Malware Analysis Report

2024-09-09 12:56

Sample ID 240614-glywcaxdnc
Target a7729d3b05f874399ebbb6e5bf026f10_NeikiAnalytics.exe
SHA256 65820acb2aed10b813ebdadf051c0d21b6a31b229fb0259e867d7e149336587f
Tags
collection discovery persistence spyware stealer upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

65820acb2aed10b813ebdadf051c0d21b6a31b229fb0259e867d7e149336587f

Threat Level: Shows suspicious behavior

The file a7729d3b05f874399ebbb6e5bf026f10_NeikiAnalytics.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

collection discovery persistence spyware stealer upx

UPX packed file

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Reads local data of messenger clients

Looks up external IP address via web service

Accesses Microsoft Outlook accounts

Adds Run key to start application

Checks installed software on the system

Suspicious use of SetThreadContext

AutoIT Executable

Unsigned PE

Enumerates physical storage devices

NTFS ADS

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 05:54

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 05:54

Reported

2024-06-14 05:56

Platform

win7-20240508-en

Max time kernel

145s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7729d3b05f874399ebbb6e5bf026f10_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\winmgr119.exe N/A
N/A N/A C:\ProgramData\winmgr119.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7729d3b05f874399ebbb6e5bf026f10_NeikiAnalytics.exe N/A

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe" C:\Users\Admin\AppData\Local\Temp\a7729d3b05f874399ebbb6e5bf026f10_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe" C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A bot.whatismyipaddress.com N/A N/A
N/A icanhazip.com N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File created C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA C:\ProgramData\winmgr119.exe N/A
File opened for modification C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA C:\ProgramData\winmgr119.exe N/A
File created C:\Users\Admin\AppData\Local\Temp\a7729d3b05f874399ebbb6e5bf026f10_NeikiAnalytics.exe:Zone.Identifier:$DATA C:\Users\Admin\AppData\Local\Temp\a7729d3b05f874399ebbb6e5bf026f10_NeikiAnalytics.exe N/A
File created C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe:Zone.Identifier:$DATA C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7729d3b05f874399ebbb6e5bf026f10_NeikiAnalytics.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\winmgr119.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\ProgramData\winmgr119.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3008 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\a7729d3b05f874399ebbb6e5bf026f10_NeikiAnalytics.exe C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
PID 3008 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\a7729d3b05f874399ebbb6e5bf026f10_NeikiAnalytics.exe C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
PID 3008 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\a7729d3b05f874399ebbb6e5bf026f10_NeikiAnalytics.exe C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
PID 3008 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\a7729d3b05f874399ebbb6e5bf026f10_NeikiAnalytics.exe C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
PID 2600 wrote to memory of 2832 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2600 wrote to memory of 2832 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2600 wrote to memory of 2832 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2600 wrote to memory of 2832 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2600 wrote to memory of 2832 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2600 wrote to memory of 2832 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2600 wrote to memory of 2832 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2600 wrote to memory of 2832 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2600 wrote to memory of 2832 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2600 wrote to memory of 2676 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 2676 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 2676 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 2676 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 2444 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 2444 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 2444 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 2444 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 2572 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 2572 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 2572 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 2572 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 2164 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 2164 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 2164 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 2164 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 352 wrote to memory of 1636 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\winmgr119.exe
PID 352 wrote to memory of 1636 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\winmgr119.exe
PID 352 wrote to memory of 1636 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\winmgr119.exe
PID 352 wrote to memory of 1636 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\winmgr119.exe
PID 2600 wrote to memory of 2764 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 2764 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 2764 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 2764 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 1232 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 1232 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 1232 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 1232 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 676 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 676 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 676 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 676 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 1296 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 1296 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 1296 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 1296 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 688 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 688 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 688 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 688 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 624 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 624 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 624 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 624 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 1616 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 1616 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 1616 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 1616 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 2280 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 2280 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2600 wrote to memory of 2280 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a7729d3b05f874399ebbb6e5bf026f10_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a7729d3b05f874399ebbb6e5bf026f10_NeikiAnalytics.exe"

C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe

C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

0

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\system32\taskeng.exe

taskeng.exe {A4A6A060-AC78-4E64-81F3-1AA991EAF594} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]

C:\ProgramData\winmgr119.exe

C:\ProgramData\winmgr119.exe

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp5792.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp586E.tmp"

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp6C7B.tmp"

