Malware Analysis Report

2024-09-09 13:22

Sample ID 240613-kf67ba1eka
Target 6d21ea703659409cdfe182ee808c6210_NeikiAnalytics.exe
SHA256 96df69ec34e0de1462cc29f66103c6eb095b6549cc0975131cff3a86746249f4
Tags collection discovery persistence spyware stealer upx
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 6d21ea703659409cdfe182ee808c6210_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

collection discovery persistence spyware stealer upx

Executes dropped EXE

UPX packed file

Reads local data of messenger clients

Reads user/profile data of web browsers

Loads dropped DLL

Looks up external IP address via web service

Adds Run key to start application

Accesses Microsoft Outlook accounts

Checks installed software on the system

AutoIT Executable

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

NTFS ADS

Analysis: static1

Detonation Overview

Reported 2024-06-13 08:33

Signatures

AutoIT Executable

Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-13 08:33
Reported 2024-06-13 08:36
Platform win10v2004-20240611-en
Max time kernel 149s
Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6d21ea703659409cdfe182ee808c6210_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\winmgr119.exe N/A
N/A N/A C:\ProgramData\winmgr119.exe N/A

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe" C:\Users\Admin\AppData\Local\Temp\6d21ea703659409cdfe182ee808c6210_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe" C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A
N/A ipinfo.io N/A N/A

AutoIT Executable

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\6d21ea703659409cdfe182ee808c6210_NeikiAnalytics.exe:Zone.Identifier:$DATA C:\Users\Admin\AppData\Local\Temp\6d21ea703659409cdfe182ee808c6210_NeikiAnalytics.exe N/A
File created C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe:Zone.Identifier:$DATA C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
File created C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA C:\ProgramData\winmgr119.exe N/A
File opened for modification C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA C:\ProgramData\winmgr119.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6d21ea703659409cdfe182ee808c6210_NeikiAnalytics.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\ProgramData\winmgr119.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1272 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\6d21ea703659409cdfe182ee808c6210_NeikiAnalytics.exe C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
PID 1868 wrote to memory of 1392 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1868 wrote to memory of 4828 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1392 wrote to memory of 5016 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1392 wrote to memory of 4564 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1392 wrote to memory of 2152 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1868 wrote to memory of 4496 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1868 wrote to memory of 3396 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1868 wrote to memory of 2104 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1868 wrote to memory of 2064 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1868 wrote to memory of 4508 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1868 wrote to memory of 4616 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1868 wrote to memory of 4492 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1868 wrote to memory of 5064 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1868 wrote to memory of 3900 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1868 wrote to memory of 2648 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1868 wrote to memory of 4124 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6d21ea703659409cdfe182ee808c6210_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\6d21ea703659409cdfe182ee808c6210_NeikiAnalytics.exe"

C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe

C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

0

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpC072.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpC0C2.tmp"

C:\ProgramData\winmgr119.exe

C:\ProgramData\winmgr119.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.185.241:80 icanhazip.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:80 ipinfo.io tcp
US 8.8.8.8:53 smtp.mail.me.com udp
US 17.57.155.28:587 smtp.mail.me.com tcp
US 8.8.8.8:53 241.185.16.104.in-addr.arpa udp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 28.155.57.17.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 216.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp

Files

C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe

MD5 ab66cecca191c87dc73f4392aeb386a4
SHA1 281b25ee73f54e63d92bca17452909e02fce17d5
SHA256 48752764d3d4d7b5810df52c55e2420358b684aab20d1d27c792063748f61731
SHA512 6dff3dfb485a574e7434e5a1862a83ee346a74c874938a36ae0b313ceabd8af09ea94b08f4e0ff1a6423967cc61cd6838a1f2c54a64cd12fae33eab7fe2c745c

C:\Users\Admin\AppData\Local\Temp\tmpBD83.tmp

MD5 b0cc2e6f2d8036c9b5fef218736fa9c9
SHA1 64fd3017625979c95ba09d7cbea201010a82f73f
SHA256 997aceeb78143e057d4ea0ed699db3cc1c723f699b4532663b7b85c83baa5c50
SHA512 a1fe80b2971c4d1141a594f27eaea61500bf701cd1b8fbdb5ac2204a63c8ef862344f8c30f65ce769f0acf2b0718ed33a02744dd1a152c4a62a5318333d29b9b

C:\Users\Admin\AppData\Local\Temp\tmpC072.tmp

MD5 de4e5ff058882957cf8a3b5f839a031f
SHA1 0b3d8279120fb5fa27efbd9eee89695aa040fc24
SHA256 ef54f46b9f1e342fc12e035ae94f57c61ea4e8be4e116f0a1c6f86310f400f49
SHA512 a6b0d557e9eec4e56630e5ba64495df318f4fd959fffbdcbf77831185b067906917c9117a0ecd6ac817c7860d5d831cce15820d715657d81e2d817d9fab9fb72

C:\Users\Admin\AppData\Local\Temp\tmpC0C2.tmp

MD5 3525ea58bba48993ea0d01b65ea71381
SHA1 1b917678fdd969e5ee5916e5899e7c75a979cf4d
SHA256 681bcee53cf679ac674e700136f9229b9184fe60ed6410dbd7a33d462ed13ae2
SHA512 5aad8dca43ec85882daf50c469bd04dcf0b62affc8bc605b3e289496a2679d4d548fea8bb0aea7080bbfbcdcab9d275fc6797b9c95b64f9f97ecf79583a83986

C:\ProgramData\winmgr119.exe

MD5 88509f1d2d5f75546a06838b5332c6e8
SHA1 834f04b4bb56298cd0186f314de604d8095efbac
SHA256 957de8988e72b3fe0a2b7c79af453751ed334f02b3a7f761e271d2f35571b8f0
SHA512 cccee08e6fa5d5e476bbdd7501d7bc79dd762e18f52c87187ec907e23d2be0a90f9e8af552ac97c68f2087f23f22a9702d1dd99b0001788412d5fb9c364941bf

C:\ProgramData\khaxFMfI\2c945db753d341ef9b0f02d75d493749

MD5 ac4e990b7bb3e887fd791b4bdde09992
SHA1 53c6baf2aaf0dda5fb23fdf0487e978965a05bc7
SHA256 ca32e79dabad2b5af610b84e207d6a0028e21e77b4bfd51d98e314082bd9d003
SHA512 94543998426ae91474c21c3497ea8d7c903aacb83a6eea35eafc986055f63885c566a3f440c39754ef688a9f21a1fb5b7827cd5409d48b6b15e057b2e07252d0

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-13 08:33
Reported 2024-06-13 08:36
Platform win7-20240508-en
Max time kernel 148s
Max time network 137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6d21ea703659409cdfe182ee808c6210_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\winmgr119.exe N/A
N/A N/A C:\ProgramData\winmgr119.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6d21ea703659409cdfe182ee808c6210_NeikiAnalytics.exe N/A

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe" C:\Users\Admin\AppData\Local\Temp\6d21ea703659409cdfe182ee808c6210_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe" C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A bot.whatismyipaddress.com N/A N/A

AutoIT Executable

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\6d21ea703659409cdfe182ee808c6210_NeikiAnalytics.exe:Zone.Identifier:$DATA C:\Users\Admin\AppData\Local\Temp\6d21ea703659409cdfe182ee808c6210_NeikiAnalytics.exe N/A
File created C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe:Zone.Identifier:$DATA C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
File created C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA C:\ProgramData\winmgr119.exe N/A
File opened for modification C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA C:\ProgramData\winmgr119.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6d21ea703659409cdfe182ee808c6210_NeikiAnalytics.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\winmgr119.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1924 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\6d21ea703659409cdfe182ee808c6210_NeikiAnalytics.exe C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
PID 1924 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\6d21ea703659409cdfe182ee808c6210_NeikiAnalytics.exe C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
PID 1924 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\6d21ea703659409cdfe182ee808c6210_NeikiAnalytics.exe C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
PID 1924 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\6d21ea703659409cdfe182ee808c6210_NeikiAnalytics.exe C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
PID 2560 wrote to memory of 3004 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2560 wrote to memory of 3004 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2560 wrote to memory of 3004 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2560 wrote to memory of 3004 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2560 wrote to memory of 3004 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2560 wrote to memory of 3004 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2560 wrote to memory of 3004 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2560 wrote to memory of 3004 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2560 wrote to memory of 3004 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2560 wrote to memory of 2484 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 2484 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 2484 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 2484 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 2016 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 2016 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 2016 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 2016 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 2900 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 2900 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 2900 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 2900 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 1496 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 1496 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 1496 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 1496 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 1460 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 1460 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 1460 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 1460 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 2748 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 2748 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 2748 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 2748 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 2108 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 2108 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 2108 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 2108 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 1720 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 1720 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 1720 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 1720 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 1132 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 1132 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 1132 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 1132 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 1324 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 1324 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 1324 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 1324 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 2912 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 2912 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 2912 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 2912 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2176 wrote to memory of 1196 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\winmgr119.exe
PID 2176 wrote to memory of 1196 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\winmgr119.exe
PID 2176 wrote to memory of 1196 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\winmgr119.exe
PID 2176 wrote to memory of 1196 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\winmgr119.exe
PID 2560 wrote to memory of 2064 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 2064 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 2064 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
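The table above is a per-call log: the sandbox prints the same row once for every WriteProcessMemory call, so the write target and the number of writes are what separate ordinary child creation (a few writes into every new child, where the creating process copies the child's startup parameters in) from the injection into RegAsm.exe. The script below is an added example, not sandbox code or part of the sample: it collapses the rows into one parent-to-child edge each, counts writes, and tags the edges. The row text is taken from this report; the user-writable path list, the .NET host list and the four-write baseline are assumptions read off this table, not published thresholds.

```python
"""Collapse the sandbox's "Suspicious use of WriteProcessMemory" rows into a
parent -> child write graph and tag the edges that look like code injection.
Added example, not sandbox code: the row format is the one printed in this
report; USER_WRITABLE, DOTNET_HOSTS and CREATEPROCESS_BASELINE are assumptions."""
import re
from ntpath import basename

ROW = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \S+ (?P<src_path>\S+) (?P<dst_path>\S+)$")

# Paths an unprivileged user can write to (assumed list).
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")
# Microsoft .NET utilities that crypters commonly hollow (assumed list).
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe",
                "applaunch.exe", "vbc.exe", "csc.exe"}
# Writes the sandbox logged for every ordinary child in this report (the parent
# copies the child's startup parameters in); an assumption taken from the table.
CREATEPROCESS_BASELINE = 4

# Constructed input: the report's rows as (repeat count, row text); the sandbox
# prints each row once per call, the count reproduces that repetition.
SAMPLE_ROWS = [
    (4, r"PID 1924 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\6d21ea703659409cdfe182ee808c6210_NeikiAnalytics.exe C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe"),
    (9, r"PID 2560 wrote to memory of 3004 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"),
    (4, r"PID 2560 wrote to memory of 2484 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe"),
    (4, r"PID 2176 wrote to memory of 1196 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\winmgr119.exe"),
]


def parse_rows(rows):
    """One edge per (src_pid, dst_pid) with the total number of writes."""
    edges = {}
    for count, line in rows:
        m = ROW.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        key = (int(m["src"]), int(m["dst"]))
        edge = edges.setdefault(key, {"src_path": m["src_path"],
                                      "dst_path": m["dst_path"], "writes": 0})
        edge["writes"] += count
    return edges


def in_user_writable(path):
    return any(p in path.lower() for p in USER_WRITABLE)


def classify(edge):
    """Tags for one edge; 'hollowing_candidate' needs both a parent from a
    user-writable path and a Microsoft .NET host as the write target."""
    src, dst = edge["src_path"], edge["dst_path"]
    tags = set()
    if in_user_writable(src):
        tags.add("writable_parent")
    if basename(dst).lower() in DOTNET_HOSTS and "\\windows\\" in dst.lower():
        tags.add("dotnet_host_target")
    if edge["writes"] > CREATEPROCESS_BASELINE:
        tags.add("excess_writes")          # more than plain child creation needs
    if basename(src).lower() == "taskeng.exe" and in_user_writable(dst):
        tags.add("scheduled_task_launch")  # task scheduler starting a payload
    if {"writable_parent", "dotnet_host_target"} <= tags:
        tags.add("hollowing_candidate")
    return tags


def descendants(edges, root):
    """PIDs reachable from root by following write edges, sorted."""
    seen, stack = set(), [root]
    while stack:
        pid = stack.pop()
        for src, dst in edges:
            if src == pid and dst not in seen:
                seen.add(dst)
                stack.append(dst)
    return sorted(seen)


def report(rows):
    return {key: {"target": basename(e["dst_path"]), "writes": e["writes"],
                  "tags": sorted(classify(e))} for key, e in parse_rows(rows).items()}


if __name__ == "__main__":
    for (src, dst), info in report(SAMPLE_ROWS).items():
        print(f"{src} -> {dst} {info['target']:<14} writes={info['writes']:<2} {' '.join(info['tags'])}")
    print("reachable from 1924:", descendants(parse_rows(SAMPLE_ROWS), 1924))
```

On this report's rows the chain is 1924 -> 2560 -> 3004, and the 2560 -> 3004 edge into RegAsm.exe is the only one carrying more writes than a plain child creation; the schtasks.exe children share the same writable parent but never exceed the baseline, so the parent path alone is not enough to call an edge injection.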

Processes

C:\Users\Admin\AppData\Local\Temp\6d21ea703659409cdfe182ee808c6210_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\6d21ea703659409cdfe182ee808c6210_NeikiAnalytics.exe"

C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe

C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

0

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\system32\taskeng.exe

taskeng.exe {1DA55215-76CA-433C-84AB-54C0B29360F4} S-1-5-21-2737914667-933161113-3798636211-1000:PUMARTNR\Admin:Interactive:[1]

C:\ProgramData\winmgr119.exe

C:\ProgramData\winmgr119.exe

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp49FB.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp4AB7.tmp"

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp5EC5.tmp"

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\ProgramData\winmgr119.exe

C:\ProgramData\winmgr119.exe

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
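The process list above repeats one command line many times: schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f, issued by a parent running out of C:\ProgramData. The script below is an added example, not the sandbox's signature logic, that scores process-creation events for exactly that pattern. The events are constructed: the first copies this report's command line and parent, the others are benign look-alikes for contrast; the user-writable path list and the five-minute threshold are assumptions.

```python
"""Score schtasks.exe /create command lines for the persistence pattern in the
process list above.  Added example, not the sandbox's signature logic; the
events are constructed (the first from this report, the rest benign
look-alikes) and USER_WRITABLE / MAX_BENIGN_MINUTES are assumptions."""
from ntpath import basename

USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")
MAX_BENIGN_MINUTES = 5   # assumed: a /sc minute task firing this often is rarely legitimate

# Constructed process-creation events (Sysmon-style fields).  The first is the
# report's own command line and parent; the others are benign look-alikes.
SAMPLE_EVENTS = [
    {"id": "report-winmgr119",
     "parent_image": r"C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe",
     "command_line": r'C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f'},
    {"id": "benign-update",
     "parent_image": r"C:\Program Files\Contoso\Updater.exe",
     "command_line": r'C:\Windows\System32\schtasks.exe /create /sc daily /tn "ContosoUpdateCheck" /tr "C:\Program Files\Contoso\Updater.exe /check"'},
    {"id": "query-only",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'C:\Windows\System32\schtasks.exe /query /tn "winmgr119.exe"'},
    {"id": "logon-appdata",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'C:\Windows\System32\schtasks.exe /create /sc onlogon /tn "Backup" /tr "C:\Users\Admin\AppData\Roaming\backup\sync.exe"'},
]


def split_windows_args(cmd):
    """Minimal Windows command-line tokenizer: whitespace splits, double
    quotes group (shlex in POSIX mode would eat the backslashes in paths)."""
    args, cur, quoted = [], [], False
    for ch in cmd:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def parse_schtasks(cmd):
    """Switches of a schtasks.exe invocation, or None unless it is a /create."""
    args = split_windows_args(cmd)
    if not args or basename(args[0]).lower() != "schtasks.exe":
        return None
    opts, i = {}, 1
    while i < len(args):
        tok = args[i].lower()
        if tok.startswith("/") and i + 1 < len(args) and not args[i + 1].startswith("/"):
            opts[tok] = args[i + 1]       # switch with a value, e.g. /tr <path>
            i += 2
            continue
        if tok.startswith("/"):
            opts[tok] = True              # bare switch, e.g. /f
        i += 1
    return opts if "/create" in opts else None


def in_user_writable(path):
    return any(p in path.lower() for p in USER_WRITABLE)


def assess_task_creation(event):
    """Reasons the event looks like malware persistence; empty list if none."""
    opts = parse_schtasks(event["command_line"])
    if opts is None:
        return []
    reasons = []
    try:
        interval = int(opts.get("/mo", 1))
    except ValueError:
        interval = 1
    if str(opts.get("/sc", "")).lower() == "minute" and interval <= MAX_BENIGN_MINUTES:
        reasons.append("high_frequency")
    if in_user_writable(str(opts.get("/tr", ""))):
        reasons.append("writable_target")       # payload lives where the user can write
    if in_user_writable(event["parent_image"]):
        reasons.append("writable_parent")       # registered by a binary from such a path
    if str(opts.get("/tn", "")).lower().endswith(".exe"):
        reasons.append("task_name_is_exe")      # task named after its own binary
    return reasons


def severity(reasons):
    if ("high_frequency" in reasons and "writable_target" in reasons) or len(reasons) >= 3:
        return "high"
    return "medium" if reasons else "none"


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        reasons = assess_task_creation(event)
        print(f"{event['id']:<18} {severity(reasons):<6} {', '.join(reasons)}")
```

The /f switch only suppresses the "task already exists" prompt, which is why the sample can re-issue the identical command on every run without error; it is not a signal on its own, so the scorer ignores it and keys on the one-minute interval, the ProgramData target and the ProgramData parent instead.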

Network

Country Destination Domain Proto
US 8.8.8.8:53 icanhazip.com udp
US 8.8.8.8:53 ipinfo.io udp
US 8.8.8.8:53 curlmyip.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 smtp.mail.me.com udp
US 8.8.8.8:53 smtp.mail.me.com udp
US 8.8.8.8:53 smtp.mail.me.com udp
US 8.8.8.8:53 smtp.mail.me.com udp
US 8.8.8.8:53 smtp.mail.me.com udp
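The Network table shows the order of events that matters for detection: four external-IP lookup services are resolved first, then smtp.mail.me.com repeatedly, which is the footprint of a stealer learning the victim's public address before mailing the collected data out. The script below is an added example, not sandbox output, that correlates that sequence per client over DNS log lines. The log lines are constructed (the 10.0.0.5 entries mirror this report's queries; the other clients are contrast cases); the lookup-service names beyond the four on this page, the SMTP name heuristic, the ten-minute window and the resolver allow-list are assumptions.

```python
"""Correlate the DNS pattern in the Network table above: several external-IP
lookup services resolved by one host shortly before an SMTP submission host.
Added example, not sandbox output; the log lines are constructed (the
10.0.0.5 entries mirror this report's queries), and IP_LOOKUP_SERVICES beyond
the four names on this page, the SMTP-name heuristic, the window and the
resolver allow-list are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Names seen on this page plus a few other common lookup services (assumed).
IP_LOOKUP_SERVICES = {
    "icanhazip.com", "ipinfo.io", "curlmyip.com", "bot.whatismyipaddress.com",
    "api.ipify.org", "checkip.amazonaws.com", "checkip.dyndns.org", "ifconfig.me",
}
CORRELATION_WINDOW = timedelta(minutes=10)   # assumed

# Constructed log: "<utc timestamp> <client> <resolver> <qname>" per line.
DNS_LOG = """\
2024-06-13T08:34:01Z 10.0.0.5 8.8.8.8 icanhazip.com
2024-06-13T08:34:01Z 10.0.0.5 8.8.8.8 ipinfo.io
2024-06-13T08:34:02Z 10.0.0.5 8.8.8.8 curlmyip.com
2024-06-13T08:34:02Z 10.0.0.5 8.8.8.8 bot.whatismyipaddress.com
2024-06-13T08:34:05Z 10.0.0.5 8.8.8.8 smtp.mail.me.com
2024-06-13T08:34:06Z 10.0.0.5 8.8.8.8 smtp.mail.me.com
2024-06-13T08:30:00Z 10.0.0.7 10.0.0.2 ipinfo.io
2024-06-13T09:10:00Z 10.0.0.7 10.0.0.2 smtp.office365.com
2024-06-13T08:40:00Z 10.0.0.9 10.0.0.2 www.microsoft.com
"""


def parse_dns_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, resolver, qname = line.split()
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        "client": client, "resolver": resolver, "qname": qname.lower()})
    return records


def is_smtp_host(qname):
    """Name-based guess at a mail submission host (assumed heuristic)."""
    return qname.startswith(("smtp.", "smtp-", "smtpout.", "mail."))


def correlate(records, window=CORRELATION_WINDOW):
    """Per client: external-IP lookups followed within `window` by an SMTP name."""
    by_client = defaultdict(list)
    for rec in records:
        by_client[rec["client"]].append(rec)
    hits = {}
    for client, recs in by_client.items():
        lookups = [r for r in recs if r["qname"] in IP_LOOKUP_SERVICES]
        smtps = [r for r in recs if is_smtp_host(r["qname"])]
        found = [{"lookup": l["qname"], "smtp": s["qname"],
                  "delta_s": int((s["ts"] - l["ts"]).total_seconds())}
                 for l in lookups for s in smtps
                 if timedelta(0) <= s["ts"] - l["ts"] <= window]
        if found:
            hits[client] = found
    return hits


def rogue_resolvers(records, allowed):
    """Clients sending DNS to a resolver outside the organisation's allow-list."""
    out = defaultdict(set)
    for rec in records:
        if rec["resolver"] not in allowed:
            out[rec["client"]].add(rec["resolver"])
    return dict(out)


if __name__ == "__main__":
    recs = parse_dns_log(DNS_LOG)
    for client, found in correlate(recs).items():
        for f in found:
            print(f"{client}: {f['lookup']} then {f['smtp']} after {f['delta_s']}s")
    print("rogue resolvers:", rogue_resolvers(recs, {"10.0.0.2"}))
```

The time window is what keeps this usable: a single ipinfo.io lookup forty minutes before a mail client resolves its provider's SMTP host (client 10.0.0.7 in the constructed log) is not a hit, while the same names seconds apart are. The resolver check is a separate finding; in a sandbox 8.8.8.8 is simply the configured resolver, but on a managed network an endpoint talking to a public resolver directly is worth its own alert.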

Files

\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe

MD5 d0e279236b6d7026a78eb4b058b32745
SHA1 152c08dea04cec3c50498e1ee522bc5507492fa3
SHA256 22d7a5ff1c187ff1f1265a77b812a6a95d5cd9958f4ef9443bdd68d5de6d3f1d
SHA512 e285da37019da0efe2891dd17eba337cdfb12fb1879f259885088c5fc73f25688df548972476dc683ca57ea700eb8e2566a001bc84da1e22a4edd2fb051db52e

C:\ProgramData\winmgr119.exe

MD5 0aaed672ddf5abd14ec3e8c506d34d10
SHA1 6563dd926cf277ec963471ffdf9efb5bf48c23f0
SHA256 d9a1071522ccfe556c3b89c7c847a2c2ceb91b478716cac1044d7c2f335aa690
SHA512 f9f1cfacc8792eb3a0387e789e1eab4d3e871cd82583618d6deddc0308944edcf5a060d822a3aba263c4b761ccefce735205c2ba82ab9a33e36ab5ec39bcc103

memory/3004-10-0x0000000000090000-0x000000000015A000-memory.dmp

memory/3004-13-0x0000000000090000-0x000000000015A000-memory.dmp

memory/3004-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3004-15-0x0000000000090000-0x000000000015A000-memory.dmp

memory/3004-17-0x0000000000090000-0x000000000015A000-memory.dmp

memory/3004-18-0x00000000744D2000-0x00000000744D4000-memory.dmp

memory/3004-19-0x00000000744D2000-0x00000000744D4000-memory.dmp

memory/2812-26-0x0000000000400000-0x000000000048E000-memory.dmp

memory/2812-28-0x0000000000400000-0x000000000048E000-memory.dmp

memory/2812-27-0x0000000000400000-0x000000000048E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp49FB.tmp

MD5 e4bf4f7accc657622fe419c0d62419ab
SHA1 c2856936dd3de05bad0da5ca94d6b521e40ab5a2
SHA256 b32fa68b79c5a7ceaa89e8e537efe33a963c499666202611329944bd2c09318e
SHA512 85dc223e39a16ddeba53a4b3d6c9eff14d30ec67dfda1e650da2c9057f640edd033a31868915a31caac0d325d240a7f634f62cd52fbd2adc68bd1d9cb6281431

memory/2812-35-0x0000000000400000-0x000000000048E000-memory.dmp

memory/2068-38-0x0000000000400000-0x0000000000491000-memory.dmp

memory/2068-39-0x0000000000400000-0x0000000000491000-memory.dmp

memory/2068-40-0x0000000000400000-0x0000000000491000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4AB7.tmp

MD5 de4e5ff058882957cf8a3b5f839a031f
SHA1 0b3d8279120fb5fa27efbd9eee89695aa040fc24
SHA256 ef54f46b9f1e342fc12e035ae94f57c61ea4e8be4e116f0a1c6f86310f400f49
SHA512 a6b0d557e9eec4e56630e5ba64495df318f4fd959fffbdcbf77831185b067906917c9117a0ecd6ac817c7860d5d831cce15820d715657d81e2d817d9fab9fb72

memory/2068-44-0x0000000000400000-0x0000000000491000-memory.dmp

memory/1572-47-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1572-48-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1572-50-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5EC5.tmp

MD5 3525ea58bba48993ea0d01b65ea71381
SHA1 1b917678fdd969e5ee5916e5899e7c75a979cf4d
SHA256 681bcee53cf679ac674e700136f9229b9184fe60ed6410dbd7a33d462ed13ae2
SHA512 5aad8dca43ec85882daf50c469bd04dcf0b62affc8bc605b3e289496a2679d4d548fea8bb0aea7080bbfbcdcab9d275fc6797b9c95b64f9f97ecf79583a83986

C:\ProgramData\khaxFMfI\2c945db753d341ef9b0f02d75d493749

MD5 af381f08a587fb76f7ae0da721dcb675
SHA1 cfad3b6a679dd55392ec12fdb5f1f1401b933f31
SHA256 f15467996a852b489ca1cd3c92e1b2abada2703a5bbf35504f4a1850a354a0bd
SHA512 5f537d77a9fa165a06c158009b780535cdba4718a89593aee27547f33342d9b5c5232887d016070c02be838082d08d8362c4dc18db4e0c4426b10dbfde3fd82e