Malware Analysis Report

2024-09-09 13:22

Sample ID 240613-fe873aybrp
Target 5faf6fe31a74438f64465a4c55443620_NeikiAnalytics.exe
SHA256 0413c9f614a312dd40fb834255e2ae48056903c975249be3bd43b44879c67b79
Tags
collection discovery persistence spyware stealer upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

0413c9f614a312dd40fb834255e2ae48056903c975249be3bd43b44879c67b79

Threat Level: Shows suspicious behavior

The file 5faf6fe31a74438f64465a4c55443620_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

collection discovery persistence spyware stealer upx

Reads local data of messenger clients

Executes dropped EXE

UPX packed file

Reads user/profile data of web browsers

Loads dropped DLL

Adds Run key to start application

Accesses Microsoft Outlook accounts

Looks up external IP address via web service

Checks installed software on the system

Suspicious use of SetThreadContext

AutoIT Executable

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

NTFS ADS

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-13 04:48

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 04:48

Reported

2024-06-13 04:50

Platform

win7-20240508-en

Max time kernel

145s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5faf6fe31a74438f64465a4c55443620_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\winmgr119.exe N/A
N/A N/A C:\ProgramData\winmgr119.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5faf6fe31a74438f64465a4c55443620_NeikiAnalytics.exe N/A

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe" C:\Users\Admin\AppData\Local\Temp\5faf6fe31a74438f64465a4c55443620_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe" C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A bot.whatismyipaddress.com N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File created C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA C:\ProgramData\winmgr119.exe N/A
File opened for modification C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA C:\ProgramData\winmgr119.exe N/A
File created C:\Users\Admin\AppData\Local\Temp\5faf6fe31a74438f64465a4c55443620_NeikiAnalytics.exe:Zone.Identifier:$DATA C:\Users\Admin\AppData\Local\Temp\5faf6fe31a74438f64465a4c55443620_NeikiAnalytics.exe N/A
File created C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe:Zone.Identifier:$DATA C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5faf6fe31a74438f64465a4c55443620_NeikiAnalytics.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\winmgr119.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\ProgramData\winmgr119.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2980 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\5faf6fe31a74438f64465a4c55443620_NeikiAnalytics.exe C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
PID 2980 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\5faf6fe31a74438f64465a4c55443620_NeikiAnalytics.exe C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
PID 2980 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\5faf6fe31a74438f64465a4c55443620_NeikiAnalytics.exe C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
PID 2980 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\5faf6fe31a74438f64465a4c55443620_NeikiAnalytics.exe C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
PID 1756 wrote to memory of 2776 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1756 wrote to memory of 2776 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1756 wrote to memory of 2776 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1756 wrote to memory of 2776 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1756 wrote to memory of 2776 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1756 wrote to memory of 2776 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1756 wrote to memory of 2776 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1756 wrote to memory of 2776 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1756 wrote to memory of 2776 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1756 wrote to memory of 2672 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 2672 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 2672 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 2672 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 2824 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 2824 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 2824 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 2824 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 2564 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 2564 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 2564 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 2564 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 3016 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 3016 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 3016 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 3016 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2872 wrote to memory of 2904 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\winmgr119.exe
PID 2872 wrote to memory of 2904 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\winmgr119.exe
PID 2872 wrote to memory of 2904 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\winmgr119.exe
PID 2872 wrote to memory of 2904 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\winmgr119.exe
PID 1756 wrote to memory of 3036 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 3036 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 3036 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 3036 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 2488 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 2488 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 2488 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 2488 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 2244 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 2244 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 2244 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 2244 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 2732 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 2732 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 2732 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 2732 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 1592 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 1592 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 1592 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 1592 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 1528 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 1528 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 1528 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 1528 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 2056 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 2056 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 2056 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 2056 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 2076 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 2076 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1756 wrote to memory of 2076 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5faf6fe31a74438f64465a4c55443620_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5faf6fe31a74438f64465a4c55443620_NeikiAnalytics.exe"

C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe

C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

0

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\system32\taskeng.exe

taskeng.exe {F957AC33-FB5D-428E-8821-3AC4C66E6045} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]

C:\ProgramData\winmgr119.exe

C:\ProgramData\winmgr119.exe

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp513C.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp5217.tmp"

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp6615.tmp"

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\ProgramData\winmgr119.exe

C:\ProgramData\winmgr119.exe

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 icanhazip.com udp
US 8.8.8.8:53 ipinfo.io udp
US 8.8.8.8:53 curlmyip.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 smtp.mail.me.com udp
US 8.8.8.8:53 smtp.mail.me.com udp
US 8.8.8.8:53 smtp.mail.me.com udp
US 8.8.8.8:53 smtp.mail.me.com udp
US 8.8.8.8:53 smtp.mail.me.com udp

Files

\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe

MD5 be8db666025182b6912a305890ae8eb5
SHA1 ab85fc2a774418ac1e65320b068002263ae397e1
SHA256 e63ef0c1fac0dd6b85ca5f2bf8ee278974be97523b4207c6a7c2f15965706388
SHA512 d93e3f5dcfb219f3717773b4a87949cf6ff7f6f02755717d395d6e91047d91028a28ab58fc3d8f2fd80ccd6e8b70237c7ea9202e69bc9eae58e890e398f0f91a

C:\ProgramData\winmgr119.exe

MD5 d3bc4daecfc1f262f318ad24c43fa5d8
SHA1 0f6209288d9d34360dc2822ba9a42cbcaa22586f
SHA256 8ac32d3c00d54304c436b6a72af3f73881fe305507aa2055bf54fecf8d723a06
SHA512 efa2a8d2fe9d97416ec33211a956e2acbdc180e9651a304519d94791d9eb12c07ae5a09546b177d686b269b13de988f9f22738a0ea6b60cbb0d8dd3c9ed6dd41

memory/2776-13-0x0000000000250000-0x000000000031A000-memory.dmp

memory/2776-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2776-15-0x0000000000250000-0x000000000031A000-memory.dmp

memory/2776-10-0x0000000000250000-0x000000000031A000-memory.dmp

memory/2776-17-0x0000000000250000-0x000000000031A000-memory.dmp

memory/2776-18-0x0000000074472000-0x0000000074474000-memory.dmp

memory/2776-21-0x0000000074472000-0x0000000074474000-memory.dmp

memory/1700-27-0x0000000000400000-0x000000000048E000-memory.dmp

memory/1700-28-0x0000000000400000-0x000000000048E000-memory.dmp

memory/1700-29-0x0000000000400000-0x000000000048E000-memory.dmp

memory/1700-26-0x0000000000400000-0x000000000048E000-memory.dmp

memory/1700-34-0x0000000000400000-0x000000000048E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp513C.tmp

MD5 e4bf4f7accc657622fe419c0d62419ab
SHA1 c2856936dd3de05bad0da5ca94d6b521e40ab5a2
SHA256 b32fa68b79c5a7ceaa89e8e537efe33a963c499666202611329944bd2c09318e
SHA512 85dc223e39a16ddeba53a4b3d6c9eff14d30ec67dfda1e650da2c9057f640edd033a31868915a31caac0d325d240a7f634f62cd52fbd2adc68bd1d9cb6281431

memory/628-38-0x0000000000400000-0x0000000000491000-memory.dmp

memory/628-39-0x0000000000400000-0x0000000000491000-memory.dmp

memory/628-40-0x0000000000400000-0x0000000000491000-memory.dmp

memory/628-44-0x0000000000400000-0x0000000000491000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5217.tmp

MD5 de4e5ff058882957cf8a3b5f839a031f
SHA1 0b3d8279120fb5fa27efbd9eee89695aa040fc24
SHA256 ef54f46b9f1e342fc12e035ae94f57c61ea4e8be4e116f0a1c6f86310f400f49
SHA512 a6b0d557e9eec4e56630e5ba64495df318f4fd959fffbdcbf77831185b067906917c9117a0ecd6ac817c7860d5d831cce15820d715657d81e2d817d9fab9fb72

memory/540-47-0x0000000000400000-0x000000000043C000-memory.dmp

memory/540-48-0x0000000000400000-0x000000000043C000-memory.dmp

memory/540-50-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp6615.tmp

MD5 3525ea58bba48993ea0d01b65ea71381
SHA1 1b917678fdd969e5ee5916e5899e7c75a979cf4d
SHA256 681bcee53cf679ac674e700136f9229b9184fe60ed6410dbd7a33d462ed13ae2
SHA512 5aad8dca43ec85882daf50c469bd04dcf0b62affc8bc605b3e289496a2679d4d548fea8bb0aea7080bbfbcdcab9d275fc6797b9c95b64f9f97ecf79583a83986