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\ProgramData\winmgr119.exe

C:\ProgramData\winmgr119.exe

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 icanhazip.com udp
US 8.8.8.8:53 ipinfo.io udp
US 8.8.8.8:53 curlmyip.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 smtp.mail.me.com udp
US 8.8.8.8:53 smtp.mail.me.com udp
US 8.8.8.8:53 smtp.mail.me.com udp
US 8.8.8.8:53 smtp.mail.me.com udp
US 8.8.8.8:53 smtp.mail.me.com udp

Files

\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe

MD5 470dd23412df622fbfe64fbfc9fbe5c7
SHA1 f93b7ef0ae40bbbfe88fd4d8874167524a36ba7b
SHA256 4a07525743699ab30a2838691a9b6dffa983fbc6f692298a5339db10d6381d2b
SHA512 4f83549dbbfb328d5490bf3096f5e6407f0ae86afb6f988ff597fd2176870263d93febf869405378f0be3bccff3ff8ab11e4d9fc2e9a3634daffd1cece4c4f6c

C:\ProgramData\winmgr119.exe

MD5 355deb7f78a12487a6418c575bf665e1
SHA1 10367e46fcc1c476a157d8c381de1172ba2f7e34
SHA256 c896c116e852db96bec58ddbd331af4aef9039ffab6c6990a22db0cd6545beb6
SHA512 8a20fcb5d7c9022ece6162a62e0c4a7dc2b20ce6f356b30774defe6d176541c27082f013980c13eb0e9ec1e54d4868f5430fc159428a56b477660487a69d1fd3

memory/2832-17-0x0000000000150000-0x000000000021A000-memory.dmp

memory/2832-15-0x0000000000150000-0x000000000021A000-memory.dmp

memory/2832-13-0x0000000000150000-0x000000000021A000-memory.dmp

memory/2832-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2832-10-0x0000000000150000-0x000000000021A000-memory.dmp

memory/2832-18-0x0000000073CC2000-0x0000000073CC4000-memory.dmp

memory/2832-21-0x0000000073CC2000-0x0000000073CC4000-memory.dmp

memory/1084-26-0x0000000000400000-0x000000000048E000-memory.dmp

memory/1084-27-0x0000000000400000-0x000000000048E000-memory.dmp

memory/1084-28-0x0000000000400000-0x000000000048E000-memory.dmp

memory/1084-33-0x0000000000400000-0x000000000048E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5792.tmp

MD5 e4bf4f7accc657622fe419c0d62419ab
SHA1 c2856936dd3de05bad0da5ca94d6b521e40ab5a2
SHA256 b32fa68b79c5a7ceaa89e8e537efe33a963c499666202611329944bd2c09318e
SHA512 85dc223e39a16ddeba53a4b3d6c9eff14d30ec67dfda1e650da2c9057f640edd033a31868915a31caac0d325d240a7f634f62cd52fbd2adc68bd1d9cb6281431

memory/800-37-0x0000000000400000-0x0000000000491000-memory.dmp

memory/800-39-0x0000000000400000-0x0000000000491000-memory.dmp

memory/800-38-0x0000000000400000-0x0000000000491000-memory.dmp

memory/800-43-0x0000000000400000-0x0000000000491000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp586E.tmp

MD5 de4e5ff058882957cf8a3b5f839a031f
SHA1 0b3d8279120fb5fa27efbd9eee89695aa040fc24
SHA256 ef54f46b9f1e342fc12e035ae94f57c61ea4e8be4e116f0a1c6f86310f400f49
SHA512 a6b0d557e9eec4e56630e5ba64495df318f4fd959fffbdcbf77831185b067906917c9117a0ecd6ac817c7860d5d831cce15820d715657d81e2d817d9fab9fb72

memory/1648-46-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1648-47-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1648-49-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp6C7B.tmp

MD5 3525ea58bba48993ea0d01b65ea71381
SHA1 1b917678fdd969e5ee5916e5899e7c75a979cf4d
SHA256 681bcee53cf679ac674e700136f9229b9184fe60ed6410dbd7a33d462ed13ae2
SHA512 5aad8dca43ec85882daf50c469bd04dcf0b62affc8bc605b3e289496a2679d4d548fea8bb0aea7080bbfbcdcab9d275fc6797b9c95b64f9f97ecf79583a83986

