Malware Analysis Report

2024-11-15 05:41

Sample ID 240613-j9seks1bph
Target 6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe
SHA256 363b9c1d79698e5dfe0dbc430a76c424629420fa7d4bf9399df566855acc0e6c
Tags
upx persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

363b9c1d79698e5dfe0dbc430a76c424629420fa7d4bf9399df566855acc0e6c

Threat Level: Likely malicious

The file 6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

upx persistence

Modifies Installed Components in the registry

Checks computer location settings

UPX packed file

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies Internet Explorer start page

Views/modifies file attributes

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 08:22

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 08:22

Reported

2024-06-13 08:25

Platform

win7-20240221-en

Max time kernel

121s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe"

Signatures

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5} C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe" C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\WINDOWS\SysWOW64\ie.bat C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe N/A
File created C:\WINDOWS\SysWOW64\qx.bat C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\WINDOWS\windows.exe C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe N/A
File opened for modification C:\WINDOWS\windows.exe C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe N/A
File opened for modification C:\WINDOWS\windows.exe C:\Windows\SysWOW64\attrib.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value omitted) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{13A732E1-295E-11EF-8414-4A4F109F65B0} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 408151016bbdda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424428818" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000099ee51cc9ba18e4eb359fbbe97a951a100000000020000000000106600000001000020000000da0770658e7e96e94e2e1d50b37a1de17348b51c9afab23017fb4867f1b5b7af000000000e800000000200002000000076c575c441d56c9bc8633edd4f97febe5bbab42753ad2374bc45ed1ffc51ccb520000000a287b4978ec7bed639802aed152cc134f5a89b1ce761a14e11a1441eef8b2dcb400000009050841d4d9eabfcaf17a73617f0413a144060025602f05dd77d739503e3de6ea11a4b42380f25535e294326681a5e01ae3e10a8f096a6c05d2ab9b3d45fcb14 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com" C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3000 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3000 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3000 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3000 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2156 wrote to memory of 2516 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2156 wrote to memory of 2516 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2156 wrote to memory of 2516 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2156 wrote to memory of 2516 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3000 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2720 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2720 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2720 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2720 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3000 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2748 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2748 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2748 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2748 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3000 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2448 wrote to memory of 2588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2448 wrote to memory of 2588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2448 wrote to memory of 2588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2448 wrote to memory of 2588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3000 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2536 wrote to memory of 2428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2536 wrote to memory of 2428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2536 wrote to memory of 2428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3000 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2440 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2440 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2440 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2440 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3000 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 1152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2940 wrote to memory of 1152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2940 wrote to memory of 1152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2940 wrote to memory of 1152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3000 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 1508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2996 wrote to memory of 1508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2996 wrote to memory of 1508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2996 wrote to memory of 1508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2156 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\WINDOWS\windows.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h "c:\system.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.ymtuku.com udp
US 38.14.181.142:80 www.ymtuku.com tcp
US 38.14.181.142:80 www.ymtuku.com tcp
US 38.14.181.142:80 www.ymtuku.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\WINDOWS\windows.exe

C:\system.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 08:22

Reported

2024-06-13 08:25

Platform

win10v2004-20240611-en

Max time kernel

91s

Max time network

112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe"

Signatures

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5} C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe" C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe N/A
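The two rows above are the persistence mechanism. Windows walks HKLM\...\Active Setup\Installed Components at each interactive logon and runs the StubPath of any component the current user's HKCU hive does not yet record, so one HKLM write gets C:\system.exe (hashed under Files below, and hidden with attrib +h in the process list) executed for every user at their next logon. The Wow6432Node path is the registry redirector view a 32-bit process sees on 64-bit Windows. Two cheap hunting indicators fall out of the rows: the component name is not a real GUID (X, J, H, U and R are not hex digits), and the stub program sits at the drive root rather than under Windows or Program Files. The script below is an added example, not part of the sandbox report; it parses registry-event lines in the report's own format and scores StubPath writes on those indicators. The third input row is a constructed, format-valid entry added only for contrast.

```python
import re

# Registry events as the sandbox prints them. The first two rows are copied
# from the Active Setup table above; the third is a constructed, format-valid
# entry (not from the report) included only for contrast.
EVENTS = [
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\StubPath = "C:\\Windows\\System32\\regsvr32.exe /s /n /i:U shell32.dll"',
]

# Legitimate components are registered under real GUIDs: 8-4-4-4-12 hex digits.
GUID_RE = re.compile(
    r'^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$', re.I)

# Matches a StubPath write and captures the component name and the value.
STUBPATH_RE = re.compile(
    r'Active Setup\\Installed Components\\(\{[^}\\]+\})\\StubPath = "(.*)"$', re.I)

# Where a StubPath program is expected to live on a default install.
TRUSTED_DIRS = ('c:\\windows\\', 'c:\\program files\\', 'c:\\program files (x86)\\')


def stub_executable(stubpath: str) -> str:
    """Return the program part of a StubPath command line.

    The sandbox doubles backslashes inside string values, so collapse those
    first; then take the quoted program, or the tokens up to the first one
    ending in .exe, or failing that the first token."""
    cmd = stubpath.replace('\\\\', '\\').strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    parts = cmd.split(' ')
    for i, tok in enumerate(parts):
        if tok.lower().endswith('.exe'):
            return ' '.join(parts[:i + 1])
    return parts[0]


def triage_active_setup(events):
    """One finding per StubPath write, listing why it looks suspicious.
    An empty reasons list means nothing stood out."""
    findings = []
    for line in events:
        m = STUBPATH_RE.search(line)
        if not m:
            continue
        component, stub = m.group(1), m.group(2)
        exe = stub_executable(stub)
        low = exe.lower()
        reasons = []
        if not GUID_RE.match(component):
            reasons.append('component name is not a valid GUID')
        if not low.startswith(TRUSTED_DIRS):
            reasons.append('stub program outside Windows / Program Files')
        if re.fullmatch(r'[a-z]:\\[^\\]+', low):
            reasons.append('stub program sits at the drive root')
        findings.append({'component': component, 'exe': exe, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in triage_active_setup(EVENTS):
        verdict = 'SUSPICIOUS' if f['reasons'] else 'ok'
        print(f"{verdict:10} {f['component']} -> {f['exe']}  {'; '.join(f['reasons'])}")
```

Run against the report's rows, the sample's entry trips all three checks while the constructed regsvr32 entry trips none. On a live host the same logic applies to the output of `reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /s` and its Wow6432Node counterpart; a hit should be paired with the HKCU copy of the key, whose absence tells you the stub has not yet run for that user.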

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\WINDOWS\SysWOW64\ie.bat C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe N/A
File created C:\WINDOWS\SysWOW64\qx.bat C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\WINDOWS\windows.exe C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe N/A
File opened for modification C:\WINDOWS\windows.exe C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe N/A
File opened for modification C:\WINDOWS\windows.exe C:\Windows\SysWOW64\attrib.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425031926" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31112554" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3905864420" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10678df16abdda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f04d99f16abdda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3902583942" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3902583942" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d651e1763920bb4d949d709c9307976a00000000020000000000106600000001000020000000a372e430eaaf73bc7553021c8ea083b765ccfffee093c2e118eed9ff70c3206c000000000e8000000002000020000000cabd7dfdd7d13b51ef20d5420c64eb91767d3ca5d3c4c4cf55d2fe8a6d7c2a3320000000d204789f3441270b92797c6aef047f420f420b2c0f938b280d2fb64ee9db766c40000000abb4543e7081de863852e9ad0a70bffacc340372625df981e1ed70510aba4fb849166e2416ea4c76135289a270ae0f099f927de0a58ce5367cb3e0052568c660 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31112554" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d651e1763920bb4d949d709c9307976a0000000002000000000010660000000100002000000059188ea2ebe4c8491d9be4bcd8992b927d719c0c8e2f005db6686241583d6b57000000000e80000000020000200000009e3b12c01f764f3dd969eff2a670f7ea2eee06938575fd0dca2a964945c7d29120000000c8cc251f9111a477861d5d07787aefad6575c2f8c9af9ec7c9b6f85544f9309e40000000c388722d5a732eccde7f75dd84c3d13d2a9009b8a6371beeb16eb85536fc2f5985c9ca8582ec461b8f4da6c53282199e969cf84e96c6509b7c221cda88a07244 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1433264F-295E-11EF-B1BA-F671300AD8E0} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31112554" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com" C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3756 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3756 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3940 wrote to memory of 3196 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3940 wrote to memory of 3196 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3940 wrote to memory of 3196 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3756 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3756 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3756 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4460 wrote to memory of 4064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4460 wrote to memory of 4064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4460 wrote to memory of 4064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3756 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3756 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3756 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 700 wrote to memory of 4248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 700 wrote to memory of 4248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 700 wrote to memory of 4248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3756 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3756 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3756 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4180 wrote to memory of 5048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4180 wrote to memory of 5048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4180 wrote to memory of 5048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3756 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3756 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3756 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3564 wrote to memory of 2732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3564 wrote to memory of 2732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3564 wrote to memory of 2732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3756 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3756 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3756 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1688 wrote to memory of 1208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1688 wrote to memory of 1208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1688 wrote to memory of 1208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3756 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3756 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3756 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3300 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3300 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3300 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3756 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3756 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3756 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3076 wrote to memory of 656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3076 wrote to memory of 656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3076 wrote to memory of 656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\6c6ffe6dec9996e509c8b17333d1ed50_NeikiAnalytics.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3940 CREDAT:17410 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\WINDOWS\windows.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h "c:\system.exe"
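The seven cmd.exe /c attrib +h pairs above do two different jobs: two of them hide the dropped payloads (C:\WINDOWS\windows.exe and c:\system.exe), and five hide every Internet Explorer shortcut the author could think of (desktop, Quick Launch, Start Menu), which fits the start-page hijack to dhku.com recorded in the signatures. The shortcut paths are a Windows XP profile layout with Chinese folder names (桌面 is Desktop, 「开始」菜单\程序 is Start Menu\Programs, 启动 Internet Explorer 浏览器 is "Launch Internet Explorer Browser"), so the sample was built for a Chinese-locale XP box; on the English Windows 10 image used here those paths do not exist, and the only attrib.exe file modification the report records is the one on windows.exe. The script below is an added example, not part of the sandbox report: it parses the fourteen command lines above, collapses each cmd.exe wrapper and its attrib.exe child into one finding, translates the localized folder names, and classifies what was hidden.

```python
import re
from collections import Counter

# The fourteen cmd.exe / attrib.exe command lines from the process list above,
# gathered into a list for the example.
COMMAND_LINES = [
    r'"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"',
    r'attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"',
    r'"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"',
    r'attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"',
    r'"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"',
    r'attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"',
    r'"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"',
    r'attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"',
    r'"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"',
    r'attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"',
    r'"C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"',
    r'attrib +h "C:\WINDOWS\windows.exe"',
    r'"C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"',
    r'attrib +h "c:\system.exe"',
]

# attrib [+|-][r|a|s|h|o|i] ... <path>; the path is quoted in every line above
# but the unquoted form is accepted too.
ATTRIB_RE = re.compile(
    r'\battrib(?:\.exe)?\s+((?:[+-][rashoi]\s+)+)(?:"([^"]+)"|(\S+))', re.I)

# Localized folder names from a Chinese-locale Windows XP profile, translated
# so the analyst can read the target path.
LOCALIZED = {
    '桌面': 'Desktop',
    '「开始」菜单': 'Start Menu',
    '程序': 'Programs',
    '启动 Internet Explorer 浏览器': 'Launch Internet Explorer Browser',
}


def translate(path: str) -> str:
    for zh, en in LOCALIZED.items():
        path = path.replace(zh, en)
    return path


def classify(path: str) -> str:
    low = path.lower()
    name = low.rsplit('\\', 1)[-1]
    parent = low[:-len(name)]
    if name.endswith('.exe') and (parent == 'c:\\' or parent.startswith('c:\\windows\\')):
        return 'hidden executable in Windows dir or drive root'
    if name.endswith('.lnk') and 'internet explorer' in name:
        return 'hidden Internet Explorer shortcut'
    return 'other'


def summarize(cmdlines):
    """One finding per hidden target; the cmd.exe wrapper and its attrib.exe
    child carry the same command, so they are counted, not duplicated."""
    findings = {}
    for line in cmdlines:
        m = ATTRIB_RE.search(line)
        if not m:
            continue
        flags = tuple(sorted(m.group(1).split()))
        path = m.group(2) or m.group(3)
        key = path.lower()
        f = findings.setdefault(key, {
            'path': path,
            'path_en': translate(path),
            'flags': flags,
            'category': classify(path),
            # XP profile root; the localized folders under it do not exist on
            # the English Windows 10 image, so these attrib calls hide nothing.
            'legacy_xp_path': key.startswith('c:\\documents and settings\\'),
            'command_lines': 0,
        })
        f['command_lines'] += 1
    return list(findings.values())


def category_counts(findings):
    return Counter(f['category'] for f in findings)


if __name__ == '__main__':
    results = summarize(COMMAND_LINES)
    for f in results:
        tag = ' (XP-only path)' if f['legacy_xp_path'] else ''
        print(f"{' '.join(f['flags'])}  {f['category']:45} {f['path_en']}{tag}")
    print(dict(category_counts(results)))
```

For detection engineering the useful part is the shape, not this sample's paths: a parent process spawning cmd.exe /c attrib +h against an .exe it just wrote under C:\Windows or the drive root is a reliable signal on its own, and the same parser works over Sysmon event 1 or EDR command-line telemetry.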

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.ymtuku.com udp
US 38.14.181.142:80 www.ymtuku.com tcp
US 38.14.181.142:80 www.ymtuku.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 131.253.33.237:443 g.bing.com tcp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.33.253.131.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 38.14.181.142:80 www.ymtuku.com tcp
US 8.8.8.8:53 www.ymtuku.com udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/3756-0-0x0000000000400000-0x000000000043A000-memory.dmp

C:\WINDOWS\windows.exe

MD5 e706b502a0445b3694684f6db39fd01f
SHA1 b376b23f044d1fb699a4852c0fdc2dd6309a9c4f
SHA256 a7853828680ff3550c3b6c556ae5c3fb6caab68126658f3883599592b723159b
SHA512 a0a17de6bdabbf4d939e4acf073938496e4128b11face1046d4da7cddcfa06388eb540563831205b8182d96be67fcb39b617d2057ab093879ac61c757ebfa811

C:\system.exe

MD5 c87c9b1345356d243ff802b454e2c9a3
SHA1 0a52667ad3290bc50d851245606882b9b10e144a
SHA256 ca01a3cdfa36a3ca0e9d2c5924ef3f946f2087b9ec4b8837e9f5051a3814d593
SHA512 b126709cb35297c06c37be9592185fb9549716298af430d3a9717a7cfe5a8f543d7aed5c03fda7be8b0e598b40fc4d603f8e33cda3fe7fe0bc545c541ebc7418

memory/3756-17-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V54QW64X\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee