Malware Analysis Report

2024-08-06 19:49

Sample ID 240616-23s2mswhlq
Target 19be2c9d8be93de93228644716f7cc90_NeikiAnalytics.exe
SHA256 2b6c10bf32972516bd188dd64ebce1008475510c52af2201cfe4c988acb123de
Tags
njrat neuf evasion persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

2b6c10bf32972516bd188dd64ebce1008475510c52af2201cfe4c988acb123de

Threat Level: Known bad

The file 19be2c9d8be93de93228644716f7cc90_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

njrat neuf evasion persistence trojan

njRAT/Bladabindi

Modifies Windows Firewall

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-16 23:06

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 23:06

Reported

2024-06-16 23:09

Platform

win10v2004-20240611-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\19be2c9d8be93de93228644716f7cc90_NeikiAnalytics.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\19be2c9d8be93de93228644716f7cc90_NeikiAnalytics.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\19be2c9d8be93de93228644716f7cc90_NeikiAnalytics.exe" | C:\Users\Admin\AppData\Local\Temp\19be2c9d8be93de93228644716f7cc90_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" | C:\Users\Admin\AppData\Local\Temp\19be2c9d8be93de93228644716f7cc90_NeikiAnalytics.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3516 set thread context of 2692 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4532 wrote to memory of 3516 | N/A | C:\Users\Admin\AppData\Local\Temp\19be2c9d8be93de93228644716f7cc90_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4532 wrote to memory of 3516 | N/A | C:\Users\Admin\AppData\Local\Temp\19be2c9d8be93de93228644716f7cc90_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4532 wrote to memory of 3516 | N/A | C:\Users\Admin\AppData\Local\Temp\19be2c9d8be93de93228644716f7cc90_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 3516 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 3516 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 3516 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 3516 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 3516 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 3516 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 3516 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 3516 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2692 wrote to memory of 3716 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Windows\SysWOW64\netsh.exe
PID 2692 wrote to memory of 3716 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Windows\SysWOW64\netsh.exe
PID 2692 wrote to memory of 3716 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\19be2c9d8be93de93228644716f7cc90_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\19be2c9d8be93de93228644716f7cc90_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1304,i,8660989700097327804,17931739887231169645,262144 --variations-seed-version --mojo-platform-channel-handle=1300 /prefetch:8

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
BE | 88.221.83.201:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 201.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | doddyfire.linkpc.net | udp
US | 8.8.8.8:53 | doddyfire.linkpc.net | udp
MA | 105.156.53.97:10000 | doddyfire.linkpc.net | tcp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp
MA | 105.156.53.97:10000 | doddyfire.linkpc.net | tcp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp
MA | 105.156.53.97:10000 | doddyfire.linkpc.net | tcp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
MA | 105.156.53.97:10000 | doddyfire.linkpc.net | tcp
MA | 105.156.53.97:10000 | doddyfire.linkpc.net | tcp
MA | 105.156.53.97:10000 | doddyfire.linkpc.net | tcp

Files

memory/4532-0-0x0000000074E42000-0x0000000074E43000-memory.dmp

memory/4532-1-0x0000000074E40000-0x00000000753F1000-memory.dmp

memory/4532-2-0x0000000074E40000-0x00000000753F1000-memory.dmp

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5 a66d48fd6696d7a06ec99c68125daf92
SHA1 b0345136ab18dc15046cb881c9b1ac0d8f92d761
SHA256 53acfea390cf4a2d27a0010d7db6f04883381119fd31e75fdeaa980383af76dd
SHA512 9f10a4eb4023db1cf5906ababf001b44f9f111a202402893fe4c5265cbcf04b8e90ed74db1b59d85b869f7d8b8c02aa79ef6d1fb8cad09bbb78a5541e818f776

memory/4532-17-0x0000000074E40000-0x00000000753F1000-memory.dmp

memory/3516-18-0x0000000074E40000-0x00000000753F1000-memory.dmp

memory/3516-19-0x0000000074E40000-0x00000000753F1000-memory.dmp

memory/2692-20-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chargeable.exe.log

MD5 0a9b4592cd49c3c21f6767c2dabda92f
SHA1 f534297527ae5ccc0ecb2221ddeb8e58daeb8b74
SHA256 c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd
SHA512 6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307

memory/3516-25-0x0000000074E40000-0x00000000753F1000-memory.dmp

memory/2692-26-0x0000000074E40000-0x00000000753F1000-memory.dmp

memory/2692-24-0x0000000074E40000-0x00000000753F1000-memory.dmp

memory/2692-27-0x0000000074E40000-0x00000000753F1000-memory.dmp

memory/2692-28-0x0000000074E40000-0x00000000753F1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 23:06