C:\ProgramData\khaxFMfI\2c945db753d341ef9b0f02d75d493749

MD5 8af7d20d7e5d09dc7714a6193c250ff1
SHA1 7cb5dd0de2b85f1b6cab0c0819fc78682977884e
SHA256 cd6f1e11e799f709b5a7a068e846c5be4dc1055d8d7677db2f91201210eb2e41
SHA512 14255350d71afc44bcd6166d6077674d92cec3e908173f569e2d92c83ca3304477b420f9e4c1f4850b51f4ec2f7fdf08c49820a8e9a6fe3072f86a4525461503

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 05:54

Reported

2024-06-14 05:56

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7729d3b05f874399ebbb6e5bf026f10_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\winmgr119.exe N/A
N/A N/A C:\ProgramData\winmgr119.exe N/A

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe" C:\Users\Admin\AppData\Local\Temp\a7729d3b05f874399ebbb6e5bf026f10_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe" C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\a7729d3b05f874399ebbb6e5bf026f10_NeikiAnalytics.exe:Zone.Identifier:$DATA C:\Users\Admin\AppData\Local\Temp\a7729d3b05f874399ebbb6e5bf026f10_NeikiAnalytics.exe N/A
File created C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe:Zone.Identifier:$DATA C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
File created C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA C:\ProgramData\winmgr119.exe N/A
File opened for modification C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA C:\ProgramData\winmgr119.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7729d3b05f874399ebbb6e5bf026f10_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7729d3b05f874399ebbb6e5bf026f10_NeikiAnalytics.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\ProgramData\winmgr119.exe N/A
N/A N/A C:\ProgramData\winmgr119.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4076 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\a7729d3b05f874399ebbb6e5bf026f10_NeikiAnalytics.exe C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
PID 4076 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\a7729d3b05f874399ebbb6e5bf026f10_NeikiAnalytics.exe C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
PID 4076 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\a7729d3b05f874399ebbb6e5bf026f10_NeikiAnalytics.exe C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
PID 3872 wrote to memory of 4724 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3872 wrote to memory of 4724 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3872 wrote to memory of 4724 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3872 wrote to memory of 4724 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3872 wrote to memory of 4724 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3872 wrote to memory of 1708 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 3872 wrote to memory of 1708 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 3872 wrote to memory of 1708 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 4724 wrote to memory of 1968 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4724 wrote to memory of 1968 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4724 wrote to memory of 1968 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4724 wrote to memory of 1968 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4724 wrote to memory of 1968 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4724 wrote to memory of 1968 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4724 wrote to memory of 1968 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4724 wrote to memory of 4620 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4724 wrote to memory of 4620 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4724 wrote to memory of 4620 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4724 wrote to memory of 4620 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4724 wrote to memory of 4620 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4724 wrote to memory of 4620 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4724 wrote to memory of 4620 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4724 wrote to memory of 3300 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4724 wrote to memory of 3300 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4724 wrote to memory of 3300 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4724 wrote to memory of 3300 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4724 wrote to memory of 3300 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4724 wrote to memory of 3300 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3872 wrote to memory of 1092 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 3872 wrote to memory of 1092 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 3872 wrote to memory of 1092 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 3872 wrote to memory of 3368 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 3872 wrote to memory of 3368 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 3872 wrote to memory of 3368 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 3872 wrote to memory of 1520 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 3872 wrote to memory of 1520 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 3872 wrote to memory of 1520 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 3872 wrote to memory of 116 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 3872 wrote to memory of 116 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 3872 wrote to memory of 116 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 3872 wrote to memory of 2156 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 3872 wrote to memory of 2156 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 3872 wrote to memory of 2156 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 3872 wrote to memory of 2400 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 3872 wrote to memory of 2400 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 3872 wrote to memory of 2400 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 3872 wrote to memory of 2060 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 3872 wrote to memory of 2060 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 3872 wrote to memory of 2060 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 3872 wrote to memory of 2464 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 3872 wrote to memory of 2464 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 3872 wrote to memory of 2464 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 3872 wrote to memory of 888 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 3872 wrote to memory of 888 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 3872 wrote to memory of 888 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 3872 wrote to memory of 4076 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 3872 wrote to memory of 4076 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 3872 wrote to memory of 4076 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 3872 wrote to memory of 4140 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 3872 wrote to memory of 4140 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe
PID 3872 wrote to memory of 4140 N/A C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a7729d3b05f874399ebbb6e5bf026f10_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a7729d3b05f874399ebbb6e5bf026f10_NeikiAnalytics.exe"

