Malware Analysis Report

2025-08-05 09:38

Sample ID: 240607-tvbtdsca28
Target: 6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe
SHA256: 36af0f14f529603d7046850eff639ec28b64fda03f286c91c87e7cd2a6aefe46
Tags: persistence, upx
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 8/10

SHA256: 36af0f14f529603d7046850eff639ec28b64fda03f286c91c87e7cd2a6aefe46

Threat Level: Likely malicious

The file 6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

Tags: persistence, upx

Modifies Installed Components in the registry

UPX packed file

Checks computer location settings

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Modifies Internet Explorer start page

Views/modifies file attributes

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-07 16:22

Signatures

UPX packed file

Tags: upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-07 16:22
Reported: 2024-06-07 16:26
Platform: win7-20240508-en
Max time kernel: 140s
Max time network: 140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe"

Signatures

Modifies Installed Components in the registry

Tags: persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5} | C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe" | C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe | N/A

UPX packed file

Tags: upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\WINDOWS\SysWOW64\ie.bat | C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe | N/A
File created | C:\WINDOWS\SysWOW64\qx.bat | C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\WINDOWS\windows.exe | C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe | N/A
File opened for modification | C:\WINDOWS\windows.exe | C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe | N/A
File opened for modification | C:\WINDOWS\windows.exe | C:\Windows\SysWOW64\attrib.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

Tags: adware, spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0214661f7b8da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4B3052A1-24EA-11EF-9BF1-5630532AF2EE} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value omitted) | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\International\CpMRU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423939284" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b0000000002000000000010660000000100002000000095404a1b569b19d33518aff3c838c9317498ebb677e2dcb6e1889e7a05d4cd70000000000e8000000002000020000000b85cbc2611da332e3680cb29c5918ce7a2e638e7c7c929a56d954fe4f3cbf71f2000000026b079662ebeac622b0132b9e815076c3f1dc0882ea25165140875d43b022fc64000000039d9206b90a4807718a56faefd2c727847a2bca0f4890eb82d8eeacce1be78930ff06a1df8aa25b36662d84de03d64d9758f89e233df86274ef3ffd666b2d4e2 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Modifies Internet Explorer start page

Tags: stealer
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com" | C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2108 wrote to memory of 1260 | N/A | C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2108 wrote to memory of 1260 | N/A | C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2108 wrote to memory of 1260 | N/A | C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2108 wrote to memory of 1260 | N/A | C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1260 wrote to memory of 2396 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1260 wrote to memory of 2396 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1260 wrote to memory of 2396 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1260 wrote to memory of 2396 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2108 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 3044 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2876 wrote to memory of 3044 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2876 wrote to memory of 3044 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2876 wrote to memory of 3044 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2108 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 2536 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2620 wrote to memory of 2536 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2620 wrote to memory of 2536 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2620 wrote to memory of 2536 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2108 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 1976 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2852 wrote to memory of 1976 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2852 wrote to memory of 1976 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2852 wrote to memory of 1976 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2108 wrote to memory of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2616 wrote to memory of 2512 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2616 wrote to memory of 2512 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2616 wrote to memory of 2512 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2616 wrote to memory of 2512 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2108 wrote to memory of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 2584 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2524 wrote to memory of 2584 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2524 wrote to memory of 2584 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2524 wrote to memory of 2584 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2108 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2956 wrote to memory of 2144 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2956 wrote to memory of 2144 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2956 wrote to memory of 2144 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2956 wrote to memory of 2144 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2108 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2224 wrote to memory of 1940 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2224 wrote to memory of 1940 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2224 wrote to memory of 1940 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2224 wrote to memory of 1940 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe

Views/modifies file attributes

Tags: evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1260 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\WINDOWS\windows.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h "c:\system.exe"

Network


Files

memory/2108-0-0x0000000000400000-0x000000000043A000-memory.dmp

C:\WINDOWS\windows.exe


C:\system.exe


C:\Users\Admin\AppData\Local\Temp\Cab22CF.tmp


C:\Users\Admin\AppData\Local\Temp\Tar22D1.tmp


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015


C:\Users\Admin\AppData\Local\Temp\Tar2364.tmp


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 e84e516961f3adb9612d984432a9f622
SHA1 c4001671154952729e70e53f8be1314f6950cf23
SHA256 95c46f98f4537d3e8351528fb9cd088ff6fc1b375c5c0431b7aca7310f0a162a
SHA512 b0b5e585ea2e6ffecc7171cecdeaaf14d881a34717b944f0b9e540ff0dedd1a90e47ebfc3acaa0d25234a081fc3d2b0a6ede004aea2e058bdcf19d9225d585f2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 981ce13145b3decd5647072a297bc68a
SHA1 c157c116de30d460ffa43b82badaccb7ee68da68
SHA256 14a251cca182ae4e40ebe67c4da490ca009a3f2eaa7fe5e754c0696c8d3e42c9
SHA512 e0d0c981e94dee5194da5e5f79f0a2a7ec483ac72f6c03997155b067a180de63cd97523f075073ad02b753511f5eb0fe956caaa907e808dd939d524f30ca302f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6538dc4d2a5974420cff4303d43ceae1
SHA1 d699ad5dcd00f807de8f05c279f93383169751cb
SHA256 575cdff76990172006bf7a93b03c680f3bac4200601a3f841190852aa67945f2
SHA512 13259241303b1d78cf9f3da4482cf4320bc726d669ac8c75422229c459472a13c7bd73783179afeca4b59b0c24f2bd884cbad9accdcad73aec15361dd419123d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b5eabe3d5463b0236611b3fdf18c0616
SHA1 cc5b41fbdcedb1561a461163f3c5be1b0c6cfe23
SHA256 4308b5ae2133d4407b96cc641e0039521a03b0fd38be9894dd2dd9f91c35a3f8
SHA512 5251249032c60ae2f753de870ea16cd9b2a8e05c47388acbf68ea517ea5b46b037d15ab684041fe08bc589bcb52a7c4a20856239a50bb434d59f5f4e13b353c2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c7c5f4e55b08119f32e48bc474d65149
SHA1 c299283896e2c28673b03b80ef3daec8d30e2846
SHA256 486615576e0fb52df4da3180f226480e616a80caa6c0b3c7260b3ba5b709a858
SHA512 51362f53482c3482af6e069afedf3e08fc26d11ab5c7558b763f3a2f314f80f7a1db586a5a3dc96e1dc67f26549a75c74cabbf79cf7329be24ac70a8164bcb10

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 209552260770215bb99c09200ee79a2c
SHA1 6622443e9f5ed8570ffd19cd5dab7549520ee36e
SHA256 a7e89eb0d88e7a6b1335829c255ff45eaf6e849ee05372115bb317de6d8e91a0
SHA512 841a133bff2e6c4cdeee65fd98a06e89143cdfdd3bd7640bf07032742e8aa207786af89a0a4d0d516ca84b73ae5f7df6bcd4c0e6b48557090312e8b21e4684f2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c8611c73a1b8cb69811b7e68c75a3338
SHA1 48928040053609d76df05d0641252c8ca2c3f532
SHA256 52ef2e1c23f6d2c33bd534712c87e2e94d1ec7b07fc577fffcf7ca2f3a830153
SHA512 47a7ff6f009c2ef640de4fd762d4ff7ab8391f01ea93271ec61468aac1e195d2ce74a5469dc432d643876820c897c5d5a4b372d9a6029b58dd644dea951d81f4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ad321e7234aedb55575e8b7d387e04ce
SHA1 bb59fede6f8714a0060039dfc7a6b3f27f6db520
SHA256 f3fa289eef3abe18f577a1c7997f4f92980d173d26772a6a6554db07e5aabf62
SHA512 1f55d54d3f5e2b09e70239f5057f1050632319331d7459d604d9b24e26a9e45660ba7980694e29cd414ae700e158dab49af6a8505c9a851350fbb62682e97319

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dcc345ef62216f7dce3fd7f9fb54659d
SHA1 0f02b01bc7d631770ac23d867eb1f4bf67e8610a
SHA256 380c5ed9f12c18b2041ca256b91f4ac56ccfe79b3817e3f901c123a64f37a73d
SHA512 2b3e85c6cdd9c0df513e4ba968b304d0131a30a5a8a93821811676e6778ebb36763e15878f0c9ba0a3d92e99a401cff873409b70a49e50cf32ac2128b5d1fd82

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6525274CBC2077D43D7D17A33C868C4F

MD5 074e2659465dc71a4cb8e5bbf983376e
SHA1 0a67d1d358ec27b999782fdad8606e282204610e
SHA256 19a0bc6fec1a70111dc75578d83d70991539ecf9de2faf5a356068ef2590b1e7
SHA512 a2b4106058dd5c157b20c0a75d1a9b2b87088f51e42e680956e57716b9ebca06cdec4ac89f427316cec4f599b3639e1a8f21ddd6c02f36c5415cc275d6841826

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ee63fbc8557f2da297ad6a9257dd2477
SHA1 f9426309c446266626c360db66ee34099a0ab2d4
SHA256 16268186b613f7bcf99c9dc21192ec876834039dbedc220d1ee057bddf6f7e5f
SHA512 7b30cc6d34bb825339d47e3bc09ebf85ee462ed196442c0e444961410a4b8aaef483472cf9ac337f06655f2958dd2e74aebeab680f0d814a0236c5756bb5095d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6525274CBC2077D43D7D17A33C868C4F

MD5 d5e98140c51869fc462c8975620faa78
SHA1 07e032e020b72c3f192f0628a2593a19a70f069e
SHA256 5c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e
SHA512 9bd164cc4b9ef07386762d3775c6d9528b82d4a9dc508c3040104b8d41cfec52eb0b7e6f8dc47c5021ce2fe3ca542c4ae2b54fd02d76b0eabd9724484621a105

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ce5a21d9d9f7b5ca44b364ce31c4a5c7
SHA1 56d061c1238f1835be9dd54dd561b4d9d48e64a5
SHA256 f391558d942fea088bb1f183c962f7e2262fbe69c5a50a1fa536491168e26df5
SHA512 e4adf781305a4d3e20178beeb659e1d3b69b387b542f709ed8e5a49eb40cadb3cb7a5cd029120080fa81295f8f19dda00fec569e95d5ec830649ef6c99995ff5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3ddf478a4f6d5bc03bd64bada50263f8
SHA1 1276f7ddf260dd5c409d9933198dddd990ebf09a
SHA256 4662af2497bf2409a3ff4d94468418b755d31f8fb962d9088cd26683c3161b17
SHA512 28e37183bf764b6ce6ba920b4e4555c26c37e8f21c0b8969ab5843b72a6774017b74c76e9b5fec3e6e197ad36056c9eb05bdbe48564c338130a16b903dae7d0c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8619fb42b623d3f737fee02cae9874c0
SHA1 a13cd06d21c4c789bbd0ff0ccf8f7aef082266df
SHA256 6c0f77ee5df627aa1f8dca2b234b380aeebea52e6b0b3e78462d3a520753b752
SHA512 cb92890c1387ef8921b375b57a0eda75508b9dede588fe63eecd07c8d2c59b48ba344ac21c27dd20913996eb4169942667d34a81c9fc651e84702e093f4063c0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4e72f2cb6cc96811962a2cf462617232
SHA1 0babe2201a48d4e2e0d1b45bd177e3fc25d365b9
SHA256 694d3c5aaae7cea7155e4f04824c63665cef53156a5f5e28f26fa2f49f6cbe3c
SHA512 aefff0fd1c41a3062fe6b36a9d51fd21aa72098e46b2d790308bdac668d1622573c2db30d671cbc05c7623130e33360ef855732e02b04fe635d67a1e1c25a6fe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 98a255c1c1dfb87bfb41b2ccc8791d46
SHA1 4be2943754a8188723a5e5c0a8e962440a8ac990
SHA256 994c9d2c6a7e93aee67e26843bb469e66ebc2486bc76544ad61f4753832e72bb
SHA512 d6a02d623a997d7b0a0b33c43e84c59f31a6fada6dd899031f6eb230e004666cbaa3d0c4b1041adee0c781dc9d8a326f64daa5ef5a6c3d030d098750551c4ca8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3a206f3065678f992dd43033eb55da7e
SHA1 ce2bae812c36f5be246a591840e2a84f705d7352
SHA256 1788968bf2e69991d8ed6080c39aaf7509d53823a933dc810f2959901047d95f
SHA512 bda610ee3eb79bfef19dcf840139ab2d8ee4d02a428a09830efdbeb93f19306618a9af615221f8b72c75458d33ef30aca7d3ce55fa7c1138be245d7d905b4fdb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A4B782275DC1682E4DC39E697A49B151

MD5 235a8a25c7418400d72d35a530c9e4ca
SHA1 6d9600c99f9dd6a7151c75dc68e164fe835af3b3
SHA256 7213e1fb15aadbd84a2964b866ff9ffcc0e3c8ea13cc151f6d5c968b0bcbacc1
SHA512 02637eb11f6d66de1327a46a57342208ecac8be858f26c83ac82fb8cf8bc23c71749aad06323dca975cfe0aee3ec437d40e3b833303ae9c7a582d53dab67e11d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 517f7449cd8ccd66f8b4beb8b3ea2ad1
SHA1 b6acf45847f0e6b4a7a69ed59d05fb478fc225a5
SHA256 51e189e3813eaae9059bbb903d1694d6ed0eb9d7b32052dc6a69b51614f0955b
SHA512 b2fdeb0936e9abf1c2117590e430eeb29f70ced1723258a8dfd821b7b4def90050e89b02b1512c12009b2861ca394a10c355ece3f6b5a5c6274d4db0083bb906

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 972fa0865d7739de6a05b9465b4d9355
SHA1 c54bdea0bb67ed0f8f7afc9e3098893fc534f2f4
SHA256 f76d3d969aaf822c73bf3309ddb93ae47e713f120ab1ba598eb95a38cd70511c
SHA512 aabe0cae618777d4b2ab6c2cea3696ecfefda63848d8e53be11f363ddbf7335324d4dad7326b251af7d7b3f3792eecdb204e4c36ee8bd47fb5d18c58a6c7b239

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A4B782275DC1682E4DC39E697A49B151

MD5 96c25031bc0dc35cfba723731e1b4140
SHA1 27ac9369faf25207bb2627cefaccbe4ef9c319b8
SHA256 973a41276ffd01e027a2aad49e34c37846d3e976ff6a620b6712e33832041aa6
SHA512 42c5b22334cd08c727fdec4aca8df6ec645afa8dd7fc278d26a2c800c81d7cff86fc107e6d7f28f1a8e4faf0216fd4d2a9af22d69714ca9099e457d1b2d5188a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2c5178f493156f67449297f1aea116d7
SHA1 6bc2905a897765e3b03e14370b8c2213d2c5780d
SHA256 f2f8a587051c01f92de75f6d454f1a5db840cd085d56ecf25df2e23f736ff315
SHA512 6a063d9790224a5653f5b4f960b39b1cd5b27624921a9f90f6a184942606dd9434c8d20b4b14fde3529749d2c272f8cd5c44798f1d67e4cd5be18b46e6a62a51

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b29f99bd16da758c5494da3bdd135b6c
SHA1 deafccb83e7216951f47136307e5c2a5cd44f30b
SHA256 2f845dafb1286069c5db7179204607e2a8ba4c11888fb5d675fdbe6c05a3afc4
SHA512 3bd44d073657f6f5ce63a91a41b9ff53aafe2ad87b6a0ebaa227b4402af9d098d0689600efaceda78711ff1e9b919ae04e9fb7e61a51f7bf4ae1f88ec00a55f9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 63bf4f02207f6edc2f6ea4964edaa76a
SHA1 ff8b84cfe6d0b4372ae0106df4188eb4ecbdae3a
SHA256 4342d2fcddd98ffb219764bbf4a9671cc5402aeedf2320715e5d641e8125dc59
SHA512 ef83a0320533f44c6e25dfbff5aed911355fc78d74b9e98d8d14a46be8b9144976d0d6386668444c6d61045a8f0f3bb348059249a6410896d62039300913fc70

memory/2108-1420-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 670db39b3845a4a7ef6de7513a1fff4c
SHA1 04ed4d5e9b2769d86f41a75f4d41540f284b0c1e
SHA256 49efc3b379437fcf868f1fa663e930a306cd7dc15083f75850a40291549659ba
SHA512 18115078208c8bfc49664122cdcc3d3ce4f409e8a20a4a158ae6a3ae9de7dfadb40af38dd5dd2a86cd6274007cda71a8a027047ff82b8a7dc55baf228bb7243e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eb5db44349de0322b22a39aae988ce6f
SHA1 7e9c0b54084c2b66cdbc52a6e2032f4dae03ae80
SHA256 e9796a2ba01e8aa6ab1ca41579d8e4bca0e546839ed5a5cc9d2b01822cba1118
SHA512 40674150cfef940f3fad7d9f8c95b5a7e344217f0fa192bf07256e7729b97352551aec05d1717c13bbd42a0d886c0257e1f721e58ebd28a9c92be2d4776583a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 0758078d0303750c37b5949070d15a39
SHA1 cd4ac4a9d708409636d2fe940ac00da225a45fba
SHA256 f31d18c47de0c350e020a8469b9c059bc1ec07d613f48ae3ffdeacdd4baa8c04
SHA512 8918b21dc9ed1040c7683afa69efee62305016204c4751f8c311a0848cafe8ed57a353bce07294ef4b6aa4f39b630ce34561b96165206538c5c25b7340674f72

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 663058ce2cd8b4f6249d44f2f2deb06e
SHA1 58ef3026b3a66b88de538d8a467229c00e526ebd
SHA256 6a79f78f16fdf36350074f4c6ffb03b25043df8dd4ac55ff8312d3995b018b25
SHA512 d252b470ade29bc005ff117af823ae79528c71dd78ac3c08b7151a880e230432a05725ff4c62ad4e718bbf48ea92db8b1de9328fea7d0212034a300efadb5434

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6bffa539628fdcfc3d62412092ec2206
SHA1 920b662284fbaf6ea57027814a437de074a4888d
SHA256 3e55c746964d74a6bae3c8211a61497e90d0662b61c545947550205ecbdec32f
SHA512 0551ca2afe046a07d6d466ba8abb157ab88c75cc00c6bfb6a8b3459d3cd3f1de7574b7a27ba9f4e0e093d83a6b8d3cef9307a1b63f84d7ac546dd947e6ec602b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1a99908b3c5f8ce0fddc8ba5f17aaf05
SHA1 ad41da6d3749ffc8042413c640c0e65b04bf5ba5
SHA256 0ffc28479e422ad8b9106c89d2122ccfdc7a9956ddebc4263c96fbec11e14d64
SHA512 a735fd3775b3282866f0f07b7beb1eaa0a15f22bf986bc95fef5919c5fd38f38616db2b0e4effdfa54e3035d441ab0af631ef53657500399795a99e1720c5c6e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fff700f63a59659213a52273d81305df
SHA1 1d994cf0ac72fef30bbaa853e7336f109626181d
SHA256 b9049866bb26b6383a83c498d2d51ed3a8693647998bb13e554772f5849bc15d
SHA512 179f3857b8cc7db35d317a17b0de141b8041a28ffd75b3f0a60e7385448be43dd85429766029f7f664438d63d65d6a250fcaccc8db1d30820757a9b394497522

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1ea043d5044b3ca27248f8aae2da12af
SHA1 c4d4073e11649a0f8229f933bb21c8556aa6dfb4
SHA256 cb10ad4703bf72241b90be5314909a47ff16d7d3fede7a1148e618cd2ea9c325
SHA512 d93c4b4ae02fffa22735845c20a1a42904a883cc842568c89ebbf265da9903f1fdaf1bec605cb3def41c409355e87e4073b3bb467182ec7d0e14870931336d11

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 9e61e918433164a85d641cbe2c329b07
SHA1 dce2ee274990f98cffd94427517541235c9752e5
SHA256 c8db9f3577ebe2ecd9c10125dc9e59b3ea69343e5fbeb3da71653afdf7d6d883
SHA512 ce14e63241ab17afde1de61ee8ff47369239731c91792cc370609959784bb84012785a7c3f5f3b6ae7d4b16969c71da5d4f20c9d8e9c8f0f56fb9573bc21ad68

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5b41716e9b951b46d131bc22064e7b6c
SHA1 0ff8ea7909ccfd7544e3c199a4896d0a23454520
SHA256 25bc011cc9cb03f6b6babe0735fbd543d9a8d876ab067682c72de39c7f005e6d
SHA512 6f41cf2b65ca785e001cda96a0c60d02e247019f753a36b35250699fa39f00ba18afdfee5de2875d28139ee5f3158d312023d347b89d3e4ced52271b5a616b55

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bf55ff5de7e15336f3e0186dab7d1098
SHA1 45d0dd6ae27511e148c8deb94e13c2392d96dcb4
SHA256 27e399d58955ffe9b3627c1bfc06618352667ca1206df34df7cf2561f272c6de
SHA512 71d9b094a6226f5e230dd93814b8f551c49d49efbd609bc3becb93f525dbf2729247818ff1d5e6ac608d89771d2822974fd10c182a050f885f8141b039f0b45c

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IO0LJX84\favicon[1].htm

MD5 0542ad8156f4dfca7ddcfcb62a6cb452
SHA1 485282ba12fc0daf6f6aed96f1ababb8f91a6324
SHA256 c90cdefdb6d7ad5a9a132e0d3b74ecdb5b0d5b442da482129ba67925a2f47e8f
SHA512 0b41affa129277bf4b17d3e103dc4c241bc2ac338858cc17c22e172ec2ac65539b63e802246efb462cd134d99907d9c5ed9bc03937cadcca3155b703ac6e3195

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 73256449f17ba16c73607bd239738bdc
SHA1 eb4a43289889ba47e29ee9c559e2880302c52483
SHA256 05dc2eafb6c4cbbfc6b816ea237585ab77a76d0d51f23c4de380544ed5d6e464
SHA512 175f06adf588a23bbdeacfb7bdc71c51e9927cd3e7d45e5ba42a4c415f2d8d17b8b32037cc64b1d37f4f170e5f562866a08b65ac4826ceeb09707cc8b46e8586

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dde7c20fe75068ed2a882967b407fb01
SHA1 0c138123b83ac577c00a297aaafd3ff95ca04c1f
SHA256 5c1d69dde07c0b6a0075d13fe05c692aad22e1d2af18971f25c0a86a25e36842
SHA512 a126912c1e34ab8e32164803db85fd23f340da8108e22b7a10fb75619332d5c622c1eda6a52584c91c0105f15e8fe9cff646b13f0d8fb8ab3267bb05f0c2ef5d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2f7f8312a929d6244e08a72d232a67f0
SHA1 2de33d1a9ab1c7adb88700b8f23c64d65f2a27f5
SHA256 3f8f9f53182d2f26b9ebd0679b8a36056933fe88c84f5df7c168b7a98c875881
SHA512 7ab64edd1d42ec29b380e7144fb3901e6018b6aed854c261b3d1d6beec2094e43e86d93bb9aab1de66ec8cce8edfbb64e091661002811f5d7f2aacb9bf7eb917

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8ba6e8c63ce4a9cb518687bd6857f4cb
SHA1 7570d5a93ddca74c97b1275fb0b57b0d6cc81ff3
SHA256 52feee7f7a6c959b547b7b0201a93fd508f4f97cb32ccf403e2b881bd2b119d8
SHA512 367dfdc7361483a233e80c35150a150861c4c676dc87b58af48a0719e876ce3dc39a18ab48456eaf65a1dbf1ad76d8a3d783838ab4e90c48e271bb8f567a308f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e27b56039764a63a4d3c649924b2d6ec
SHA1 8efca6a282f6d8d43093bab50627831e7a6aa173
SHA256 5c28891eeafb8c92e36820056cae38df40274552c2f94079606d42a84cd0c38e
SHA512 ac1ac2a12664fb58a39d84e35aca55a4692c4c45fb1ef7d1618d4215247348f3c897701d08725ecb69d2b5d30c7eb5498cb2ecf6ef36fac43efcbead093136ef

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7b8b970b8940fe9b4b110309ee5ea87a
SHA1 9b9a26be04e01ea81d124be8a23f3f5c3a9e8289
SHA256 94f145b5b4625a731503980761f67c87d2d9ab40b100172840e4982329bdb634
SHA512 bc44579561aba55ec0fc6fe2746e0af28ca7a1701b8e2a4b0a34b90325fc14cf472564f9f74c5dcdc6a1e4932e797bcd8d237f6e76594f5fc21137e55c341bf7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 12dcc1263e89b628336c76a7ab18b9c1
SHA1 edf82caba7e5caa1e5f7de32c2ca1ef6961cc390
SHA256 f3a97ffee5073b04ef29fd9774b5e73508a31972be71e58079f2a80140fb8296
SHA512 18480563df49846f08e2e3a3d3754fc32cd9771aa99a17105e22f7d45d701a02b3751f9c024a0af6bdfda4e4210fefd203bf4c2d03a797e8579879f52f4b197a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8cfb44d50eabda4d0b82e64e9b80e682
SHA1 717b7ec85e04e8d2aab72c4a1a2ad9a060dfd21d
SHA256 c19947c7c1ec9493c61cf4f29fb573f3f7390fac4deeb7b8621a820a2e81790c
SHA512 79679377b044de0075036f2842c2ca581eac07c98ab91f37416cb4c6c632181c68f10fdc289348dae4d8068c55e8ad82dc23e7236ced8c79bc0f35651502df2a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 53791f9789dadee2d6fc74e3aa7a6c48
SHA1 679d84532f33ce91dbdb9ea010507db33ae8ca07
SHA256 5590bb2d0702c8bf3d8ff046b0066a9b6c15fb83813e971ac8baa2d8d437a6c9
SHA512 76dbb136356b044f63989314b6665a5a554382c3b6cdb7b09651796baf1276a8aaa3f05c714a19b0c747397377d6c54ff47d6f3e3f9bc4aedde8464a37ee31e0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bbea4ef0206ce445f854d979b5d006c4
SHA1 4aa75c415fb6a5218d77f447597f396a70593854
SHA256 0e27db1c4d0fd0e03db68936ba2993658dbadaf5a6bb331d7eeebb1d15e53266
SHA512 a60e695cb2b680c063fe795c7473afc03d280b665d22495735ca2d7e78853aa1242d467a6abe3ee60c8b6032779757be2ce6d54de692a8f2e645bfed5204879d

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-07 16:22

Reported

2024-06-07 16:26

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe"

Signatures

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe" C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5} C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\WINDOWS\SysWOW64\ie.bat C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe N/A
File created C:\WINDOWS\SysWOW64\qx.bat C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\WINDOWS\windows.exe C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe N/A
File opened for modification C:\WINDOWS\windows.exe C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe N/A
File opened for modification C:\WINDOWS\windows.exe C:\Windows\SysWOW64\attrib.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4C5872C9-24EA-11EF-A084-DAD58692AE8D} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31111415" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31111415" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "550209992" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000006633b135c95c54191e4d28dd78c83740000000002000000000010660000000100002000000045ae9909f6a3bbec4f768bec2a8680b0fe2f37365e1b4afa7fa324fe84688f21000000000e8000000002000020000000de6666c1a9f89d2cb9f3d5490244d14892e40a791ffd91359fdfa8d22e0b40312000000042e3742c4a82796868ca47d48289afccde3f14ce687c5ed989e4726c55b84211400000003ea8c1237aa2040ed34884a992347811556d97b5eca7fc87f0ceca01ead423a0b01401c343b58279059cf0643bb146941b49312c570587ac462eeaea9714eedc C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\International\CpMRU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31111415" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424542393" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0ebff38f7b8da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "548803243" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0a1fd38f7b8da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "548803243" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000006633b135c95c54191e4d28dd78c837400000000020000000000106600000001000020000000abc0553c6c63041ab8c30b4e1dbea29c97bfe8679cbcff4e1268623d021f92d5000000000e8000000002000020000000e530a6304eb3b12816f8ba968941ed30201d2c6c942ca10670678ed61488218920000000155756a6c2f15ed014f557528532059f6e3254be00567799f594a30338de8a7c400000004abc246dbc8bfa84e69a3fd2b5bde5551a0f58c23e061734d0492f58a5ec4dfa3151dc70e74e0c42c22b8d505f5cc6bec598f869eb109e700b198b1aa94c3e8e C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com" C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4924 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4924 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2600 wrote to memory of 4904 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2600 wrote to memory of 4904 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2600 wrote to memory of 4904 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4924 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2972 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2972 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4924 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3320 wrote to memory of 4048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3320 wrote to memory of 4048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3320 wrote to memory of 4048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4924 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4920 wrote to memory of 2932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4920 wrote to memory of 2932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4920 wrote to memory of 2932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4924 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2296 wrote to memory of 4056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2296 wrote to memory of 4056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2296 wrote to memory of 4056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4924 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 1064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1988 wrote to memory of 1064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1988 wrote to memory of 1064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4924 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2208 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2208 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4924 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe C:\Windows\servicing\TrustedInstaller.exe
PID 4924 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe C:\Windows\servicing\TrustedInstaller.exe
PID 4924 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe C:\Windows\servicing\TrustedInstaller.exe
PID 1380 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1380 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1380 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
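
The rows above are one line per write, so each parent/child pair is listed two or three times, and one PID is labelled inconsistently: PID 1380 is the target of the sample's writes as C:\Windows\servicing\TrustedInstaller.exe, yet the very next rows show PID 1380 as C:\Windows\SysWOW64\cmd.exe writing into attrib.exe, the same cmd.exe -> attrib.exe pattern as the six chains before it. The following script is an added example, not part of the sandbox report: it parses the rows as text, collapses the duplicates, rebuilds the injection tree from the sample's PID 4924, and flags any PID the report attributes to more than one image (which is what PID reuse or sandbox mis-attribution looks like). The row text is reconstructed from the table above; nothing else is assumed.

```python
"""Rebuild the WriteProcessMemory injection tree and flag inconsistently named PIDs."""
import re
from collections import defaultdict

# Image paths exactly as they appear in the report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe"
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
IE32 = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
ATTRIB = r"C:\Windows\SysWOW64\attrib.exe"
TI = r"C:\Windows\servicing\TrustedInstaller.exe"


def row(src_pid, dst_pid, src, dst):
    """One table row in the report's own wording."""
    return f"PID {src_pid} wrote to memory of {dst_pid} N/A {src} {dst}"


# Constructed input: the table above, header included, with the same repetition.
WPM_ROWS = (
    ["Description Indicator Process Target"]
    + [row(4924, 2600, SAMPLE, IE)] * 2
    + [row(2600, 4904, IE, IE32)] * 3
    + [row(4924, 2972, SAMPLE, CMD)] * 3 + [row(2972, 4868, CMD, ATTRIB)] * 3
    + [row(4924, 3320, SAMPLE, CMD)] * 3 + [row(3320, 4048, CMD, ATTRIB)] * 3
    + [row(4924, 4920, SAMPLE, CMD)] * 3 + [row(4920, 2932, CMD, ATTRIB)] * 3
    + [row(4924, 2296, SAMPLE, CMD)] * 3 + [row(2296, 4056, CMD, ATTRIB)] * 3
    + [row(4924, 1988, SAMPLE, CMD)] * 3 + [row(1988, 1064, CMD, ATTRIB)] * 3
    + [row(4924, 2208, SAMPLE, CMD)] * 3 + [row(2208, 1504, CMD, ATTRIB)] * 3
    + [row(4924, 1380, SAMPLE, TI)] * 3 + [row(1380, 2736, CMD, ATTRIB)] * 3
)

# "PID <src> wrote to memory of <dst> N/A <src image> <dst image>". Both images start
# with "C:\", which lets a non-greedy match split two paths that contain spaces.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.*?) (C:\\.*)$")


def parse_rows(rows):
    """Return de-duplicated (src_pid, dst_pid, src_image, dst_image) edges, in order."""
    edges = []
    for line in rows:
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header or malformed row
        edge = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        if edge not in edges:
            edges.append(edge)
    return edges


def build_tree(edges):
    """Writer PID -> ordered list of distinct PIDs it wrote into."""
    children = defaultdict(list)
    for src_pid, dst_pid, _, _ in edges:
        if dst_pid not in children[src_pid]:
            children[src_pid].append(dst_pid)
    return dict(children)


def image_names(edges):
    """Every image path the report associates with each PID, as writer or as target."""
    names = defaultdict(set)
    for src_pid, dst_pid, src_image, dst_image in edges:
        names[src_pid].add(src_image)
        names[dst_pid].add(dst_image)
    return dict(names)


def inconsistent_pids(edges):
    """PIDs carrying more than one image path: PID reuse or sandbox mis-attribution."""
    return {pid: imgs for pid, imgs in image_names(edges).items() if len(imgs) > 1}


def render_tree(edges, root):
    """Indented text tree rooted at `root`; an ambiguous PID shows every name it carries."""
    tree, names = build_tree(edges), image_names(edges)
    lines = []

    def walk(pid, depth):
        label = " | ".join(sorted(names.get(pid, {"?"})))
        lines.append("  " * depth + f"{pid} {label}")
        for child in tree.get(pid, []):
            walk(child, depth + 1)

    walk(root, 0)
    return lines


if __name__ == "__main__":
    edges = parse_rows(WPM_ROWS)
    print("\n".join(render_tree(edges, 4924)))
    for pid, imgs in inconsistent_pids(edges).items():
        print(f"\nPID {pid} is reported under {len(imgs)} images: {sorted(imgs)}")
```

Run against the table, the tree has one root (4924), eight direct children and eight grandchildren, and the only ambiguous node is 1380; treat the TrustedInstaller.exe label with suspicion until the full process list confirms which image actually owned that PID at the time of the write.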

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2600 CREDAT:17410 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\WINDOWS\windows.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h "c:\system.exe"

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe
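
The process list records the two halves of the browser hijack this report is scored on: the sample rewrites the Internet Explorer Start Page value (signature above) and then runs cmd.exe /c attrib +h seven times, five times against Internet Explorer shortcuts and twice against the executables it dropped at C:\WINDOWS\windows.exe and c:\system.exe. The target paths are hard-coded with Chinese shell-folder names (桌面 is Desktop, 「开始」菜单\程序 is Start Menu\Programs, 启动 Internet Explorer 浏览器.lnk is "Launch Internet Explorer browser.lnk") under the pre-Vista Documents and Settings layout; they are left untranslated because the literal strings are the indicator. The script below is an added example, not part of the report: it parses the command lines and the Start Page registry row and summarises them into a triage record. Command lines and the registry row are copied from the report; the regular expressions and the .lnk/.exe split are this example's own.

```python
"""Triage the IE start-page hijack and the attrib +h hiding seen in the process list."""
import re

# Constructed input: command lines from the report's process list, plus two that are
# not attrib invocations so the parser has something to reject.
COMMAND_LINES = [
    r'"C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan',
    r'"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"',
    r'attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"',
    r'"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"',
    r'"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"',
    r'"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"',
    r'"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"',
    r'"C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"',
    r'"C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"',
    r'C:\Windows\servicing\TrustedInstaller.exe',
]

# Constructed input: the row from "Modifies Internet Explorer start page".
REGISTRY_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com" C:\Users\Admin\AppData\Local\Temp\6bea8ef3668d7c8dbffc79735771d080_NeikiAnalytics.exe N/A',
]

# attrib <flags> "<path>": flags are +x / -x pairs (r, a, s, h, i), the path is quoted.
ATTRIB_RE = re.compile(r'(?:^|\s)attrib\s+((?:[+-][a-z]\s*)+)"([^"]+)"', re.IGNORECASE)
START_PAGE_RE = re.compile(r'\\Internet Explorer\\Main\\Start Page = "([^"]+)"')
SHELL_LINK = re.compile(r"\.lnk$", re.IGNORECASE)


def parse_attrib(cmdline):
    """Return (flags, target_path) for an attrib invocation, else None."""
    m = ATTRIB_RE.search(cmdline)
    if not m:
        return None
    return tuple(m.group(1).split()), m.group(2)


def hidden_targets(command_lines):
    """Paths that attrib +h was run against, de-duplicated, in first-seen order.
    cmd.exe and its attrib.exe child both carry the same path, so each appears once."""
    seen = {}
    for cmdline in command_lines:
        parsed = parse_attrib(cmdline)
        if parsed and "+h" in parsed[0]:
            seen.setdefault(parsed[1], None)
    return list(seen)


def start_page(registry_rows):
    """The URL written to ...\Internet Explorer\Main\Start Page, if any row sets it."""
    for row in registry_rows:
        m = START_PAGE_RE.search(row)
        if m:
            return m.group(1)
    return None


def triage(command_lines, registry_rows):
    """Summarise the hijack: new start page, hidden shortcuts, hidden dropped executables."""
    targets = hidden_targets(command_lines)
    return {
        "start_page": start_page(registry_rows),
        "hidden_shortcuts": [p for p in targets if SHELL_LINK.search(p)],
        "hidden_executables": [p for p in targets if p.lower().endswith(".exe")],
    }


if __name__ == "__main__":
    for key, value in triage(COMMAND_LINES, REGISTRY_ROWS).items():
        print(f"{key}: {value}")
```

The hidden_executables list is the one to act on first: both paths match entries in the Files section, so their hashes can go straight into a blocklist, while the Start Page URL and the shortcut paths are the host artefacts to check when confirming an infection.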

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.ymtuku.com udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 38.14.181.142:80 www.ymtuku.com tcp
US 38.14.181.142:80 www.ymtuku.com tcp
US 8.8.8.8:53 push.zhanzhang.baidu.com udp
CN 180.101.212.103:80 push.zhanzhang.baidu.com tcp
CN 180.101.212.103:80 push.zhanzhang.baidu.com tcp
US 8.8.8.8:53 www.avbaisdvc85ackl.com udp
US 8.8.8.8:53 sdk.51.la udp
HK 122.10.35.126:443 www.avbaisdvc85ackl.com tcp
HK 122.10.35.126:443 www.avbaisdvc85ackl.com tcp
US 8.8.8.8:53 142.181.14.38.in-addr.arpa udp
US 163.181.154.234:80 sdk.51.la tcp
US 163.181.154.234:80 sdk.51.la tcp
US 8.8.8.8:53 collect-v6.51.la udp
US 163.181.154.179:80 collect-v6.51.la tcp
US 163.181.154.179:80 collect-v6.51.la tcp
US 8.8.8.8:53 234.154.181.163.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 126.35.10.122.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 179.154.181.163.in-addr.arpa udp
US 8.8.8.8:53 152.101.63.23.in-addr.arpa udp
US 8.8.8.8:53 rqwcfqw.app udp
US 8.8.8.8:53 mmo2350.top udp
US 8.8.8.8:53 migo011.top udp
US 8.8.8.8:53 cbsi52.cnavubi8sqcoac.com udp
US 8.8.8.8:53 uuuutp.com udp
US 8.8.8.8:53 5698tp.com udp
US 8.8.8.8:53 imagedelivery.net udp
US 8.8.8.8:53 img.1379a.xyz udp
US 8.8.8.8:53 www.155pic.com udp
US 192.74.227.37:443 uuuutp.com tcp
US 192.74.227.37:443 uuuutp.com tcp
KR 115.91.26.71:443 rqwcfqw.app tcp
KR 115.91.26.71:443 rqwcfqw.app tcp
US 8.8.8.8:53 333bbb888bbb.com udp
US 104.18.2.36:443 imagedelivery.net tcp
US 104.18.2.36:443 imagedelivery.net tcp
US 156.225.87.4:2235 cbsi52.cnavubi8sqcoac.com tcp
US 156.225.87.4:2235 cbsi52.cnavubi8sqcoac.com tcp
US 8.8.8.8:53 xxxx6686.app udp
US 8.8.8.8:53 mmo1130.top udp
US 8.8.8.8:53 reen101.top udp
US 163.181.154.234:443 sdk.51.la tcp
US 172.67.31.6:443 www.155pic.com tcp
US 172.67.31.6:443 www.155pic.com tcp
US 172.67.31.6:443 www.155pic.com tcp
US 172.67.31.6:443 www.155pic.com tcp
US 172.67.31.6:443 www.155pic.com tcp
US 172.67.31.6:443 www.155pic.com tcp
US 8.8.8.8:53 x2.c.lencr.org udp
BE 23.55.97.11:80 x2.c.lencr.org tcp
DE 142.132.201.10:443 mmo1130.top tcp
DE 142.132.201.10:443 mmo1130.top tcp
US 38.145.218.108:443 5698tp.com tcp
US 38.145.218.108:443 5698tp.com tcp
KR 115.91.26.69:443 xxxx6686.app tcp
KR 115.91.26.69:443 xxxx6686.app tcp
HK 134.122.135.194:443 333bbb888bbb.com tcp
HK 134.122.135.194:443 333bbb888bbb.com tcp
DE 142.132.201.10:443 mmo1130.top tcp
DE 142.132.201.10:443 mmo1130.top tcp
US 8.8.8.8:53 36.2.18.104.in-addr.arpa udp
US 8.8.8.8:53 6.31.67.172.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 4.87.225.156.in-addr.arpa udp
US 8.8.8.8:53 226.20.18.104.in-addr.arpa udp
US 8.8.8.8:53 71.26.91.115.in-addr.arpa udp
US 8.8.8.8:53 10.201.132.142.in-addr.arpa udp
US 8.8.8.8:53 146.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 108.218.145.38.in-addr.arpa udp
US 8.8.8.8:53 dvcasha2.ocsp-certum.com udp
US 8.8.8.8:53 cs2.fovzr2.com udp
NL 23.62.61.146:80 dvcasha2.ocsp-certum.com tcp
US 8.8.8.8:53 hm.baidu.com udp
DE 142.132.201.10:443 mmo1130.top tcp
DE 142.132.201.10:443 mmo1130.top tcp
US 8.8.8.8:53 69.26.91.115.in-addr.arpa udp
US 8.8.8.8:53 194.135.122.134.in-addr.arpa udp
US 8.8.8.8:53 41.249.124.192.in-addr.arpa udp
US 8.8.8.8:53 23.249.124.192.in-addr.arpa udp
US 8.8.8.8:53 37.227.74.192.in-addr.arpa udp
US 163.181.154.179:443 collect-v6.51.la tcp
CN 111.45.11.83:443 tcp
CN 111.45.11.83:443 tcp
CN 182.61.201.93:80 push.zhanzhang.baidu.com tcp
CN 182.61.201.93:80 push.zhanzhang.baidu.com tcp
DE 142.132.201.10:443 mmo1130.top tcp
CN 39.156.66.10:443 tcp
CN 39.156.66.10:443 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
CN 110.242.68.66:443 tcp
CN 110.242.68.66:443 tcp
CN 183.240.98.228:443 tcp
CN 183.240.98.228:443 tcp
CN 182.61.201.94:80 push.zhanzhang.baidu.com tcp
CN 182.61.201.94:80 push.zhanzhang.baidu.com tcp
CN 39.156.66.10:443 tcp
CN 39.156.66.10:443 tcp
CN 14.215.182.140:443 tcp
CN 14.215.182.140:443 tcp
DE 142.132.201.10:443 mmo1130.top tcp
CN 182.61.244.229:80 push.zhanzhang.baidu.com tcp
CN 182.61.244.229:80 push.zhanzhang.baidu.com tcp
CN 110.242.68.66:443 tcp
CN 110.242.68.66:443 tcp
CN 14.215.183.79:443 tcp
CN 14.215.183.79:443 tcp
CN 14.215.182.161:80 push.zhanzhang.baidu.com tcp
CN 14.215.182.161:80 push.zhanzhang.baidu.com tcp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
CN 111.45.3.198:443 tcp
CN 111.45.3.198:443 tcp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/4924-0-0x0000000000400000-0x000000000043A000-memory.dmp

C:\system.exe

MD5 ecfed6d12a63ba09bbc71c3d2fe56ef0
SHA1 e3bef29ffe53aa4c1006a87ffe7d8fcea42061bd
SHA256 3d83f57a12772488bb24fca5c4cbbba0b9652b2932877aa5ccac72fd9f7c6928
SHA512 648f93392e66dcbb6c20f462434c75a2471021811d91569ca7e9abb2e6b32593d918e5f151e681a12fe62db3cda76c6442e5e9ee63e0c88217eaf80c0113452f

C:\WINDOWS\windows.exe

MD5 35e5ca3f533198464154c48a4c23afc7
SHA1 6f54418e1964881c72b5a759370bbd62fc23e698
SHA256 f12888b3e1db565eac882abcf67ac2ecc3cacb6c8443b1654428b813807ee183
SHA512 a8c38fc989f0e6cdcfb1dbcf3f38c509df74da27d56ab7c13e179e880624017b844abb499a9a6a4f89a57b2aea878e39ad5160d57754dbd2e6f472cc2c49f340

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DL7YY2B9\js-sdk-pro.min[1].js

MD5 24bb520e9517f2ed3ed987b46aeaf723
SHA1 846723563d7dd2bff3954f93633b11af0103adc8
SHA256 d1f1bfe698f2ffb7b3e7a885a301d58f9554d45df0a31c3e8b53c84b33c80d27
SHA512 31afbcd2ee87c84cc3e56355da8ddc741a69d918c2687984265745d8046deb18c494cbca6aaf8d4eae6b035e888e6f7cf9b0d59a255f2714963d7b3edbb3c87f

memory/4924-169-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 b342fb24d6c7d9215731a17e94743502
SHA1 0e6ef1eca8b3c7bda6da7f1f792919a5fdc71a34
SHA256 7be1369161dae7ccbe4b699b2682bdd28141761e6afed9451ffa8626bf812cd1
SHA512 963af63ab70072c83ca49a658735b7d6b76d09081e8b97eb1a23b2e5ef131a83a4ab5903edcc53596f216ee1eb6b2c68e48f2a102e2b6eca672a99b71b51eb40

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 f517ee4a7b0317abcf4d618b44c17683
SHA1 02caa5a48378931e898c347b808ef38a00a3c3d9
SHA256 5867c256a76c099b3092a47b0e8d5f56667545ba8c4a15675bbb95cbcdedd4ff
SHA512 766f62fc93dbced430d0837f2d12eeb1b811d77c5ec6824f2bb377d8f069913f15c235b0ae35a770e460e9a87596f3c38aa1f1cb67b3d526e3f4838b6301edc4

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKI8W8FH\favicon[1].htm

MD5 0542ad8156f4dfca7ddcfcb62a6cb452
SHA1 485282ba12fc0daf6f6aed96f1ababb8f91a6324
SHA256 c90cdefdb6d7ad5a9a132e0d3b74ecdb5b0d5b442da482129ba67925a2f47e8f
SHA512 0b41affa129277bf4b17d3e103dc4c241bc2ac338858cc17c22e172ec2ac65539b63e802246efb462cd134d99907d9c5ed9bc03937cadcca3155b703ac6e3195

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKI8W8FH\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
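
The Files section mixes three kinds of entry: memory dumps the sandbox took of the sample, Internet Explorer cache and CryptnetUrlCache artefacts produced by the pages it opened, and the two executables the sample itself wrote to C:\system.exe and C:\WINDOWS\windows.exe (the same two it then hid with attrib +h). Only the last group belongs in a hash blocklist. The script below is an added example, not part of the report: it parses the path-plus-digest layout used above, checks each digest for the right length and character set (a report copied by hand or truncated by a pipeline fails silently otherwise), and keeps only the dropped payloads' SHA256 values. The excerpt is abridged from the section above; the classification rules by path are this example's own.

```python
"""Parse the Files section into validated hash records and a payload blocklist."""
import re

# Constructed input: an abridged excerpt of the Files section above.
FILES_BLOCK = r"""
memory/4924-0-0x0000000000400000-0x000000000043A000-memory.dmp

C:\system.exe

MD5 ecfed6d12a63ba09bbc71c3d2fe56ef0
SHA1 e3bef29ffe53aa4c1006a87ffe7d8fcea42061bd
SHA256 3d83f57a12772488bb24fca5c4cbbba0b9652b2932877aa5ccac72fd9f7c6928
SHA512 648f93392e66dcbb6c20f462434c75a2471021811d91569ca7e9abb2e6b32593d918e5f151e681a12fe62db3cda76c6442e5e9ee63e0c88217eaf80c0113452f

C:\WINDOWS\windows.exe

MD5 35e5ca3f533198464154c48a4c23afc7
SHA1 6f54418e1964881c72b5a759370bbd62fc23e698
SHA256 f12888b3e1db565eac882abcf67ac2ecc3cacb6c8443b1654428b813807ee183
SHA512 a8c38fc989f0e6cdcfb1dbcf3f38c509df74da27d56ab7c13e179e880624017b844abb499a9a6a4f89a57b2aea878e39ad5160d57754dbd2e6f472cc2c49f340

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DL7YY2B9\js-sdk-pro.min[1].js

MD5 24bb520e9517f2ed3ed987b46aeaf723
SHA256 d1f1bfe698f2ffb7b3e7a885a301d58f9554d45df0a31c3e8b53c84b33c80d27
"""

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+(\S+)$")
HEX = re.compile(r"^[0-9a-f]+$")


def parse_files(text):
    """Return [{'path': ..., 'hashes': {algo: digest}}] in the order listed."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            current["hashes"][m.group(1)] = m.group(2).lower()
        else:
            current = {"path": line, "hashes": {}}
            records.append(current)
    return records


def validate(record):
    """Problems with a record's digests: wrong length or non-hex characters."""
    problems = []
    for algo, digest in record["hashes"].items():
        want = DIGEST_LEN[algo]
        if len(digest) != want or not HEX.match(digest):
            problems.append(f"{record['path']}: {algo} should be {want} hex chars, got {len(digest)}")
    return problems


def classify(record):
    """memory_dump, browser_cache or dropped_payload, decided from the path alone."""
    path = record["path"]
    if path.startswith("memory/"):
        return "memory_dump"
    if "\\INetCache\\" in path or "\\CryptnetUrlCache\\" in path:
        return "browser_cache"
    return "dropped_payload"


def payload_sha256(records):
    """SHA256 digests of the dropped payloads only: the blocklist-worthy set."""
    return {
        r["hashes"]["SHA256"]
        for r in records
        if classify(r) == "dropped_payload" and "SHA256" in r["hashes"]
    }


if __name__ == "__main__":
    recs = parse_files(FILES_BLOCK)
    for r in recs:
        print(classify(r), r["path"], *validate(r))
    print("blocklist:", sorted(payload_sha256(recs)))
```

The memory dump entry carries no digests, so it parses as a record with an empty hash map and validate() has nothing to complain about; a cache entry with only some of the four digests is likewise accepted, since partial coverage is normal for an excerpt. Only a digest of the wrong length or with non-hex characters is reported.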