Malware Analysis Report

2025-08-10 12:16

Sample ID 240610-118tmssejh
Target 1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe
SHA256 55b85639624459549a2488e4c0c98626c24b034e9f89c2ad5b52ba7c68b5ee7e
Tags
upx
score
7/10

Analysis Overview

score
7/10

SHA256

55b85639624459549a2488e4c0c98626c24b034e9f89c2ad5b52ba7c68b5ee7e

Threat Level: Shows suspicious behavior

The file 1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

upx

UPX packed file

Executes dropped EXE

Loads dropped DLL

Deletes itself

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: CmdExeWriteProcessMemorySpam

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-10 22:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 22:08

Reported

2024-06-10 22:10

Platform

win7-20240221-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\kernel64.dll C:\Users\Admin\AppData\Local\Temp\1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\kernel64.dll C:\Users\Admin\AppData\Local\Temp\1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2372 set thread context of 2792 N/A C:\Users\Admin\AppData\Local\Temp\1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe C:\Windows\SysWOW64\svchost.exe
PID 1636 set thread context of 2752 N/A C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg C:\Windows\SysWOW64\wininit.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\FKC.WYA C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\FKC.WYA C:\Windows\SysWOW64\wininit.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg C:\Windows\SysWOW64\wininit.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIFs5.ini C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIFss1.ini C:\Users\Admin\AppData\Local\Temp\1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIFs1.ini C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\FKC.WYA C:\Users\Admin\AppData\Local\Temp\1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\FKC.WYA C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIF.jpg C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\1D11D1B123.IMD C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIFs1.ini C:\Windows\SysWOW64\wininit.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIFmain.ini C:\Users\Admin\AppData\Local\Temp\1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIFmain.ini C:\Users\Admin\AppData\Local\Temp\1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\1D11D1B123.IMD C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\$$.tmp C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIFs5.ini C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\ok.txt C:\Users\Admin\AppData\Local\Temp\1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIF.jpg C:\Users\Admin\AppData\Local\Temp\1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIFs5.ini C:\Windows\SysWOW64\wininit.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIF.jpg C:\Windows\SysWOW64\wininit.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\$$.tmp C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIF.jpg C:\Users\Admin\AppData\Local\Temp\1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe N/A
File created C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\web\606C646364636479.tmp C:\Users\Admin\AppData\Local\Temp\1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\web\606C646364636479.tmp C:\Users\Admin\AppData\Local\Temp\1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg N/A
N/A N/A C:\Windows\SysWOW64\wininit.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wininit.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2372 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe C:\Windows\SysWOW64\svchost.exe
PID 1980 wrote to memory of 1636 N/A C:\Windows\system32\cmd.exe C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg
PID 1636 wrote to memory of 2752 N/A C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg C:\Windows\SysWOW64\wininit.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\System32\svchost.exe -EMBEDDING 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530435D474A422F565840 0

C:\Windows\system32\cmd.exe

cmd.exe /c call "C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530435D474A422F565840

C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg

"C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530435D474A422F565840

C:\Windows\SysWOW64\wininit.exe

C:\Windows\System32\wininit.exe -sys 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530435D474A422F565840 0

Network

Country Destination Domain Proto
N/A 127.0.0.1:8080 tcp
US 8.8.8.8:53 www.lfmpw.com udp
US 8.8.8.8:53 www.bjbflt.com udp
CN 123.56.127.108:80 www.bjbflt.com tcp
US 8.8.8.8:53 www.web35370.bjl002.vhost007.cn udp
CN 114.118.11.2:80 www.web35370.bjl002.vhost007.cn tcp

Files

memory/2372-5-0x0000000001C80000-0x0000000001CD5000-memory.dmp

memory/2372-2-0x0000000001C80000-0x0000000001CD5000-memory.dmp

memory/2372-3-0x0000000001C80000-0x0000000001CD5000-memory.dmp

memory/2372-13-0x0000000001C80000-0x0000000001CD5000-memory.dmp

memory/2372-11-0x0000000001C80000-0x0000000001CD5000-memory.dmp

memory/2372-9-0x0000000001C80000-0x0000000001CD5000-memory.dmp

memory/2372-7-0x0000000001C80000-0x0000000001CD5000-memory.dmp

memory/2372-16-0x0000000001C80000-0x0000000001CD5000-memory.dmp

memory/2372-29-0x0000000001C80000-0x0000000001CD5000-memory.dmp

memory/2372-27-0x0000000001C80000-0x0000000001CD5000-memory.dmp

memory/2372-25-0x0000000001C80000-0x0000000001CD5000-memory.dmp

memory/2372-23-0x0000000001C80000-0x0000000001CD5000-memory.dmp

memory/2372-21-0x0000000001C80000-0x0000000001CD5000-memory.dmp

memory/2372-19-0x0000000001C80000-0x0000000001CD5000-memory.dmp

memory/2372-17-0x0000000001C80000-0x0000000001CD5000-memory.dmp

memory/2372-31-0x0000000001C80000-0x0000000001CD5000-memory.dmp

memory/2372-33-0x0000000001C80000-0x0000000001CD5000-memory.dmp

memory/2372-32-0x0000000001C80000-0x0000000001CD5000-memory.dmp

\Windows\SysWOW64\kernel64.dll

MD5 9b98d47916ead4f69ef51b56b0c2323c
SHA1 290a80b4ded0efc0fd00816f373fcea81a521330
SHA256 96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b
SHA512 68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94

C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIFmain.ini

MD5 5b85700764c7f8ed2db3d99aba090ff3
SHA1 89521db8d1abb29e082628efdd23c547fa54ef44
SHA256 ade5e3636e8684f5845c18666a04a6b22d7a0f2631ea268a1aec910857c42e24
SHA512 00600e12dc1067eba53760eedfc4f408e88053a87462d55f01478887a9b4095138d471cc186684f0c14f4c2559da978e0ef3f78341910ecf1ca8caac9f67a642

memory/2792-67-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2792-70-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2792-74-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2792-71-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2792-75-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\FKC.WYA

MD5 f697e0c5c1d34f00d1700d6d549d4811
SHA1 f50a99377a7419185fc269bb4d12954ca42b8589
SHA256 1eacebb614305a9806113545be7b23cf14ce7e761ccf634510a7f1c0cfb6cd16
SHA512 d5f35672f208ebbe306beeb55dadde96aa330780e2ea84b45d3fa6af41369e357412d82978df74038f2d27dff4d06905fd0b4d852b0beef1bcfdd6a0849bc202

memory/2792-76-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2792-85-0x0000000000180000-0x00000000001D5000-memory.dmp

memory/2792-89-0x0000000000180000-0x00000000001D5000-memory.dmp

C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\ok.txt

MD5 210b2e0534748b2d3eb039c0cbfe6085
SHA1 a4207dad717b078bee96a374368918cad614fc53
SHA256 060da3d03be3dbf45836c359a4923057311c9b0b76fa0b433e9d9b5d3cb8b1ca
SHA512 fe2ea1f203d58fbf7eec9acc6f7dcb662b3263674d81076fcbb88e95c909f4597d0884ec47c849e21e9fbb700c52e3f9256da9500c9d6b5543b3af681b6ddd7c

C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIFss1.ini

MD5 a4ef93de80711124d4b7e080ccf42edb
SHA1 f4530f5e6d362781fa6dfa4982d25f3ad15dbf99
SHA256 9a09d2a2b23760cbc02ab362728b30783f943d90beebbdbd03c4e8b288492d24
SHA512 707c5a1a84a1cd490e3e0109c30b32724a69d27021653265bbd838065458e1eea20b470f145612f9ea5486711c47a59dcb515f9625829e63689a89af75901fa2

memory/2792-101-0x0000000000180000-0x00000000001D5000-memory.dmp

memory/2792-100-0x0000000000180000-0x00000000001D5000-memory.dmp

memory/2792-97-0x0000000000180000-0x00000000001D5000-memory.dmp

C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\1D11D1B123.IMD

MD5 f2c01524c9a6e57e8a24d1ca29a4371a
SHA1 fc5d56128057eb2815afecb61dd4b21f8be803d4
SHA256 6b8df77b1d17d05fea3dd1b74a9c9f7b7d229e0da1529c8645a3111d0e879543
SHA512 f14a8cf535f5f90acc5dcdc6ac3ef60e75d19ba71879d3a4dc9e816556491ebf5fcd98c51235500c45c52433c8b7ab0f54d1e090e3003e7f88f762821d1bfde6

memory/2792-95-0x0000000000180000-0x00000000001D5000-memory.dmp

memory/2792-94-0x0000000000180000-0x00000000001D5000-memory.dmp

memory/2792-91-0x0000000000180000-0x00000000001D5000-memory.dmp

memory/2792-87-0x0000000000180000-0x00000000001D5000-memory.dmp

memory/2792-83-0x0000000000180000-0x00000000001D5000-memory.dmp

memory/2792-81-0x0000000000180000-0x00000000001D5000-memory.dmp

memory/2792-79-0x0000000000180000-0x00000000001D5000-memory.dmp

memory/2792-78-0x0000000000180000-0x00000000001D5000-memory.dmp

C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg

MD5 29b418d3afc1ee4fc1fa2ac315c13f0b
SHA1 cc6724a388aa477cf434ff45662e743a88e0265b
SHA256 20fc73a45b72f3863aa138bd83b743c49d861c5f3f92f14739c7983050346736
SHA512 d6b7eaa4e9f36c43ab988c3d17d07cac0809d2803574691c025e60ad9e943d13002b985279a59168f4d027edb2e848ea61ba4c4e799a9687ff3c54a9578b6470

memory/2752-173-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2792-223-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2752-224-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 22:08

Reported

2024-06-10 22:10

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\kernel64.dll C:\Users\Admin\AppData\Local\Temp\1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\kernel64.dll C:\Users\Admin\AppData\Local\Temp\1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2016 set thread context of 1660 N/A C:\Users\Admin\AppData\Local\Temp\1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe C:\Windows\SysWOW64\svchost.exe
PID 4728 set thread context of 1616 N/A C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg C:\Windows\SysWOW64\svchost.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIF.jpg C:\Users\Admin\AppData\Local\Temp\1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIF.jpg C:\Users\Admin\AppData\Local\Temp\1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\1D11D1B123.IMD C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\1D11D1B123.IMD C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIFs5.ini C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIFs5.ini C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIFss1.ini C:\Users\Admin\AppData\Local\Temp\1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIFmain.ini C:\Users\Admin\AppData\Local\Temp\1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIFmain.ini C:\Users\Admin\AppData\Local\Temp\1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\FKC.WYA C:\Users\Admin\AppData\Local\Temp\1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIF.jpg C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\FKC.WYA C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg N/A
File opened for modification C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\ok.txt C:\Users\Admin\AppData\Local\Temp\1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIFs1.ini C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\$$.tmp C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\FKC.WYA C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\1D11D1B123.IMD C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIFs5.ini C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\web\606C646364636479.tmp C:\Users\Admin\AppData\Local\Temp\1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\web\606C646364636479.tmp C:\Users\Admin\AppData\Local\Temp\1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe N/A 8
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A 50
N/A N/A C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg N/A 6

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe N/A 5
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A 7
Token: SeDebugPrivilege N/A C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg N/A 3
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A 49

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2016 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe C:\Windows\SysWOW64\svchost.exe 3
PID 2016 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe C:\Windows\SysWOW64\svchost.exe 5
PID 3316 wrote to memory of 4728 N/A C:\Windows\system32\cmd.exe C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg 3
PID 4728 wrote to memory of 1616 N/A C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg C:\Windows\SysWOW64\svchost.exe 5

Processes

C:\Users\Admin\AppData\Local\Temp\1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\System32\svchost.exe -EMBEDDING 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530435D474A422F565840 0

C:\Windows\SysWOW64\svchost.exe

C:\Windows\System32\svchost.exe -EMBEDDING 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530435D474A422F565840 0

C:\Windows\system32\cmd.exe

cmd.exe /c call "C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530435D474A422F565840

C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg

"C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530435D474A422F565840

C:\Windows\SysWOW64\svchost.exe

C:\Windows\System32\svchost.exe -sys 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530435D474A422F565840 0
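
The 138-character hex string passed to every second-stage process above is not a hash. XORing each byte with 0x01 turns it into C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\FKC.WYA, the file the svchost.exe instances open for modification in the Program Files table, so the switches -EMBEDDING, -3 and -sys are each followed by the sample's working-file path in lightly obfuscated form. The script below is an added worked example by the editor, not sandbox output: it decodes such arguments and applies the stock heuristic that a svchost.exe started without a -k <group> argument was not started by services.exe. The function names and the legitimate svchost.exe command line used for contrast are the editor's constructions.

```python
import ntpath

# Hex argument exactly as it appears on the svchost.exe, cmd.exe and KVEIF.jpg
# command lines in the Processes section of this report.
ENCODED_ARG = "423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530435D474A422F565840"

# The two svchost.exe command lines from the Processes section, plus one
# constructed legitimate svchost.exe line (not from the report) for contrast.
SVCHOST_LINES = [
    f"C:\\Windows\\System32\\svchost.exe -EMBEDDING {ENCODED_ARG} 0",
    f"C:\\Windows\\System32\\svchost.exe -sys {ENCODED_ARG} 0",
]
LEGIT_SVCHOST = "C:\\Windows\\System32\\svchost.exe -k netsvcs -p -s Schedule"

HEX_DIGITS = set("0123456789abcdefABCDEF")


def decode_xor1(hex_arg):
    """Undo the obfuscation used on ENCODED_ARG: every plaintext byte has its
    lowest bit flipped, so 'C' (0x43) became 0x42, ':' (0x3A) became 0x3B and
    '\\' (0x5C) became 0x5D. XOR with 0x01 is its own inverse."""
    raw = bytes.fromhex(hex_arg)
    return bytes(b ^ 0x01 for b in raw).decode("latin-1")


def looks_encoded(token, min_len=32):
    """Cheap filter for an obfuscated argument: long, even length, hex digits only."""
    return len(token) >= min_len and len(token) % 2 == 0 and set(token) <= HEX_DIGITS


def decode_args(cmdline):
    """Return (token, decoded) for every hex-looking token on a command line;
    decoded is None when the XOR-0x01 result is not printable text."""
    found = []
    for token in cmdline.split():
        if looks_encoded(token):
            text = decode_xor1(token)
            found.append((token, text if text.isprintable() else None))
    return found


def svchost_without_k(cmdline):
    """services.exe starts every legitimate svchost.exe as 'svchost.exe -k <group> ...';
    an instance with no -k argument was started by something else (here: the sample).
    Returns False for any command line whose image is not svchost.exe."""
    tokens = cmdline.split()
    if not tokens or ntpath.basename(tokens[0].strip('"')).lower() != "svchost.exe":
        return False
    return "-k" not in tokens[1:]


if __name__ == "__main__":
    for line in SVCHOST_LINES + [LEGIT_SVCHOST]:
        flag = "SUSPICIOUS" if svchost_without_k(line) else "ok"
        print(f"[{flag}] {line[:60]}...")
        for token, text in decode_args(line):
            print(f"    {token[:16]}... -> {text}")
```

The -k heuristic is deliberately narrow: it says nothing about cmd.exe or KVEIF.jpg, and a svchost.exe started by a debugger or an AV engine would also trip it, so in production pair it with the parent-process image before alerting.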

Network

Country Destination Domain Proto Count
N/A 127.0.0.1:8080 N/A tcp 48
US 8.8.8.8:53 www.lfmpw.com udp 8
US 8.8.8.8:53 www.bjbflt.com udp 7
US 8.8.8.8:53 www.web35370.bjl002.vhost007.cn udp 6

Order in the capture: the DNS queries cycle through www.lfmpw.com, www.bjbflt.com and www.web35370.bjl002.vhost007.cn, each query preceded by two loopback connections to 127.0.0.1:8080; after the second www.lfmpw.com query there is a run of six consecutive loopback connections before the cycle restarts from www.lfmpw.com, and the capture ends with two loopback connections after the last www.bjbflt.com query.

Files

memory/2016-2-0x00000000008D0000-0x0000000000925000-memory.dmp

memory/2016-7-0x00000000008D0000-0x0000000000925000-memory.dmp

memory/2016-13-0x00000000008D0000-0x0000000000925000-memory.dmp

memory/2016-19-0x00000000008D0000-0x0000000000925000-memory.dmp

memory/2016-27-0x00000000008D0000-0x0000000000925000-memory.dmp

memory/2016-31-0x00000000008D0000-0x0000000000925000-memory.dmp

C:\Windows\SysWOW64\kernel64.dll

MD5 eccf28d7e5ccec24119b88edd160f8f4
SHA1 98509587a3d37a20b56b50fd57f823a1691a034c
SHA256 820c83c0533cfce2928e29edeaf6c255bc19ac9718b25a5656d99ffac30a03d6
SHA512 c1c94bbb781625b2317f0a8178d3a10d891fb71bca8f82cd831c484e8ab125301b82a14fe2ff070dc99a496cc00234300fa5536401018c40d49d44ae89409670

memory/2016-33-0x00000000008D0000-0x0000000000925000-memory.dmp

memory/2016-32-0x00000000008D0000-0x0000000000925000-memory.dmp

memory/2016-30-0x00000000008D0000-0x0000000000925000-memory.dmp

memory/2016-25-0x00000000008D0000-0x0000000000925000-memory.dmp

memory/2016-23-0x00000000008D0000-0x0000000000925000-memory.dmp

memory/2016-21-0x00000000008D0000-0x0000000000925000-memory.dmp

memory/2016-17-0x00000000008D0000-0x0000000000925000-memory.dmp

memory/2016-15-0x00000000008D0000-0x0000000000925000-memory.dmp

memory/2016-11-0x00000000008D0000-0x0000000000925000-memory.dmp

memory/2016-9-0x00000000008D0000-0x0000000000925000-memory.dmp

memory/2016-5-0x00000000008D0000-0x0000000000925000-memory.dmp

memory/2016-3-0x00000000008D0000-0x0000000000925000-memory.dmp

C:\Program Files\Common Files\microsoft shared\MSInfo\1D11D1B\KVEIFmain.ini

MD5 ef02f73a8b0f99eb942c12dd73a32be0
SHA1 2b5ca20fe32b31fd6b129968f93b3afe7ce6c657
SHA256 29d56872d6ef7a47ccdaa8f794c3ccbc067199fafb4c85529c07d4171708313c
SHA512 5331102a9eb364a097d233f564a1ad675352a135aaffc7795189b12d4a2332ddb0e77255d94c6c3b3dccbe13625a84a7e581484c5fac523b07395bc2efa7511f

C:\Program Files\Common Files\microsoft shared\MSInfo\1D11D1B\KVEIFmain.ini

MD5 059cc39dd7faa4fbf3a57fbc232b63d2
SHA1 ad2c25f4f3e9bac4faeba1013c6a66b2c8ee8cb0
SHA256 053806dd7769edb7b6c8973a5be23bff6351f9bff1a0a1a5fd37e53029a05952
SHA512 c055c370c932286233308c0bb10c3d0569b49c6c1cdf6f01c681919bc3d1bf63a0004e65384afd5ec59f6ee249942da00afe6de21459801821ab6df4ba44d452

C:\Windows\Web\606C646364636479.tmp

MD5 f697e0c5c1d34f00d1700d6d549d4811
SHA1 f50a99377a7419185fc269bb4d12954ca42b8589
SHA256 1eacebb614305a9806113545be7b23cf14ce7e761ccf634510a7f1c0cfb6cd16
SHA512 d5f35672f208ebbe306beeb55dadde96aa330780e2ea84b45d3fa6af41369e357412d82978df74038f2d27dff4d06905fd0b4d852b0beef1bcfdd6a0849bc202

memory/1660-97-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1660-100-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1660-101-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1660-103-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1660-115-0x00000000028A0000-0x00000000028F5000-memory.dmp

memory/1660-131-0x00000000028A0000-0x00000000028F5000-memory.dmp

C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\ok.txt

MD5 210b2e0534748b2d3eb039c0cbfe6085
SHA1 a4207dad717b078bee96a374368918cad614fc53
SHA256 060da3d03be3dbf45836c359a4923057311c9b0b76fa0b433e9d9b5d3cb8b1ca
SHA512 fe2ea1f203d58fbf7eec9acc6f7dcb662b3263674d81076fcbb88e95c909f4597d0884ec47c849e21e9fbb700c52e3f9256da9500c9d6b5543b3af681b6ddd7c

C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIFss1.ini

MD5 a4ef93de80711124d4b7e080ccf42edb
SHA1 f4530f5e6d362781fa6dfa4982d25f3ad15dbf99
SHA256 9a09d2a2b23760cbc02ab362728b30783f943d90beebbdbd03c4e8b288492d24
SHA512 707c5a1a84a1cd490e3e0109c30b32724a69d27021653265bbd838065458e1eea20b470f145612f9ea5486711c47a59dcb515f9625829e63689a89af75901fa2

memory/1660-129-0x00000000028A0000-0x00000000028F5000-memory.dmp

memory/1660-127-0x00000000028A0000-0x00000000028F5000-memory.dmp

memory/1660-123-0x00000000028A0000-0x00000000028F5000-memory.dmp

memory/1660-121-0x00000000028A0000-0x00000000028F5000-memory.dmp

memory/1660-119-0x00000000028A0000-0x00000000028F5000-memory.dmp

memory/1660-117-0x00000000028A0000-0x00000000028F5000-memory.dmp

memory/1660-113-0x00000000028A0000-0x00000000028F5000-memory.dmp

memory/1660-111-0x00000000028A0000-0x00000000028F5000-memory.dmp

memory/1660-109-0x00000000028A0000-0x00000000028F5000-memory.dmp

memory/1660-125-0x00000000028A0000-0x00000000028F5000-memory.dmp

memory/1660-107-0x00000000028A0000-0x00000000028F5000-memory.dmp

memory/1660-105-0x00000000028A0000-0x00000000028F5000-memory.dmp

memory/1660-104-0x00000000028A0000-0x00000000028F5000-memory.dmp

C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIF.jpg

MD5 493b581f993a2d3eb0cbdb5246187ba3
SHA1 30edb0aadb51439cd34c2c6c97763ec54d8c100b
SHA256 f19bd75595d93cd85f31945b63e96af6121caf8f83a983c107a54f93e0e3dbce
SHA512 8fb35f808128b621ae6fbad9a50f2d7d89a7223595c712c98ade251f1f6434671c92b151ae5bc083aa789f609fe4442b027a72f058b6d7bf7b977b37f18e473e

C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg

MD5 0ee4ee15bcaa8e465691e4004f1744c5
SHA1 97f15f79e7f5523e8265fddd6e61a3442a6bd3d5
SHA256 6f303f761ec33fe4b69c3db7570ac0701685427506fdaa8223df9bfd5c797ff8
SHA512 225a7edf20650cdfa3517ac6051d38d50d219d2a214380820d24d9a5042803d7ae6f5e472d86e76e9870af5291d411926ff85f40355e7db90c9943e7994f58d4

C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\1D11D1B123.IMD

MD5 20b11923d7c83eaa725121821b76435c
SHA1 bd7145bd52425ee178f8bf96295bffdcd9110e24
SHA256 d75ba91e658670f66c335e0a0ba3d58061287a33b5962a507b2aac95e1266796
SHA512 39c1cd34fb5a43edf77199c14506f06df3426ef8f33e996ccc3d9c993e321cf3fd52f83e56bcd38829e363721857e9c9de17c7b5bda3d3350bfd5a095c936e7f

memory/1616-197-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1660-245-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1616-246-0x0000000000400000-0x000000000042D000-memory.dmp
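
Two pieces of evidence in this report fit together. The Suspicious use of WriteProcessMemory table shows the sample (PID 2016) writing into two svchost.exe instances (2920 and 1660) and the dropped KVEIF.jpg (4728) writing into a third (1616); the memory dumps show that the sample's own image region in 2016 (0x8D0000-0x925000, 0x55000 bytes) reappears at exactly that size inside 1660 (0x28A0000-0x28F5000), next to the 0x2D000-byte svchost.exe image at 0x400000. Together with the SetThreadContext signature in the summary this is consistent with the sample copying itself into freshly created svchost.exe processes. The script below is an added example by the editor, not part of the report: it parses the table rows and dump names as transcribed here (constructed input), rebuilds the writer-to-target chain, flags writes into svchost.exe by anything other than services.exe, and reports target regions whose size matches a region dumped from the writer. The size match is circumstantial, since the sandbox dumps only selected regions, so treat it as corroboration rather than proof.

```python
import re
from collections import Counter, defaultdict
from ntpath import basename

SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe")
SVCHOST = "C:\\Windows\\SysWOW64\\svchost.exe"
CMD = "C:\\Windows\\system32\\cmd.exe"
KVEIF = "C:\\Program Files\\Common Files\\Microsoft\\1D11D1B\\KVEIF.jpg"

# Transcribed from the report's WriteProcessMemory table, repeated as often as
# the table lists each row (constructed input, not raw sandbox output).
WPM_ROWS = (
    [f"PID 2016 wrote to memory of 2920 N/A {SAMPLE} {SVCHOST}"] * 3
    + [f"PID 2016 wrote to memory of 1660 N/A {SAMPLE} {SVCHOST}"] * 5
    + [f"PID 3316 wrote to memory of 4728 N/A {CMD} {KVEIF}"] * 3
    + [f"PID 4728 wrote to memory of 1616 N/A {KVEIF} {SVCHOST}"] * 5
)

# One dump name per distinct region from the report's Files list.
DUMPS = [
    "memory/2016-2-0x00000000008D0000-0x0000000000925000-memory.dmp",
    "memory/1660-97-0x0000000000400000-0x000000000042D000-memory.dmp",
    "memory/1660-115-0x00000000028A0000-0x00000000028F5000-memory.dmp",
    "memory/1616-197-0x0000000000400000-0x000000000042D000-memory.dmp",
]

# Both image columns start with "C:\", which is what lets the regex split two
# space-containing paths reliably.
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.*?) (C:\\.*)$")
DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_wpm(rows):
    """Count each (writer pid, target pid, writer image, target image) event."""
    edges = Counter()
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row}")
        src, dst, src_img, dst_img = m.groups()
        edges[(int(src), int(dst), src_img, dst_img)] += 1
    return edges


def injection_chain(edges):
    """Writer pid -> ordered list of distinct target pids (the tree implied by remote writes)."""
    tree = defaultdict(list)
    for src, dst, _, _ in edges:
        if dst not in tree[src]:
            tree[src].append(dst)
    return dict(tree)


def writes_into_system_binary(edges, protected=("svchost.exe",), allowed_writers=("services.exe",)):
    """Flag remote writes into a service host by anything other than the service control manager."""
    hits = []
    for src, dst, src_img, dst_img in edges:
        if basename(dst_img).lower() in protected and basename(src_img).lower() not in allowed_writers:
            hits.append((src, dst))
    return hits


def regions_by_pid(dumps):
    """pid -> set of (start, size) for every dumped region."""
    regions = defaultdict(set)
    for name in dumps:
        m = DUMP_RE.match(name)
        if not m:
            raise ValueError(f"unrecognised dump name: {name}")
        pid, start, end = int(m[1]), int(m[2], 16), int(m[3], 16)
        regions[pid].add((start, end - start))
    return regions


def injected_copies(dumps, edges):
    """For each writer->target edge, report target regions whose size equals a
    region dumped from the writer: the signature of an image copied across."""
    regions = regions_by_pid(dumps)
    hits = []
    for src, dst, _, _ in edges:
        writer_sizes = {size for _, size in regions.get(src, ())}
        for _, size in sorted(regions.get(dst, ())):
            if size in writer_sizes:
                hits.append((src, dst, size))
    return hits


if __name__ == "__main__":
    edges = parse_wpm(WPM_ROWS)
    print("chain:", injection_chain(edges))
    print("writes into svchost.exe by non-SCM:", writes_into_system_binary(edges))
    for src, dst, size in injected_copies(DUMPS, edges):
        print(f"pid {dst} holds a 0x{size:X}-byte region matching pid {src}'s image region")
```

No dumps were taken of 2920 or 4728, so the size check can only corroborate the 2016 to 1660 write; the two 0x2D000 regions at 0x400000 in 1660 and 1616 are the svchost.exe image itself and are not reported because neither writer has a region of that size.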