C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe

C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

0

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpB20A.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpB4AB.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpB4EA.tmp"

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\ProgramData\winmgr119.exe

C:\ProgramData\winmgr119.exe

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\ProgramData\winmgr119.exe

C:\ProgramData\winmgr119.exe

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 icanhazip.com udp

Files

C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe

MD5 4b4ebf2c3a4fcf1b18b6dd74c9e05b96
SHA1 cfe1f10e2225b8188a5910cefe1a002b0fad2da2
SHA256 c96916d77198b06010bbd76eb5792be447312f9b079c0427a05aba4c6b52c782
SHA512 2a1d3104ed748f53d420db3319d59861316b73e702f0f87e03f90e94580c1e502fc9bafa7ce688274b36f757a55937559334c9961ec4c7dc0fe1e5e326688e58

memory/4724-8-0x0000000000F00000-0x0000000000FCA000-memory.dmp

memory/4724-9-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

memory/1968-13-0x0000000000400000-0x000000000048E000-memory.dmp

memory/1968-14-0x0000000000400000-0x000000000048E000-memory.dmp

memory/1968-15-0x0000000000400000-0x000000000048E000-memory.dmp

memory/1968-20-0x0000000000400000-0x000000000048E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB20A.tmp

MD5 b0cc2e6f2d8036c9b5fef218736fa9c9
SHA1 64fd3017625979c95ba09d7cbea201010a82f73f
SHA256 997aceeb78143e057d4ea0ed699db3cc1c723f699b4532663b7b85c83baa5c50
SHA512 a1fe80b2971c4d1141a594f27eaea61500bf701cd1b8fbdb5ac2204a63c8ef862344f8c30f65ce769f0acf2b0718ed33a02744dd1a152c4a62a5318333d29b9b

memory/4620-24-0x0000000000400000-0x0000000000491000-memory.dmp

memory/4620-25-0x0000000000400000-0x0000000000491000-memory.dmp

memory/4620-26-0x0000000000400000-0x0000000000491000-memory.dmp

memory/4620-28-0x0000000000400000-0x0000000000491000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB4AB.tmp

MD5 de4e5ff058882957cf8a3b5f839a031f
SHA1 0b3d8279120fb5fa27efbd9eee89695aa040fc24
SHA256 ef54f46b9f1e342fc12e035ae94f57c61ea4e8be4e116f0a1c6f86310f400f49
SHA512 a6b0d557e9eec4e56630e5ba64495df318f4fd959fffbdcbf77831185b067906917c9117a0ecd6ac817c7860d5d831cce15820d715657d81e2d817d9fab9fb72

memory/3300-32-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB4EA.tmp

MD5 3525ea58bba48993ea0d01b65ea71381
SHA1 1b917678fdd969e5ee5916e5899e7c75a979cf4d
SHA256 681bcee53cf679ac674e700136f9229b9184fe60ed6410dbd7a33d462ed13ae2
SHA512 5aad8dca43ec85882daf50c469bd04dcf0b62affc8bc605b3e289496a2679d4d548fea8bb0aea7080bbfbcdcab9d275fc6797b9c95b64f9f97ecf79583a83986

memory/3300-35-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3300-33-0x0000000000400000-0x000000000043C000-memory.dmp

C:\ProgramData\winmgr119.exe

MD5 ba6b44a079407a2db15e6b029023c6ea
SHA1 300f161c954a505d28aede29ddafc5feccd02aaa
SHA256 9dceca4dc68384e7e9aa9743d12a6698f139fd429cddbda7b0a227d1c2b6e631
SHA512 d6538188608e9fec985e7bbe1694e18ff59752605337006681b73cab85e32487d11684699337c5d9dc80edd5ac3f3119599a3f423004707a3d07b01fac5c87e5

memory/4724-44-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

C:\ProgramData\khaxFMfI\2c945db753d341ef9b0f02d75d493749

MD5 ed8de07a16ba614b7d15e263cb55f7e3
SHA1 aee78dd48c91f0e5451380b52a2faaa4eae7f4a5
SHA256 19dde1cad8e7c45c3e18dd0bc5b637328c0701658419379542b1c89e2090b81d
SHA512 3c683d4e9a8af470ef91b8fd6711defcf17e773b95ed0c970507cc0ae9c3913bb0df141e8b54c9869bb7597675e69dfcf73ad91aa9dffd31cf969f243be61e04