Reported

2024-06-16 23:09

Platform

win7-20231129-en

Max time kernel

147s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\19be2c9d8be93de93228644716f7cc90_NeikiAnalytics.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" | C:\Users\Admin\AppData\Local\Temp\19be2c9d8be93de93228644716f7cc90_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\19be2c9d8be93de93228644716f7cc90_NeikiAnalytics.exe" | C:\Users\Admin\AppData\Local\Temp\19be2c9d8be93de93228644716f7cc90_NeikiAnalytics.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2060 set thread context of 2636 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3040 wrote to memory of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\19be2c9d8be93de93228644716f7cc90_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 3040 wrote to memory of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\19be2c9d8be93de93228644716f7cc90_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 3040 wrote to memory of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\19be2c9d8be93de93228644716f7cc90_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 3040 wrote to memory of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\19be2c9d8be93de93228644716f7cc90_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2060 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2060 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2060 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2060 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2060 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2060 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2060 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2060 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2060 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2636 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Windows\SysWOW64\netsh.exe
PID 2636 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Windows\SysWOW64\netsh.exe
PID 2636 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Windows\SysWOW64\netsh.exe
PID 2636 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\19be2c9d8be93de93228644716f7cc90_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\19be2c9d8be93de93228644716f7cc90_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | crl.microsoft.com | udp
US | 2.22.144.86:80 | crl.microsoft.com | tcp
US | 8.8.8.8:53 | www.microsoft.com | udp
US | 8.8.8.8:53 | doddyfire.linkpc.net | udp
MA | 105.156.53.97:10000 | doddyfire.linkpc.net | tcp
MA | 105.156.53.97:10000 | doddyfire.linkpc.net | tcp
MA | 105.156.53.97:10000 | doddyfire.linkpc.net | tcp
MA | 105.156.53.97:10000 | doddyfire.linkpc.net | tcp
MA | 105.156.53.97:10000 | doddyfire.linkpc.net | tcp
MA | 105.156.53.97:10000 | doddyfire.linkpc.net | tcp

Files

memory/3040-0-0x0000000074D31000-0x0000000074D32000-memory.dmp

memory/3040-1-0x0000000074D30000-0x00000000752DB000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar1EDB.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 4ee322ac33ac1fccd76df308196defd5
SHA1 ae155076b8b68bdcb7f7a3ffdb5e3e477a6d108a
SHA256 34dbcc7ae2289610e7ca59c5d3c64d8ba31140f90ea3a172e5f38510bc9f92a5
SHA512 87441bc793fb61906795e336f9e6b8dd05b292a8e969b30185df297b9b579534c3983c50141583b4ec7f318f692a8918bb723373f954884a8d86e7cd6a17f5ec

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 711ac8a173b244f4c95573d094e08638
SHA1 3057d75f178089aa551c60b36e74abdf6e47f7d6
SHA256 2fba9403cbda03a4099b2017743c7da2a4b1b85a516a0542b35b66481ed7f222
SHA512 37832e222200fdd08c733ee4e1fa57533bd10474c205b90b5cebe6abd9d21dbf25b51eb01dfa16742477800eac9ccb7df29425df52795996716c9e8904f3dd61

\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5 096f31555a364aab8f9ae26fd36d1b71
SHA1 95e03823b6f011bdf3e1ffbb5c847cc3c9a69b83
SHA256 8dfd29ecdf9ea9810bdf1258912e36ece01fe41761b1984fa83348ee87238499
SHA512 8f8659b0f298fc6d71d7f179c8d007a36911849244b0924a852f4622ca9a650208d9fe7299c18ea1f0a48ed84f9a457f4ab535c7cb1b9316f675185d780ec978

memory/3040-195-0x0000000074D30000-0x00000000752DB000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6c94fe343e628b916dabb168e92ecdd4
SHA1 cc52362ee84da82df4149bda8699ec58847bcf63
SHA256 cb75f6080e7432dd32779ed2db362d3bf1472fb72655b803adfe10b2ee471604
SHA512 c86afa90cb614e4f6be0b4bbf39a14fab3c60aad38b44ee0b7fe585c08c9860f3aa24c7287e50c0dc0630c9d407842eb91498bb1c63aa43f8146af06cc0143be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956

MD5 fc1193c6345ac35188aa3de0f824ceb7
SHA1 8fb5606f5380ac6ace7bb4e7c71b6750362e8c5f
SHA256 bdfb8faff4c0c0a15c642890a5544bd32f930f55ca199470dbd4736a32d6e200
SHA512 480a3ad52cf215db3cede6ad93293f8f031c2cb7a190c6f4cbcd0f3eb06f5c81c7f13d304a495945192e759ab5403245acef7be0149b8615ce2b194927f3dec4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956

MD5 416660d428c7cf64b9a7437138848bea
SHA1 b88612a4d598556dfd21241df049826c48b9fd4a
SHA256 e2e7bbbd3941b056f4f08d42539d0361c0147d7f6fa541e6df13124155aafaee
SHA512 d51a802effbf060183ecf75623f14b86cc3d978541b7009927badf9a76b60e0f67aaa3634e926e19162a3415af94a66d164e00bd066ad5dc41acec564e87472f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

MD5 cba2426f2aafe31899569ace05e89796
SHA1 3bfb16faefd762b18f033cb2de6ceb77db9d2390
SHA256 a465febe8a024e3cdb548a3731b2ea60c7b2919e941a24b9a42890b2b039b85a
SHA512 395cce81a7966f02c49129586815b833c8acfe6efbb8795e56548f32819270c654074622b7fa880121ce7fbd29725af6f69f89b8c7e02c64d1bbffbfe0620c68

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

MD5 0991033c31c2a8b03ef1fb798cdf853c
SHA1 b126f36bbc3136a88e3ba696ed60f42e4ab71f81
SHA256 cd505fe353d01ef468aa91d99a308b9be6ddb1ab282acb77b978c46b07dfba7f
SHA512 3aa2239e464884e17aa44153ec94747580bf8f595e5120580d74a920775fb5ed60be3d3c8a4cf8d71affffc0f66d51a8113eda3a77c38d7af2501ab7a9d27e34

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6c433abae1bdf98e213cf1a2e98a8f99
SHA1 3a1ce2ef1b8cc79cf4b58030a9e3685a66036e9b
SHA256 62baad9cbc5e0626cf4006a330fbc9d6c86f8dfe7693f599f0b92efc17ba3d4e
SHA512 c1463538ae17b69ac320e69957e65695b9cfa223a17ad9d8505324cdbbde683e92c924d3ba3481dafdf924af67ccffbc0e4fc289b9dc2769df075e59a9570ca4

memory/2636-362-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2636-364-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2636-365-0x0000000000400000-0x000000000040C000-memory.dmp