Malware Analysis Report

2024-09-11 15:21

Sample ID 240612-bztwnaxhjq
Target 1542d41a00f9cabd0dfeb5b30f5629f0_NeikiAnalytics.exe
SHA256 6dde7aa8e81b1a58dc3732ae1a3542bf89d725b2c2c0dcb75b439cddaefafe1a
Tags
stealc vidar discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Threat Level: Known bad

The file 1542d41a00f9cabd0dfeb5b30f5629f0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

stealc vidar discovery spyware stealer

Detect Vidar Stealer
Vidar
Stealc
Downloads MZ/PE file
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Checks computer location settings
Reads data files stored by FTP clients
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Delays execution with timeout.exe
Enumerates processes with tasklist
Checks processor information in registry
Modifies system certificate store

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-12 01:35

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-12 01:35
Reported: 2024-06-12 01:37
Platform: win10v2004-20240508-en
Max time kernel: 55s
Max time network: 58s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1542d41a00f9cabd0dfeb5b30f5629f0_NeikiAnalytics.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Stealc

stealer stealc

Vidar

stealer vidar

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1542d41a00f9cabd0dfeb5b30f5629f0_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\829400\Ears.pif N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\829400\Ears.pif N/A

Reads data files stored by FTP clients

spyware stealer

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\829400\Ears.pif N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\829400\Ears.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\829400\Ears.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\829400\Ears.pif N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\829400\Ears.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\829400\Ears.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\829400\Ears.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3952 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\1542d41a00f9cabd0dfeb5b30f5629f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 4596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1336 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1336 wrote to memory of 3624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1336 wrote to memory of 820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1336 wrote to memory of 1052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 3508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1336 wrote to memory of 1276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 2080 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\829400\Ears.pif
PID 1336 wrote to memory of 1412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2080 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\829400\Ears.pif C:\Windows\SysWOW64\cmd.exe
PID 3468 wrote to memory of 5088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1542d41a00f9cabd0dfeb5b30f5629f0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1542d41a00f9cabd0dfeb5b30f5629f0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Fruits Fruits.cmd & Fruits.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 829400

C:\Windows\SysWOW64\findstr.exe

findstr /V "KINGSTONRUBYIMENCOURAGED" Excel

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Identification + Karma + Placement 829400\Q

C:\Users\Admin\AppData\Local\Temp\829400\Ears.pif

829400\Ears.pif 829400\Q

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\829400\Ears.pif" & rd /s /q "C:\ProgramData\ECGDAAFIIJDA" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 IMLWiSaaOrKMKz.IMLWiSaaOrKMKz udp
US 8.8.8.8:53 t.me udp

Files

C:\Users\Admin\AppData\Local\Temp\Fruits
C:\Users\Admin\AppData\Local\Temp\Excel
C:\Users\Admin\AppData\Local\Temp\Victory
C:\Users\Admin\AppData\Local\Temp\Metro
C:\Users\Admin\AppData\Local\Temp\Ta
C:\Users\Admin\AppData\Local\Temp\Diamond
C:\Users\Admin\AppData\Local\Temp\Reports
C:\Users\Admin\AppData\Local\Temp\Fix
C:\Users\Admin\AppData\Local\Temp\Chrome
C:\Users\Admin\AppData\Local\Temp\Forecast
C:\Users\Admin\AppData\Local\Temp\Situated
C:\Users\Admin\AppData\Local\Temp\Man
C:\Users\Admin\AppData\Local\Temp\Tom
C:\Users\Admin\AppData\Local\Temp\Peripherals
C:\Users\Admin\AppData\Local\Temp\Sunrise
C:\Users\Admin\AppData\Local\Temp\Hunger
C:\Users\Admin\AppData\Local\Temp\Deferred
C:\Users\Admin\AppData\Local\Temp\Lawyers
C:\Users\Admin\AppData\Local\Temp\Villa
C:\Users\Admin\AppData\Local\Temp\Portraits
C:\Users\Admin\AppData\Local\Temp\Samuel
C:\Users\Admin\AppData\Local\Temp\Galaxy
C:\Users\Admin\AppData\Local\Temp\Sd
C:\Users\Admin\AppData\Local\Temp\Purchasing
C:\Users\Admin\AppData\Local\Temp\Benjamin
C:\Users\Admin\AppData\Local\Temp\Demonstrates
C:\Users\Admin\AppData\Local\Temp\Identification
C:\Users\Admin\AppData\Local\Temp\Karma
C:\Users\Admin\AppData\Local\Temp\Placement
C:\Users\Admin\AppData\Local\Temp\829400\Ears.pif
C:\Users\Admin\AppData\Local\Temp\829400\Q


Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-12 01:35
Reported: 2024-06-12 01:37
Platform: win7-20240611-en
Max time kernel: 120s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1542d41a00f9cabd0dfeb5b30f5629f0_NeikiAnalytics.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Stealc

stealer stealc

Vidar

stealer vidar

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\829400\Ears.pif N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\829400\Ears.pif N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\829400\Ears.pif N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\829400\Ears.pif N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\829400\Ears.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\829400\Ears.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\829400\Ears.pif N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\829400\Ears.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\829400\Ears.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\829400\Ears.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2940 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\1542d41a00f9cabd0dfeb5b30f5629f0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 2140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2604 wrote to memory of 2172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2604 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2604 wrote to memory of 1948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2604 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 1060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2604 wrote to memory of 1188 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 3008 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\829400\Ears.pif
PID 2604 wrote to memory of 1132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3008 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\829400\Ears.pif C:\Windows\SysWOW64\cmd.exe
PID 980 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1542d41a00f9cabd0dfeb5b30f5629f0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1542d41a00f9cabd0dfeb5b30f5629f0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Fruits Fruits.cmd & Fruits.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 829400

C:\Windows\SysWOW64\findstr.exe

findstr /V "KINGSTONRUBYIMENCOURAGED" Excel

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Identification + Karma + Placement 829400\Q

C:\Users\Admin\AppData\Local\Temp\829400\Ears.pif

829400\Ears.pif 829400\Q

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FIDAFCAFCBKE" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

Network

Country Destination Domain Proto
US 8.8.8.8:53 IMLWiSaaOrKMKz.IMLWiSaaOrKMKz udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
BE 104.68.92.92:443 steamcommunity.com tcp
FI 95.217.135.112:443 95.217.135.112 tcp
FI 95.217.135.112:443 95.217.135.112 tcp
FI 95.217.135.112:443 95.217.135.112 tcp
FI 95.217.135.112:443 95.217.135.112 tcp
FI 95.217.135.112:443 95.217.135.112 tcp
FI 95.217.135.112:443 95.217.135.112 tcp
FI 95.217.135.112:443 95.217.135.112 tcp
FI 95.217.135.112:443 95.217.135.112 tcp
FI 95.217.135.112:443 95.217.135.112 tcp
FI 95.217.135.112:443 - tcp
FI 95.217.135.112:443 - tcp
FI 95.217.135.112:443 - tcp
FI 95.217.135.112:443 - tcp
FI 95.217.135.112:443 - tcp
FI 95.217.135.112:443 - tcp
FI 95.217.135.112:443 95.217.135.112 tcp
FI 95.217.135.112:443 95.217.135.112 tcp
FI 95.217.135.112:443 95.217.135.112 tcp
FI 95.217.135.112:443 95.217.135.112 tcp
FI 95.217.135.112:443 95.217.135.112 tcp
FI 95.217.135.112:443 95.217.135.112 tcp
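The network table shows the two-step contact pattern that Vidar-family stealers are documented to use: DNS and TLS to public profile hosts (t.me, steamcommunity.com) that serve as dead-drop resolvers for the real C2 address, followed by a burst of 21 TLS connections to 95.217.135.112 for which no hostname was ever resolved, plus one DNS query for a name with no real top-level domain. The following is an added example, not part of the report: a Python triage routine that parses rows in the table's own format and labels each destination. The rows are copied from this report; the dead-drop host list and the labels are assumptions, and the bare-IP host is a C2 candidate for an analyst to confirm, not a confirmed C2.

```python
import ipaddress
from collections import Counter

# Added example, not from the report. Public hosts that Vidar-family stealers
# are documented to abuse as dead-drop resolvers (a profile page carrying the
# real C2 address). Assumption: a short list for illustration, not a feed.
DEAD_DROP_HOSTS = {"t.me", "steamcommunity.com"}

# Rows copied from the Network table of this report. Format is
# "Country Destination Domain Proto"; the Domain cell is absent or "-" on
# some rows where no name was associated with the connection.
NETWORK_ROWS = """\
US 8.8.8.8:53 IMLWiSaaOrKMKz.IMLWiSaaOrKMKz udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
BE 104.68.92.92:443 steamcommunity.com tcp
FI 95.217.135.112:443 95.217.135.112 tcp
FI 95.217.135.112:443 95.217.135.112 tcp
FI 95.217.135.112:443 95.217.135.112 tcp
FI 95.217.135.112:443 95.217.135.112 tcp
FI 95.217.135.112:443 95.217.135.112 tcp
FI 95.217.135.112:443 95.217.135.112 tcp
FI 95.217.135.112:443 95.217.135.112 tcp
FI 95.217.135.112:443 95.217.135.112 tcp
FI 95.217.135.112:443 95.217.135.112 tcp
FI 95.217.135.112:443 tcp
FI 95.217.135.112:443 - tcp
FI 95.217.135.112:443 tcp
FI 95.217.135.112:443 - tcp
FI 95.217.135.112:443 tcp
FI 95.217.135.112:443 - tcp
FI 95.217.135.112:443 95.217.135.112 tcp
FI 95.217.135.112:443 95.217.135.112 tcp
FI 95.217.135.112:443 95.217.135.112 tcp
FI 95.217.135.112:443 95.217.135.112 tcp
FI 95.217.135.112:443 95.217.135.112 tcp
FI 95.217.135.112:443 95.217.135.112 tcp
""".splitlines()


def parse_row(line):
    """Parse one table row; a missing or '-' Domain cell becomes ''."""
    parts = line.split()
    if len(parts) == 3:
        country, dest, proto = parts
        domain = ""
    elif len(parts) == 4:
        country, dest, domain, proto = parts
        domain = "" if domain == "-" else domain
    else:
        raise ValueError(f"unexpected row: {line!r}")
    ip, _, port = dest.rpartition(":")
    ipaddress.ip_address(ip)  # raises on a malformed address
    return {"country": country, "ip": ip, "port": int(port),
            "domain": domain, "proto": proto}


def classify(row):
    """Label a parsed row. Labels are an assumption for this example."""
    d = row["domain"]
    if row["port"] == 53 and row["proto"] == "udp":
        labels = d.split(".")
        if len(labels) == 2 and labels[0] == labels[1]:
            # A random label reused as its own TLD is not a resolvable public
            # name; treat it as a connectivity/sandbox probe, not an IOC.
            return "dns-probe"
        return "dns-dead-drop" if d in DEAD_DROP_HOSTS else "dns"
    if d in DEAD_DROP_HOSTS:
        return "dead-drop-resolver"
    if not d or d == row["ip"]:
        # TLS straight to an address that was never looked up by name: the
        # shape of a C2 taken from the resolver page. Candidate, not confirmed.
        return "bare-ip-c2-candidate"
    return "other"


def triage(rows):
    """Count connections per (ip, port, label)."""
    counts = Counter()
    for line in rows:
        r = parse_row(line)
        counts[(r["ip"], r["port"], classify(r))] += 1
    return counts


def c2_candidates(rows):
    """Sorted list of bare-IP hosts worth pivoting on in proxy/firewall logs."""
    return sorted({ip for (ip, _, label) in triage(rows) if label == "bare-ip-c2-candidate"})


if __name__ == "__main__":
    for (ip, port, label), n in sorted(triage(NETWORK_ROWS).items()):
        print(f"{ip}:{port:<5} {label:<22} x{n}")
    print("C2 candidates:", c2_candidates(NETWORK_ROWS))
```

The dead-drop hosts themselves are not blockable indicators on most networks (t.me and steamcommunity.com carry legitimate traffic); the useful pivot is the name-less TLS destination that appears immediately after them, which is why only the bare-IP label feeds `c2_candidates`.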

Files

C:\Users\Admin\AppData\Local\Temp\Fruits

MD5 eb3fae8a683a15fd933ebbab324bfe19
SHA1 d1d18c482db02b636c207ca12a539dff7d9af044
SHA256 b312c5cf2a734c3aa449d22ad12702ae9240fd73c2c005ced6decbb99873808c
SHA512 8c7c366f3805cc608b966e6a193fdd843a6647f7bbb1b01cc89bb0e4e31a8849aa278e432703197491c7bdddb6231dd3d39198ee159cf648e4002325821a843a

C:\Users\Admin\AppData\Local\Temp\Excel

MD5 603a561fdbbf8d4156266ea623906d7b
SHA1 af6b10e966a2526bdd704d3d2ea905daacad6593
SHA256 95ddd75eb156133d532e98db1d9363dbf5d3c4c954bf79cc2cd22e2ba4ce0c07
SHA512 7baf297d6ab9495177cab8c8ffc4a0a0500868b55c19646393d4c74e22899aa64b97a9229091270a343f016dcfdf59af41cb4e0b58fbbcaaff48d7cfd63a5648

C:\Users\Admin\AppData\Local\Temp\Demonstrates

MD5 4fd3283879b1c902950aa73281ae5017
SHA1 9cb92719fdfb80677b3329556336521dbea377f7
SHA256 efb6d2935b50e615690790f4e4608c53082ffb0f232ce2da3aff4bb9a2ffe616
SHA512 657a0776d5217e61fbe81e7dd3d78b23a6cc03e41291407b53fab13c0a5a4af38383ac314ec233b1aa3c0cc5c1f615c8a191d62a67d4b12d238f80676cf28071

C:\Users\Admin\AppData\Local\Temp\Benjamin

MD5 2780fee8af52bf356cf0c47089d14eb1
SHA1 fae68418f8c48e463ff3edbdb819cabc819648d0
SHA256 50ba73f42b45ec45888da37aa523148a0d81dc646df57970dba731118c4f4ab5
SHA512 31dfd2cfd42ac57bea7845f4e710c7f118b373b4c7be1204fdd9721380c92adec4f9381a2dc78820b5856dba7e56e2e856966fdca615dc30e5e86ceacb1b6e78

C:\Users\Admin\AppData\Local\Temp\Purchasing

MD5 5561a3c84f082a48b22345c65bdbb212
SHA1 1c0d792e5295342215def18ffbce2cd81f76fb17
SHA256 af45402e08dfed8a4e245427a02033226bd30e5b917af556c47c967b45b5fb5c
SHA512 e9fac53f7c3e84a12ff4654ae452434966a27008a7bad5fdefa73406b4feb8050d2d3d6b23bbab502208257b15c4b7fc93cd3b241fcf3c6a98d4d082bd470a5f

C:\Users\Admin\AppData\Local\Temp\Sd

MD5 0694fc346abafffba8ac24bb52d5db96
SHA1 a3d8ee877736e6692c80c5294a84a432c142fde9
SHA256 2593057821bc3f50578f4df1795668da858616e8283a33c6d070050f06f3f906
SHA512 fd934c1eb4cc06538f32fbb0fbdaef9cc4a86725ca4d2b922a272dbbb3c0b2fe29e5f9db9658df999f600db6a90a0314753e24af4e14fb0ba548f2216f0cbf7f

C:\Users\Admin\AppData\Local\Temp\Galaxy

MD5 dd24039c4f8ea988c24e468979f68ae1
SHA1 ec64268042668ab8ed528dba54ae76638347c0f4
SHA256 2fbb12d3cf6f536ba2b2ca8494de248c6f5b068239d10891a910a6da5957b692
SHA512 b72d117a4bb45a4f093561b1c6f6ea3122091ed393edbfb00858f473b8514febb44cffd77554c5be02dfb4f52607a5cf91cd644c264f76d25d25afe7ac82847a

C:\Users\Admin\AppData\Local\Temp\Samuel

MD5 2c400c280e251a9cf9c20c104f6f67c6
SHA1 a2a537402a82be431b387bb9d3550425246b35ce
SHA256 bb3753b3070c799b0cfdb42b51bc488a9c14e34ceba6d77d263456e90345e2ec
SHA512 9490c6a4d03292431aad783bd231717c6c6dfe08c4255113e37b5414c748937041241b35030eb3b4dc70d8dfd9c2788910c78578b260b7c64d4fe2d89df92d8d

C:\Users\Admin\AppData\Local\Temp\Portraits

MD5 4f9018fc7608336c9f99e6ed9c69415f
SHA1 bedb514a17d7c1e7067a48f8c9278ed939acadfc
SHA256 48b6b3c37e131436d7a7fea15b37710c8168907d0fb7dbf43bf86680972fec2b
SHA512 23270318e7af92be8c59bc0fe4417e13750a2ec96487282b60a3350d151ccb94da617067be50f37371ada60f8a57e4bd3b304ddf83230b5c6af87172a518b20a

C:\Users\Admin\AppData\Local\Temp\Villa

MD5 fba070d61c3bb6da80a7c3f37c6ea530
SHA1 792b4f2c18808796bd08fc2692080808d7793778
SHA256 629bdf92919c74d1aae2b1ade44f6b73d3984b3a34ce07932f551cbedf5918ce
SHA512 2a51651d379edadb9c3039f66ddc2784b0406403020479f11093c4df965ac3b08addbe538b546cdb0d0366d67b517a6f9bdab63b7791c38715c74750fe9e2868

C:\Users\Admin\AppData\Local\Temp\Lawyers

MD5 cd926a2bea569ae4b974717425b32a35
SHA1 ab0accb9f67064333250d7d73f76412f77ef469b
SHA256 09b06e8c0db3bd321b59eaecd0064a9ccbcee473d7a31bcb313ac4b77706ff24
SHA512 a0c49dc44fe3a53aa5c1803f43620ef18fdc1372b3eb12bf3095693c685b5826206abf0cf1cad276296fb667969e9ff0855f76af214e7e02da3864487e503d64

C:\Users\Admin\AppData\Local\Temp\Deferred

MD5 29ed5da37edc2beae615504c9dc383cc
SHA1 ed82638feb5765eadfb70e7830f2cc64fd7f3270
SHA256 0aa3abd19dd3a68e9b092e6806cb5896b03c0b293f311c64344c00c67f56f768
SHA512 8a9026e4252cb5fa65a16eaae44b88d2bf29a16ede3e68516c085b3b26d8e76e194e4fe8ae591d688189a8c1593870b6d03c3063ff6b702819ded77efd6cfedc

C:\Users\Admin\AppData\Local\Temp\Hunger

MD5 1eb3e14d362a71e2e36fda1fc4889055
SHA1 a82ff07e9c68a830babf2532968a90916e487101
SHA256 a1905e85ed55f08746b133fbd56ff9e019eae9cd883c764311b2eaebba82cb6f
SHA512 379bb7cb9d9851530c4315b1eaaa4a6e6b8b985e3e548ea0ceae5e05fdc0c199eb80ad653e0cc818394cffb672989d24bebd544fe5b3cbc348cd8b145e33fcc7

C:\Users\Admin\AppData\Local\Temp\Sunrise

MD5 595fca08ec604954fe78b07b94ed9ecb
SHA1 cdb6b1dbaeaa50f072d1d4faf7e6da25c4f54d4a
SHA256 a6f280510a7dc0e644fcc4d83e3b2fe38af645f646707a5bcff3bf332c1bd188
SHA512 b9a82caa57fd8f8d9cda6327c11344ac9b1c787002f1f7ea446003a0b350c18e469b76623d5ae1f64cbda9cd4b2d82c4d900aa01fdbba2199d07a6bcde2306e0

C:\Users\Admin\AppData\Local\Temp\Peripherals

MD5 056d45c3b4ef3724063671b1789c6e32
SHA1 6b77ae1dab501603279af2a6e9d89662246ef31b
SHA256 937964351c5fd56d7671d883fae7ebbd0f5ec67cbaa29065e7507795b08a2958
SHA512 03e53f7e7978870c59c1cb13aa2c63ea6e0b80954e23227108224cf94c4cba2545af39936d2f21e7b9a2d45d001305fb329a6552496f4da4c3ac4ae1216f5883

C:\Users\Admin\AppData\Local\Temp\Tom

MD5 1f70b4c6a06a214e8b5bd193a2016cde
SHA1 44c23b6bb2ae695fdc2a9970cd9382c12a909138
SHA256 cb20ecd86ee0f75692f67cc39096a79fbe3ae50399a8723af4d5e6b15adbe978
SHA512 4ba3cef34fa0a68046a8170cd6f67cc16b98245f9d84d33a512381466617901523cb329219fd6fe1e5935817baa7cd8f8c44ab4e2b6616d29ad78e5c0f20a11b

C:\Users\Admin\AppData\Local\Temp\Man

MD5 58352144e2dd44ebad608221de80a6ff
SHA1 313a9aca069782a4f3cb8a03d246b52779151672
SHA256 29f667de80e7e60626d3aeb288b0167f8b1427ed2bd9bdab6c4a5e55e52af378
SHA512 2e166bc1ed1ba0a55db0592e227e125fa045b0a1e8fc39b980cff90b08cc4e0a5041b68d29cabeefc30fb4b34a867dcc90e792f590b7e77d4cc51e651a18113a

C:\Users\Admin\AppData\Local\Temp\Situated

MD5 e7913ee9fab09cf8152cd8524f77f2f1
SHA1 8309cc75eeeeb0746043aaf0c8d46c3d5c959f50
SHA256 82209562198562588b474a03a6a322218da2d10d0826bb513c44b1cd88089ff2
SHA512 fe9cbf26095b50589bfb91e8b4dd3b4b429afd25c3b05fddfa402b32435e52baec016fdef795c390d4e8296cbf3981375a4e579ef10c2ff1c466477111b2102f

C:\Users\Admin\AppData\Local\Temp\Forecast

MD5 4d74ac13bc7dc8ed5a56ac29e4d50644
SHA1 93dc6d2e23754f83323c88f80a6dbd836b01125f
SHA256 df083a30a1f7c3e617be3cc00effa83992ffbe7a4aa2f3ead2bd79981a76e431
SHA512 dbaf4431976a1f80c8b92decda539c22cde5edc028150711d2f2fbc79a13137659733964d32ec3e497790184edade8e84ce1ed777cdb968092668ad056a8cf9d

C:\Users\Admin\AppData\Local\Temp\Chrome

MD5 556ea5e19f552ad6bb7a7d3bf3531ca9
SHA1 c679d57445b2439f06a8e3435a9b25ba2581b871
SHA256 9ce664bc4d40c6db59ff011f1dd261e3fc18ce4ded4d82b59c5426103cb6de01
SHA512 2d681f43748f0a7538b30079ce84a4db98923ae09b9ebf3b24a104e54da1a7b8bb95b70b7a23291b42fc182742c9efc667897d47d36fa170b46a53258a4090c4

C:\Users\Admin\AppData\Local\Temp\Fix

MD5 1b7141d02e6245378e2cccfdc0768478
SHA1 8af8f42b7d7630f787c151a880aac71bc6b973c8
SHA256 f1eaf783ffe33b90b8b23609d6bb34dcb3b9f8603a23d4e9ecd126d4b094398c
SHA512 9c8fdb9fdce136ad49bc40abe00173f58df6165c4a8f8d1996bd98dd0dd98186e6023e1a023c49e684dd7173f0a11a9344b8479b14f978d9306506c6f1e7046e

C:\Users\Admin\AppData\Local\Temp\Reports

MD5 315885ae450888961c4fb66aeacff362
SHA1 b1d72a3c6c5d064c80b544312ff71118f976817b
SHA256 f34e7ecbe63ed7ec34597a69c6a6248ffd8c5c31039f72b474f8a3296dd39160
SHA512 5f9e94dffe60acad4d7e6d6bf984e6a7d1744b88590d10c88a30e1103b3c31bc5d39fa3f2b9dd10ec64d672f0d901dda4ddfa69c0e12f1acfa3cf648ed0daf93

C:\Users\Admin\AppData\Local\Temp\Diamond

MD5 d7355f89b15d12b16cd57fe1fa961551
SHA1 e8551fdd15ccd83a0d5f96060c1ee47635cd13f7
SHA256 ede25565ec8f71b02ffc2b9c1b77f0057ad63d055f65ffe02e708d5e97b4de12
SHA512 54d0dbc445340d98c5aff57e6110a7528b643ea7299fdca4ebcaf42317c2475e1c2859f60b52212b77b77ec554eda607fc719ee48bd6353126fbbba24d446e57

C:\Users\Admin\AppData\Local\Temp\Ta

MD5 8d84b6f82c3f7693657d58879dbd55f2
SHA1 bb503b7863e082b709aaef55b188999a8a839a67
SHA256 f55a2f5fffa66e476d4f55752d53f4e5470d1b8d1b6bf25d962664f8b0a8b4f7
SHA512 f9432eca257a3b75104f6812f78a274361777c493f2d6ef1896c359fe35b88958b9039f579df36bdbd87d31be53fd0136e82997fd54fd6a37ec55230e7fd4001

C:\Users\Admin\AppData\Local\Temp\Metro

MD5 d0daf180e0c9add89aaf18c545ccb4e2
SHA1 916a961390f21b52e48e0c90d6104d5c7aedbfb3
SHA256 f5eef3d6715298787c8fd6f41f42266c48ce0f360358e0426b598051badbbe90
SHA512 6bad9420298e403d2a08b32c9a11d662e9a20d84c89bb186254f70eebc6a630f68e77eca40061435f7be0a9eaf8980fa85f6507f519d9dec6b0544d40d9076ef

C:\Users\Admin\AppData\Local\Temp\Victory

MD5 59f3822052e7cba0be525bc111fb3fdb
SHA1 6e7de3fa1f961dcdf5c6776b062d4b56bc1aafe3
SHA256 8b38b16e30661583d65094daace272247898743f340784f394e44ae502f314bc
SHA512 e088844b60209d0033c0ab61421980c9756a92ce49fbc0c37e017e2b8553f1fdfd09d6dc5069037dc0558f0fbb04bf9d69d26d8744a624fc672dcc2a90c866d8

C:\Users\Admin\AppData\Local\Temp\Identification

MD5 70f06101df60a2db21d8affae624bb1d
SHA1 70cb22602badfd4da801c80dc774af36bff92a44
SHA256 49f4b8666ae3a9e155190e634e5780748fac401f31d1e4d7cd2a6287e0bf4685
SHA512 f58f4dd383e3afd101dd7c44e99e36b68280c3d52e317f9eca58c43576107038c8d23492afc2c511929d8157cc175bae2a3e58e94864f9c493d1b076495653d6

C:\Users\Admin\AppData\Local\Temp\Karma

MD5 53c1fae2d238de07a67271c003142125
SHA1 8d7f08c8b927f632f3692f7c1443deb99521d377
SHA256 c894ec7afc82a47e686e1143051f8a91ebe0eabb5052634c2dbc28a3a38676b4
SHA512 87248500255e6b8cbddeee54d381f3983cff67be7b8bc52d2b982f03540d5cbc5185e9eeb40cfb42135ec6bbe48854e42816ac00697d5745fb8d1d8b559751e1

C:\Users\Admin\AppData\Local\Temp\Placement

MD5 714ba7108c19d2ab0ace9a695190e55a
SHA1 8dcdafb12052f2093f1ec40d7bdf6331a989064c
SHA256 49fc65c9c6b4dc16a109904aeef5afce804667805be154f66a3ef8947018a281
SHA512 c284bcf053dced196516e6625b4733b71bdf3d0718aa925ebd9d1af051dbefd91b8faf2963dd69bc68f43aae1b697d92116844e51b2e3850d6759a0a6b535ea3

\Users\Admin\AppData\Local\Temp\829400\Ears.pif

MD5 b06e67f9767e5023892d9698703ad098
SHA1 acc07666f4c1d4461d3e1c263cf6a194a8dd1544
SHA256 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb
SHA512 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

C:\Users\Admin\AppData\Local\Temp\829400\Q

MD5 b44d047091100466ccf7e4c689e69efc
SHA1 bd0b026f80520a1f8846a85e4920c90512a40262
SHA256 4f1dafad2aad37233886751f17eb44f67aa2f55ce583a8412e360aa424e16d18
SHA512 5e3ace52a922c1842cf8cf895b5f7929b3196a8e1507aa8bf44288803f23a9b042c697657294696f3861eb265c576f06621ab065d2af8e13714c60249b2dbc4e
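The two files in 829400 are not dropped directly; the batch script builds them from the fragments listed above. `copy /b Identification + Karma + Placement 829400\Q` concatenates three fragments byte for byte, and `findstr /V "KINGSTONRUBYIMENCOURAGED" Excel` emits every line of Excel that does not contain the marker (the output redirect is not part of the captured findstr command line, but Ears.pif is the only other file created in 829400, so it is presumably the target). An analyst holding the dropped files can therefore rebuild both and check them against the hashes in this report. The following is an added example, not part of the report: a Python model of the two operations plus the hash comparison. The fragment bytes in `demo()` are constructed; the SHA-256 values for comparison are the report's.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example, not from the report: rebuild 829400\Q and 829400\Ears.pif
# from the dropped fragments the way the batch script does, then compare
# against the SHA-256 values listed in this report.
REPORTED_SHA256 = {
    "829400/Q": "4f1dafad2aad37233886751f17eb44f67aa2f55ce583a8412e360aa424e16d18",
    "829400/Ears.pif": "8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb",
}
MARKER = b"KINGSTONRUBYIMENCOURAGED"


def copy_b(*fragments: bytes) -> bytes:
    """Model of `copy /b A + B + C out`: plain binary concatenation."""
    return b"".join(fragments)


def findstr_v(data: bytes, marker: bytes) -> bytes:
    """Model of `findstr /V "MARKER" file`: drop every line containing MARKER.

    Lines are split on LF and kept byte-exact (a trailing CR stays with its
    line). Assumption: a simplified model of findstr's line handling on binary
    input, which is why the result is verified by hash rather than trusted."""
    kept = [line for line in data.split(b"\n") if marker not in line]
    return b"\n".join(kept)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def rebuild_and_check(temp_dir):
    """Rebuild both files from fragments in temp_dir (the sandbox's %TEMP%).

    Returns {name: (sha256, matches_report)}."""
    t = Path(temp_dir)
    q = copy_b(*(t.joinpath(n).read_bytes()
                 for n in ("Identification", "Karma", "Placement")))
    ears = findstr_v(t.joinpath("Excel").read_bytes(), MARKER)
    result = {}
    for name, blob in (("829400/Q", q), ("829400/Ears.pif", ears)):
        digest = sha256_hex(blob)
        result[name] = (digest, digest == REPORTED_SHA256[name])
    return result


def demo():
    """Run the workflow on constructed fragments (not the real dropped files),
    so the report's hashes are expected NOT to match here."""
    with tempfile.TemporaryDirectory() as d:
        t = Path(d)
        (t / "Identification").write_bytes(b"MZ\x90\x00")
        (t / "Karma").write_bytes(b"\x03\x00\x00\x00")
        (t / "Placement").write_bytes(b"\x04\x00\x00\x00")
        (t / "Excel").write_bytes(
            b"MZ\x90\x00\r\n" + MARKER + b" decoy text\r\nPE\x00\x00\r\n")
        return rebuild_and_check(d)


if __name__ == "__main__":
    for name, (digest, ok) in demo().items():
        print(f"{name}: {digest} {'MATCH' if ok else 'no match'}")
```

Against a real capture the call is simply `rebuild_and_check(r"C:\Users\Admin\AppData\Local\Temp")` on a copy of the sandbox's Temp folder; a match on Q confirms which three of the twenty-odd decoy fragments carry the payload, and a mismatch on Ears.pif is the first sign that the simplified findstr model above needs refining for that sample.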

memory/3008-282-0x0000000003500000-0x0000000003748000-memory.dmp

memory/3008-283-0x0000000003500000-0x0000000003748000-memory.dmp

memory/3008-284-0x0000000003500000-0x0000000003748000-memory.dmp

memory/3008-285-0x0000000003500000-0x0000000003748000-memory.dmp

memory/3008-286-0x0000000003500000-0x0000000003748000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab8F66.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar8F88.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c4c60907d0ae56ffcb2e8afd7a9c9740
SHA1 0be8fd0477dbebc89580a1c0d43f7a6b67c9eac4
SHA256 f2a79956a0327b9a2d397073e20a810d037764dafc901e6e99f441c575265ec4
SHA512 b162d46bfc51e92592a20feb537996e0da962af1314bc6dd7a9543a8f92420b2b443bd226f4d3cc8df462fddfd62af394b52bd6bf02d3b8e5b527c2bbc95c704

memory/3008-420-0x0000000003500000-0x0000000003748000-memory.dmp

memory/3008-439-0x0000000003500000-0x0000000003748000-memory.dmp

memory/3008-459-0x0000000010000000-0x000000001025F000-memory.dmp

memory/3008-466-0x0000000003500000-0x0000000003748000-memory.dmp

memory/3008-487-0x0000000003500000-0x0000000003748000-memory.dmp

memory/3008-493-0x0000000003500000-0x0000000003748000-memory.dmp

memory/3008-537-0x0000000003500000-0x0000000003748000-memory.dmp

memory/3008-668-0x0000000003500000-0x0000000003748000-memory.dmp

memory/3008-687-0x0000000003500000-0x0000000003748000-memory.dmp