C:\ProgramData\khaxFMfI\2c945db753d341ef9b0f02d75d493749

MD5 d294863310558e8912e398479a4578c8
SHA1 58ed3122af3787386d55610b663ab0795ed2a478
SHA256 843c2750518e9e780fddec808330248f29ac9b4085b16aca33447064b147d2b2
SHA512 6b952fa880be0473b1e19ec2618bc41e5330b09249f0d0af48a12736491f2183bc4dc05892790d917cba50ab9fcab882cd91c18478d00486aaec5f42ab20b1dc

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 04:48

Reported

2024-06-13 04:50

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5faf6fe31a74438f64465a4c55443620_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\winmgr119.exe N/A
N/A N/A C:\ProgramData\winmgr119.exe N/A

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe" C:\Users\Admin\AppData\Local\Temp\5faf6fe31a74438f64465a4c55443620_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe" C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\5faf6fe31a74438f64465a4c55443620_NeikiAnalytics.exe:Zone.Identifier:$DATA C:\Users\Admin\AppData\Local\Temp\5faf6fe31a74438f64465a4c55443620_NeikiAnalytics.exe N/A
File created C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe:Zone.Identifier:$DATA C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
File created C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA C:\ProgramData\winmgr119.exe N/A
File opened for modification C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA C:\ProgramData\winmgr119.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5faf6fe31a74438f64465a4c55443620_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5faf6fe31a74438f64465a4c55443620_NeikiAnalytics.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\ProgramData\winmgr119.exe N/A
N/A N/A C:\ProgramData\winmgr119.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3656 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\5faf6fe31a74438f64465a4c55443620_NeikiAnalytics.exe C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe (3 identical rows)
PID 1472 wrote to memory of 4364 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (5 identical rows)
PID 1472 wrote to memory of 1600 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe (3 identical rows)
PID 4364 wrote to memory of 5084 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (7 identical rows)
PID 4364 wrote to memory of 4292 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (7 identical rows)
PID 4364 wrote to memory of 1376 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (6 identical rows)
PID 1472 wrote to memory of 3844 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe (3 identical rows)
PID 1472 wrote to memory of 3384 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe (3 identical rows)
PID 1472 wrote to memory of 2304 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe (3 identical rows)
PID 1472 wrote to memory of 2020 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe (3 identical rows)
PID 1472 wrote to memory of 4612 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe (3 identical rows)
PID 1472 wrote to memory of 2784 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe (3 identical rows)
PID 1472 wrote to memory of 3648 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe (3 identical rows)
PID 1472 wrote to memory of 3244 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe (3 identical rows)
PID 1472 wrote to memory of 5024 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe (3 identical rows)
PID 1472 wrote to memory of 4448 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe (3 identical rows)
PID 1472 wrote to memory of 5016 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe (3 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\5faf6fe31a74438f64465a4c55443620_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5faf6fe31a74438f64465a4c55443620_NeikiAnalytics.exe"

C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe

C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

0

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpA7F8.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpAA99.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpAAF7.tmp"

C:\Windows\SysWOW64\schtasks.exe (2 instances, identical command line)

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\ProgramData\winmgr119.exe

C:\ProgramData\winmgr119.exe

C:\Windows\SysWOW64\schtasks.exe (12 instances, identical command line)

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\ProgramData\winmgr119.exe

C:\ProgramData\winmgr119.exe

C:\Windows\SysWOW64\schtasks.exe (10 instances, identical command line)

