [persistence]

  Set value (str)  \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Esxju = "\"C:\\Users\\Admin\\AppData\\Roaming\\my9Mq\\ApplicationFrameHost.exe\""
  (process and target not recorded)

Drops file in System32 directory

  File created                  C:\Windows\system32\3177\EaseOfAccessDialog.exe   by C:\Windows\System32\cmd.exe
  File opened for modification  C:\Windows\system32\3177\EaseOfAccessDialog.exe   by C:\Windows\System32\cmd.exe

Creates scheduled task(s) [persistence]

  Process: C:\Windows\system32\schtasks.exe (command line listed under Processes)

Modifies registry class

  All keys are under \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes, the per-user HKCU\Software\Classes view that fodhelper.exe consults before HKCR. The raw report lists the operations interleaved; grouped here by operation. Process and target are not recorded.

  Key created      ms-settings
  Key created      ms-settings\shell
  Key created      ms-settings\shell\open
  Key created      ms-settings\shell\open\command
  Set value (str)  ms-settings\shell\open\command\DelegateExecute
                   (no data shown in the report, i.e. an empty string, which is what the fodhelper-style bypass relies on)
  Set value (str)  ms-settings\shell\open\command\(Default) = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\2l1k.cmd"
                   (the raw report shows the default value as a trailing backslash)
  Key deleted      ms-settings\shell\open\command
  Key deleted      ms-settings\shell\open
  Key deleted      ms-settings\shell
  Key deleted      ms-settings
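Both registry tables (MSCFile in behavioral1, ms-settings here) are the same technique with a different ProgID, and both sit next to an HKCU Run value. The classifier below is an added example, not sandbox code: it takes registry events in the shape this report uses (\REGISTRY\USER\<SID>[_CLASSES]\...), rewrites them to the HKCU view, and emits findings for Run-key persistence, for per-user shell\open\command hijacks of the ProgIDs that auto-elevating binaries resolve, and for the deletion of those keys afterwards. The ProgID-to-binary table is the editor's, drawn from well-known UAC-bypass behaviour and not from this report; the event tuples are transcribed from the tables above.

```python
"""Classify sandbox registry events for user-land persistence and UAC-bypass
hijacks. Added example; the event tuples are transcribed from the 'Adds Run
key' and 'Modifies registry class' tables of behavioral1 and behavioral2."""
import re

# Per-user ProgIDs that auto-elevating binaries resolve before HKCR, and the
# binaries that consume them (well-known bypass targets; editor's table).
HIJACKABLE_PROGIDS = {
    "mscfile": ("eventvwr.exe", "CompMgmtLauncher.exe"),
    "ms-settings": ("fodhelper.exe", "computerdefaults.exe"),
    "folder": ("sdclt.exe",),
}

HIVE = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+(_CLASSES)?\\", re.IGNORECASE)
RUN_KEY = re.compile(r"^hkcu\\software\\microsoft\\windows\\currentversion\\run$")
OPEN_COMMAND = re.compile(r"^hkcu\\software\\classes\\([^\\]+)\\shell\\open\\command$")


def normalise(path):
    """\\REGISTRY\\USER\\<SID>\\X -> HKCU\\X ; \\REGISTRY\\USER\\<SID>_CLASSES\\X -> HKCU\\Software\\Classes\\X"""
    m = HIVE.match(path)
    if not m:
        return path
    prefix = "HKCU\\Software\\Classes\\" if m.group(1) else "HKCU\\"
    return prefix + path[m.end():]


def classify(events):
    """events: (operation, key, value_name, data); value_name/data are None for
    key create/delete and '' for the default value. Returns finding dicts."""
    findings, hijacks = [], {}
    for op, key, value_name, data in events:
        nkey = normalise(key).lower()
        if op.startswith("Set value") and RUN_KEY.match(nkey):
            note = "launch path under a user-writable directory" if "\\appdata\\" in data.lower() else ""
            findings.append({"technique": "T1547.001",
                             "what": f"HKCU Run value {value_name!r} -> {data}", "note": note})
            continue
        m = OPEN_COMMAND.match(nkey)
        if not m or m.group(1) not in HIJACKABLE_PROGIDS:
            continue
        progid = m.group(1)
        state = hijacks.setdefault(progid, {"command": None, "delegate": False})
        if op.startswith("Set value"):
            if (value_name or "").lower() == "delegateexecute":
                state["delegate"] = True
            elif not value_name:                      # default value = the command
                state["command"] = data
        elif op == "Key deleted":
            findings.append({"technique": "T1548.002",
                             "what": f"{progid}\\shell\\open\\command deleted",
                             "note": "handler removed again: cleanup after the elevated launch"})
    for progid, state in hijacks.items():
        if state["command"] is None:
            continue
        note = ""
        if progid == "ms-settings" and not state["delegate"]:
            note = "no DelegateExecute value set; the fodhelper-style hijack normally needs one"
        findings.append({"technique": "T1548.002",
                         "what": f"per-user {progid} handler hijacked (consumed by "
                                 f"{'/'.join(HIJACKABLE_PROGIDS[progid])}) -> {state['command']}",
                         "note": note})
    return findings


WIN7_SID = r"\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000"
WIN7_EVENTS = [
    ("Set value (str)", WIN7_SID + r"\Software\Microsoft\Windows\CurrentVersion\Run", "Uxhwu",
     r'"C:\Users\Admin\AppData\Roaming\FQwN\msdt.exe"'),
    ("Key deleted", WIN7_SID + r"_CLASSES\MSCFile\shell\open", None, None),
    ("Key created", WIN7_SID + r"_CLASSES\MSCFile\shell\open\command", None, None),
    ("Key created", WIN7_SID + r"_CLASSES\MSCFile", None, None),
    ("Key created", WIN7_SID + r"_CLASSES\MSCFile\shell\open", None, None),
    ("Key deleted", WIN7_SID + r"_CLASSES\MSCFile\shell", None, None),
    ("Key deleted", WIN7_SID + r"_CLASSES\MSCFile", None, None),
    ("Key created", WIN7_SID + r"_CLASSES\MSCFile\shell", None, None),
    ("Set value (str)", WIN7_SID + r"_CLASSES\MSCFile\shell\open\command", "",
     r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\AFG97F.cmd"),
    ("Key deleted", WIN7_SID + r"_CLASSES\MSCFile\shell\open\command", None, None),
]

WIN10_SID = r"\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000"
WIN10_EVENTS = [
    ("Set value (str)", WIN10_SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Esxju",
     r'"C:\Users\Admin\AppData\Roaming\my9Mq\ApplicationFrameHost.exe"'),
    ("Key created", WIN10_SID + r"_Classes\ms-settings\shell\open\command", None, None),
    ("Key created", WIN10_SID + r"_Classes\ms-settings", None, None),
    ("Set value (str)", WIN10_SID + r"_Classes\ms-settings\shell\open\command", "DelegateExecute", ""),
    ("Key deleted", WIN10_SID + r"_Classes\ms-settings\shell\open\command", None, None),
    ("Key deleted", WIN10_SID + r"_Classes\ms-settings", None, None),
    ("Key created", WIN10_SID + r"_Classes\ms-settings\shell", None, None),
    ("Key created", WIN10_SID + r"_Classes\ms-settings\shell\open", None, None),
    ("Set value (str)", WIN10_SID + r"_Classes\ms-settings\shell\open\command", "",
     r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2l1k.cmd"),
    ("Key deleted", WIN10_SID + r"_Classes\ms-settings\shell\open", None, None),
    ("Key deleted", WIN10_SID + r"_Classes\ms-settings\shell", None, None),
]

if __name__ == "__main__":
    for label, events in (("win7", WIN7_EVENTS), ("win10", WIN10_EVENTS)):
        for f in classify(events):
            print(f"[{label}] {f['technique']}: {f['what']}" + (f"  ({f['note']})" if f["note"] else ""))
```

The hijack finding is emitted once per ProgID after all events are seen, because the sandbox lists the operations out of order and the DelegateExecute value may be logged before or after the command. A per-user handler hijack is only a bypass if the consuming binary actually runs, so in practice join these findings with the process list (eventvwr.exe on Win7, fodhelper.exe on Win10 in this report).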

Suspicious behavior: EnumeratesProcesses

  Process: C:\Windows\system32\rundll32.exe (4 events with a process recorded; the remaining 60 rows carry no description, indicator, process or target)

Suspicious use of AdjustPrivilegeToken

  20 events, alternating Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege (10 each); no process recorded.
  Caveat: this privilege pair is what the Windows shell and its helpers toggle routinely, so on its own it is not evidence that the sample manipulated a token. It is listed because the sandbox flags it, not because it adds weight to the verdict.

Suspicious use of FindShellTrayWindow

  2 events, no process recorded. FindShellTrayWindow is the usual way to locate the shell process before injecting into it.

Suspicious use of UnmapMainImage

  1 event, no process recorded. Unmapping a process's main image is the hollowing step that precedes mapping a replacement image; compare the identical 0x140000000-0x1400C6000 region in the PID 4764 and PID 3524 dumps under Files.

Suspicious use of WriteProcessMemory

  Each writer/child pair appears twice in the raw log (one row per WriteProcessMemory call); collapsed to one row per pair, in logged order. "Process" is the writer's image as recorded, "Target" the child's. No indicator column was populated.

  Writer PID  Child PID  Process (writer)                   Target (child)
  3524        4216       (not recorded)                     C:\Windows\system32\DeviceEject.exe
  3524        4252       (not recorded)                     C:\Windows\system32\CustomInstallExec.exe
  3524        4120       (not recorded)                     C:\Windows\system32\plasrv.exe
  3524        3488       (not recorded)                     C:\Windows\system32\browserexport.exe
  3524        2112       (not recorded)                     C:\Windows\system32\logagent.exe
  3524        3612       (not recorded)                     C:\Windows\system32\mavinject.exe
  3524        2980       (not recorded)                     C:\Windows\system32\TapiUnattend.exe
  3524        2196       (not recorded)                     C:\Windows\system32\rdrleakdiag.exe
  3524        3032       (not recorded)                     C:\Windows\system32\ApplicationFrameHost.exe
  3524        3792       (not recorded)                     C:\Windows\System32\cmd.exe
  3524        1552       (not recorded)                     C:\Windows\System32\cmd.exe
  1552        1504       C:\Windows\System32\cmd.exe        C:\Windows\system32\schtasks.exe
  3524        3056       (not recorded)                     C:\Windows\system32\EaseOfAccessDialog.exe
  3524        3384       (not recorded)                     C:\Windows\System32\cmd.exe
  3524        4792       (not recorded)                     C:\Windows\System32\fodhelper.exe
  4792        4544       C:\Windows\System32\fodhelper.exe  C:\Windows\system32\cmd.exe
  4544        3624       C:\Windows\system32\cmd.exe        C:\Windows\system32\schtasks.exe

  As on Win7, the writer behind every first-level child (PID 3524) is never a target and its image is not recorded. The fodhelper.exe -> cmd.exe -> schtasks.exe branch creates the /RL highest task.

Uses Task Scheduler COM API [persistence]

  No indicator rows recorded.

Processes (image path, then the command line as recorded)

  C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0a2c9ed80ea01ad0b5bd3e120cb6c390_NeikiAnalytics.dll,#1
  C:\Windows\system32\DeviceEject.exe
    C:\Windows\system32\DeviceEject.exe
  C:\Windows\system32\CustomInstallExec.exe
    C:\Windows\system32\CustomInstallExec.exe
  C:\Windows\system32\plasrv.exe
    C:\Windows\system32\plasrv.exe
  C:\Windows\system32\browserexport.exe
    C:\Windows\system32\browserexport.exe
  C:\Windows\system32\logagent.exe
    C:\Windows\system32\logagent.exe
  C:\Windows\system32\mavinject.exe
    C:\Windows\system32\mavinject.exe
  C:\Windows\system32\TapiUnattend.exe
    C:\Windows\system32\TapiUnattend.exe
  C:\Windows\system32\rdrleakdiag.exe
    C:\Windows\system32\rdrleakdiag.exe
  C:\Windows\system32\ApplicationFrameHost.exe
    C:\Windows\system32\ApplicationFrameHost.exe
  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\qwd.cmd
  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{6fbc9e50-6a1b-17d9-5db5-133f618c672e}"
  C:\Windows\system32\schtasks.exe
    schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{6fbc9e50-6a1b-17d9-5db5-133f618c672e}"
  C:\Windows\system32\EaseOfAccessDialog.exe
    C:\Windows\system32\EaseOfAccessDialog.exe
  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\8wk4z.cmd
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3980,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=3628 /prefetch:8
    (Edge utility process present in the trace; the WriteProcessMemory log records no relationship between it and PID 3524)
  C:\Windows\System32\fodhelper.exe
    "C:\Windows\System32\fodhelper.exe"
  C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\2l1k.cmd
  C:\Windows\system32\schtasks.exe
    schtasks.exe /Create /F /TN "Lgeeulo" /SC minute /MO 60 /TR "C:\Windows\system32\3177\EaseOfAccessDialog.exe" /RL highest
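The two schtasks /Create lines (Trqxvscxs on Win7, Lgeeulo here) and the two Run-key launch paths share a shape worth detecting generically: a task with /RL highest on a minute schedule whose action is a copy of a System32 binary sitting in a digit-named System32 subfolder, and a Run value pointing at a copy of a System32 binary under AppData. The script below is an added example, not part of the report: a small schtasks argument parser (quoted arguments, value-taking flags, the invocation found after cmd /c) and two checks built on it. The list of System32 file names is constructed from the binaries this report shows launching from System32 and stands in for a real directory listing; the "NightlyBackup" line is a constructed benign control.

```python
"""Parse schtasks.exe command lines and flag the patterns this report shows:
/RL highest, minute-based schedules, actions in digit-named System32 subfolders,
and system binaries relocated out of System32 (the side-loading host).
Added example; inputs are the task and Run-key paths from behavioral1 and
behavioral2, plus one constructed benign task for contrast."""
import ntpath
import re

TOKEN = re.compile(r'"([^"]*)"|(\S+)')          # quoted argument, or bare token
ACTIONS = {"/create", "/delete", "/change", "/run", "/end", "/query"}
VALUE_FLAGS = {"/tn", "/sc", "/mo", "/tr", "/rl", "/ru", "/rp", "/st", "/sd", "/ed", "/et", "/du"}

# Names that exist as C:\Windows\System32\<name>, taken from the binaries this
# report shows launching from System32. On a real host, list the directory.
SYSTEM32_NAMES = {n.lower() for n in (
    "msdt.exe", "sdchange.exe", "fvenotify.exe", "eventvwr.exe", "fodhelper.exe",
    "ApplicationFrameHost.exe", "EaseOfAccessDialog.exe", "DeviceEject.exe",
    "CustomInstallExec.exe", "plasrv.exe", "browserexport.exe", "logagent.exe",
    "mavinject.exe", "TapiUnattend.exe", "rdrleakdiag.exe",
)}


def tokenize(cmdline):
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN.finditer(cmdline)]


def parse_schtasks(cmdline):
    """{'action': 'create'|'delete'|..., 'flags': {'/tn': ..., '/f': True, ...}},
    or None when the line does not invoke schtasks.exe (also found after cmd /c)."""
    toks = tokenize(cmdline)
    start = next((i for i, t in enumerate(toks)
                  if ntpath.basename(t).lower() == "schtasks.exe"), None)
    if start is None:
        return None
    parsed = {"action": None, "flags": {}}
    i = start + 1
    while i < len(toks):
        key = toks[i].lower()
        if key in ACTIONS:
            parsed["action"] = key[1:]
            i += 1
        elif key in VALUE_FLAGS and i + 1 < len(toks):
            parsed["flags"][key] = toks[i + 1]
            i += 2
        else:                                       # bare switches such as /F
            parsed["flags"][key] = True
            i += 1
    return parsed


def relocated_system_binary(path):
    """A file named like a System32 binary that lives somewhere else: the signed
    host an attacker drops next to a DLL it will side-load."""
    name = ntpath.basename(path).lower()
    return name in SYSTEM32_NAMES and ntpath.dirname(path).lower() != r"c:\windows\system32"


def assess_task(cmdline):
    """Reasons a /Create command line deserves a look; [] for anything else."""
    parsed = parse_schtasks(cmdline)
    if parsed is None or parsed["action"] != "create":
        return []
    flags = parsed["flags"]
    action = tokenize(str(flags.get("/tr", "")))
    exe = action[0] if action else ""
    reasons = []
    if str(flags.get("/rl", "")).lower() == "highest":
        reasons.append("/RL highest: task runs with the full administrator token")
    if str(flags.get("/sc", "")).lower() == "minute":
        reasons.append(f"/SC minute /MO {flags.get('/mo', '1')}: periodic re-launch, not a one-off")
    if re.match(r"^c:\\windows\\system32\\\d+\\", exe, re.IGNORECASE):
        reasons.append("action sits in a digit-named System32 subfolder, which Windows does not create")
    if relocated_system_binary(exe):
        reasons.append(f"action is a copy of a System32 binary ({ntpath.basename(exe)}) outside System32")
    return reasons


if __name__ == "__main__":
    lines = [
        r'schtasks.exe /Create /F /TN "Trqxvscxs" /SC minute /MO 60 /TR "C:\Windows\system32\9535\fvenotify.exe" /RL highest',
        r'schtasks.exe /Create /F /TN "Lgeeulo" /SC minute /MO 60 /TR "C:\Windows\system32\3177\EaseOfAccessDialog.exe" /RL highest',
        r'"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{f88aa085-2df5-1d76-19b1-e998b140f7f3}"',
        r'schtasks.exe /Create /TN "NightlyBackup" /SC daily /ST 02:00 /TR "C:\Program Files\Acme\backup.exe"',  # constructed benign control
    ]
    for line in lines:
        print(line, "\n  ->", assess_task(line) or "no findings")
    for run_value in (r"C:\Users\Admin\AppData\Roaming\FQwN\msdt.exe",
                      r"C:\Users\Admin\AppData\Roaming\my9Mq\ApplicationFrameHost.exe"):
        print(run_value, "-> relocated system binary:", relocated_system_binary(run_value))
```

On a live host the same checks apply to the XML under C:\Windows\System32\Tasks (the Exec/Command element and RunLevel) and to HKCU\...\Run values; the command-line form is used here because that is what the sandbox recorded.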

Network

  The report does not attribute traffic to a process. Everything below is reverse-DNS lookups plus bing.com/tse1.mm.bing.net over TLS, consistent with Windows 10 and Edge background activity rather than command-and-control; none of it is a sample indicator on its own.

  Country  Destination         Domain                          Proto
  US       8.8.8.8:53          8.8.8.8.in-addr.arpa            udp
  US       8.8.8.8:53          154.239.44.20.in-addr.arpa      udp
  US       8.8.8.8:53          133.32.126.40.in-addr.arpa      udp
  NL       23.62.61.155:443    www.bing.com                    tcp
  US       8.8.8.8:53          155.61.62.23.in-addr.arpa       udp
  US       8.8.8.8:53          196.249.167.52.in-addr.arpa     udp
  US       8.8.8.8:53          183.59.114.20.in-addr.arpa      udp
  US       8.8.8.8:53          171.39.242.20.in-addr.arpa      udp
  US       8.8.8.8:53          31.243.111.52.in-addr.arpa      udp
  US       8.8.8.8:53          55.36.223.20.in-addr.arpa       udp
  US       8.8.8.8:53          tse1.mm.bing.net                udp
  US       204.79.197.200:443  tse1.mm.bing.net                tcp  (4 connections)
  US       8.8.8.8:53          67.112.168.52.in-addr.arpa      udp

Files

memory/4764-2-0x00000191FEBE0000-0x00000191FEBE7000-memory.dmp

memory/4764-0-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/3524-3-0x0000000003180000-0x0000000003181000-memory.dmp

memory/3524-5-0x00007FFEA424A000-0x00007FFEA424B000-memory.dmp

memory/4764-6-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/3524-15-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/3524-24-0x0000000140000000-0x00000001400C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qwd.cmd

MD5 0b7e2c30d2c48bafccba17529c8ed142
SHA1 9f9761eb5be21a6047bd644008f7080559f52389
SHA256 62fef3b9741a0b820e3bf4a3cd7babc13b7628cecd932163a6af45f014487db4
SHA512 5821ded1864e15d42fdf75b6974bfd13e04a8d0b56e7d5b79d7cf382d3cb873f38239743b1d2ed723527c3b439d1230d838b92b9d752d59414f52b541bc8c9f7

memory/3524-52-0x0000000140000000-0x00000001400C6000-memory.dmp

C:\Users\Admin\AppData\Roaming\my9Mq\ApplicationFrameHost.exe

MD5 d58a8a987a8dafad9dc32a548cc061e7
SHA1 f79fc9e0ab066cad530b949c2153c532a5223156
SHA256 cf58e424b86775e6f2354291052126a646f842fff811b730714dfbbd8ebc71a4
SHA512 93df28b65af23a5f82124ba644e821614e2e2074c98dbb2bd7319d1dfe9e2179b9d660d7720913c79a8e7b2f8560440789ad5e170b9d94670589885060c14265

C:\Users\Admin\AppData\Local\Temp\IF09A.tmp

MD5 41a2187acdf55945ee4a6fb4691221f6
SHA1 1fbb810a5564456a705dd92ba78f2511aded46b6
SHA256 d1303d89d980ad9f1ea1194364ad7fc0129bce29b9abddf03befa9ed2472287b
SHA512 1784921847e1279e36a51bf2e9c0f8d2b20d4a113eac0e5efe42694ac00b1065d016e6767dc8dba221341b211bbeda43cbd9add86e0d4ebb361ef37d6d141825

memory/3524-43-0x00007FFEA5040000-0x00007FFEA5050000-memory.dmp

memory/3524-42-0x0000000003160000-0x0000000003167000-memory.dmp

memory/3524-40-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/3524-31-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/3524-22-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/3524-23-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/3524-20-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/3524-21-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/3524-19-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/3524-18-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/3524-17-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/3524-16-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/3524-14-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/3524-13-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/3524-12-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/3524-11-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/3524-10-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/3524-9-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/3524-8-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/3524-7-0x0000000140000000-0x00000001400C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8wk4z.cmd

MD5 1c916fe7f303a0f5d34c6c75f1f81f3c
SHA1 f8226d709c26b9aed7c3525f0945248a7c9de63f
SHA256 a5a9ee43e42cc01046a1d826e54241ad7f52c212b111f48fcfb7bc6f880eb91f
SHA512 4fcebc04df43ad995b9a6329142d87f815d7b3fca06cfecefbf24b449a5394699996158eb1ce5959e8dbd9f7b41b2581809f6c540b51a8038cca29d718e30873

C:\Users\Admin\AppData\Local\Temp\xF56D.tmp

MD5 2b34306d297fd998f0df59894f546438
SHA1 341b6d6c8c274cef1f3ca170952347ae4a36ee66
SHA256 0d7cdceace9aaa7ed355d0452ef0a340db52f4b9817e06a72108f93bc3b7fbcf
SHA512 d65cec4d8ee02f61e499193aa335c3bfd8ac64f3d26a7e73abe50931e4376fe5f5c14c84611708fb1d63cd47aeaec6fbd89deab65a069f4c499d02fb9abc7199

C:\Users\Admin\AppData\Local\Temp\2l1k.cmd

MD5 7dfd572db8b7bf2ea2ef9ee92d9e4c35
SHA1 93e6bfcc915b943aa7116d3a9946fcb25abe37b9
SHA256 32cd6a05eec328e0b003e9e24443121891eecb7dc385137ecfb482618bb2fd60
SHA512 3ee1db9399c6290f060519649b2a398b7049a9b020c9b8621b6ab2f425e0606f3da098e09ab424a18b86711a7d9c75af5ad2955e53602ed45c933786a05fe316

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Esxju.lnk

MD5 0e36417b34b1306a193d1818c3050f1d
SHA1 bab42801b218b895bbd44e515c0fc68feda70271
SHA256 dd255716f31a92672dddc2563b40f0704e4fd446800857c1f14eb43da938cf44
SHA512 e4937eeffcc2b5819ed5f20f2a36e28924e038f63e3e7d3aa8afde993a371b63a380af8ef2cf1e4d01c7e071cb085323fd03f2eb786bd67fa5d3d1a9587d4123