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 icanhazip.com udp

Files

C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe

MD5 3e3a68df8785852f214a8449f74fb1ef
SHA1 2c9ce46dbde7b5ac513aa301cfd4ea53aae4b731
SHA256 3076a48c7d0031c1668c126d942f2118cd554a0c90d1eba591db2f9bc9576488
SHA512 fb651b00e77eea0df6e396b864377c68ff91e17974a3178155c061f71f098446181eb20e77cd399c767359654d8bc554cf481c9a97b5c2613ff2e6155f765b9d

memory/4364-8-0x00000000009A0000-0x0000000000A6A000-memory.dmp

memory/4364-9-0x0000000073472000-0x0000000073473000-memory.dmp

memory/4364-10-0x0000000073470000-0x0000000073A21000-memory.dmp

memory/4364-11-0x0000000073470000-0x0000000073A21000-memory.dmp

memory/5084-15-0x0000000000400000-0x000000000048E000-memory.dmp

memory/5084-16-0x0000000000400000-0x000000000048E000-memory.dmp

memory/5084-17-0x0000000000400000-0x000000000048E000-memory.dmp

memory/5084-22-0x0000000000400000-0x000000000048E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpA7F8.tmp

MD5 b0cc2e6f2d8036c9b5fef218736fa9c9
SHA1 64fd3017625979c95ba09d7cbea201010a82f73f
SHA256 997aceeb78143e057d4ea0ed699db3cc1c723f699b4532663b7b85c83baa5c50
SHA512 a1fe80b2971c4d1141a594f27eaea61500bf701cd1b8fbdb5ac2204a63c8ef862344f8c30f65ce769f0acf2b0718ed33a02744dd1a152c4a62a5318333d29b9b

memory/4292-26-0x0000000000400000-0x0000000000491000-memory.dmp

memory/4292-29-0x0000000000400000-0x0000000000491000-memory.dmp

memory/4292-28-0x0000000000400000-0x0000000000491000-memory.dmp

memory/4292-33-0x0000000000400000-0x0000000000491000-memory.dmp

memory/1376-36-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpAA99.tmp

MD5 de4e5ff058882957cf8a3b5f839a031f
SHA1 0b3d8279120fb5fa27efbd9eee89695aa040fc24
SHA256 ef54f46b9f1e342fc12e035ae94f57c61ea4e8be4e116f0a1c6f86310f400f49
SHA512 a6b0d557e9eec4e56630e5ba64495df318f4fd959fffbdcbf77831185b067906917c9117a0ecd6ac817c7860d5d831cce15820d715657d81e2d817d9fab9fb72

memory/1376-37-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1376-39-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpAAF7.tmp

MD5 3525ea58bba48993ea0d01b65ea71381
SHA1 1b917678fdd969e5ee5916e5899e7c75a979cf4d
SHA256 681bcee53cf679ac674e700136f9229b9184fe60ed6410dbd7a33d462ed13ae2
SHA512 5aad8dca43ec85882daf50c469bd04dcf0b62affc8bc605b3e289496a2679d4d548fea8bb0aea7080bbfbcdcab9d275fc6797b9c95b64f9f97ecf79583a83986

C:\ProgramData\winmgr119.exe

MD5 c2026ee678c9dbb2012ee7e8e97ff766
SHA1 a68abc487117a376238c1e8b33e505dc1fa1d609
SHA256 a27911937a5867c716e83c7751537cbc85e7d32d122bd8ba362a526baa3d9a06
SHA512 96f97b1639122953eb422655d7084d5650a4c22fe907507b3e0dd1b1cbd2346cace01e3250b37d67ed72c0223287f2e71ff1e1c92c10427a53638293e878a0a9

memory/4364-48-0x0000000073472000-0x0000000073473000-memory.dmp

memory/4364-49-0x0000000073470000-0x0000000073A21000-memory.dmp

C:\ProgramData\khaxFMfI\2c945db753d341ef9b0f02d75d493749

MD5 ecd43d04f2aea3d11b53e69b02484b7c
SHA1 fee832b2fd399614449884c40cf8e5bca953cc30
SHA256 59fdeaced9b5129008b16d99e2862d71befe6eb989328482ce39b3e2e04fbf18
SHA512 416951101a44242e0f827a26a915e2fb8510a7249124fc0778f3d70da203c32630501947fdec22ff4bc043fbc1be198c3b36536902768fb90e600640b9bb2b0a