Malware Analysis Report

2024-08-06 19:44

Sample ID 240617-dhwd9svhnl
Target 3bb283660f6491cee844e099452f2d20_NeikiAnalytics.exe
SHA256 703c2f7d597179efa4611f8baec9329d4fb81a244876a33005071080c5a4738a
Tags
njrat neuf evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

703c2f7d597179efa4611f8baec9329d4fb81a244876a33005071080c5a4738a

Threat Level: Known bad

The file 3bb283660f6491cee844e099452f2d20_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

njrat neuf evasion persistence trojan

njRAT/Bladabindi

Modifies Windows Firewall

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Create or Modify System Process
T1543
Windows Service
T1543.003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Create or Modify System Process
T1543
Windows Service
T1543.003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Impair Defenses
T1562
Disable or Modify System Firewall
T1562.004
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-17 03:01

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 03:01

Reported

2024-06-17 03:03

Platform

win7-20240611-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3bb283660f6491cee844e099452f2d20_NeikiAnalytics.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bb283660f6491cee844e099452f2d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bb283660f6491cee844e099452f2d20_NeikiAnalytics.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" C:\Users\Admin\AppData\Local\Temp\3bb283660f6491cee844e099452f2d20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3bb283660f6491cee844e099452f2d20_NeikiAnalytics.exe" C:\Users\Admin\AppData\Local\Temp\3bb283660f6491cee844e099452f2d20_NeikiAnalytics.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1664 set thread context of 2984 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1856 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\3bb283660f6491cee844e099452f2d20_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1856 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\3bb283660f6491cee844e099452f2d20_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1856 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\3bb283660f6491cee844e099452f2d20_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1856 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\3bb283660f6491cee844e099452f2d20_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1664 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1664 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1664 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1664 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1664 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1664 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1664 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1664 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1664 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2984 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 2984 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 2984 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 2984 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3bb283660f6491cee844e099452f2d20_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3bb283660f6491cee844e099452f2d20_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 doddyfire.linkpc.net udp
MA 105.156.53.97:10000 doddyfire.linkpc.net tcp
MA 105.156.53.97:10000 doddyfire.linkpc.net tcp
MA 105.156.53.97:10000 doddyfire.linkpc.net tcp
MA 105.156.53.97:10000 doddyfire.linkpc.net tcp
MA 105.156.53.97:10000 doddyfire.linkpc.net tcp
MA 105.156.53.97:10000 doddyfire.linkpc.net tcp

Files

memory/1856-0-0x0000000074731000-0x0000000074732000-memory.dmp

memory/1856-1-0x0000000074730000-0x0000000074CDB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab125A.tmp

MD5 2d3dcf90f6c99f47e7593ea250c9e749
SHA1 51be82be4a272669983313565b4940d4b1385237
SHA256 8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4
SHA512 9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

C:\Users\Admin\AppData\Local\Temp\Tar12BF.tmp

MD5 7186ad693b8ad9444401bd9bcd2217c2
SHA1 5c28ca10a650f6026b0df4737078fa4197f3bac1
SHA256 9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed
SHA512 135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1b88c60d2e94e8144ba318c11d231bc6
SHA1 02eee7f4f575a73b649b7af7226b10d6c4f59d5f
SHA256 4f23e9ad8a3396a33518f0e335cd21941c56ac9101e5a41183ed5f27b1e395d3
SHA512 7ff09cffa2460cdc11ac4ead362480987083fc5ccc1640f951e081a84d1b4e70263181e02d554f514cda01eebc0159530f825423366303a0dad1d7d48f489576

\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5 594c383486053cc9213d64f0a3a6c69a
SHA1 1ee822153406472a5db25f1a898c2860d407bca6
SHA256 7eaa16b10954e1405cf3c48d26cf6d3dbf0c73db28708914f2202eb566d3b6e5
SHA512 cfcfc6376aa6c24e794d85c8c20962a7357da47e5c29d938ea6c27dac6902510b93fdf652afe6719c2c187d51f61d668b2d83717fc2533874d49b5c4f171f2c3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 220ad24ebcd8b8fa68549bb234037d61
SHA1 1de155e3361f9cb92756677bdea54875348ba2d0
SHA256 19658b94d4475fbd39c5e636789076a1bf18c07fff8a99d29c9459b38c2ea6a1
SHA512 cd1a45013c5e86f63eec3be1383f87388adaf762cfe5eabeede187aa36d42dafbf83fdc73d551e421c91acd252ee26b1bdcd2ae6e8dbe1c097f2421ac25a5905

memory/1856-171-0x0000000074730000-0x0000000074CDB000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fa2174481f54d7e2084b4712170a4f2f
SHA1 b7f4d7628d0ebd143c8e77e46b2caaa60353327d
SHA256 2c7ddc00c1c4c111f8caf1972be3d13e0e53fe4c52820a157a8b119d4a82e036
SHA512 7b458699992750cde5aff2c3e3318bf3a441961d10ce5de7e7238f81bda80aacdd9eea13cc5f49d172968d103eabd3532b5ee22461535d741af2d7675af50172

memory/2984-302-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2984-305-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2984-304-0x0000000000400000-0x000000000040C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 03:01

Reported

2024-06-17 03:03

Platform

win10v2004-20240226-en

Max time kernel

145s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3bb283660f6491cee844e099452f2d20_NeikiAnalytics.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3bb283660f6491cee844e099452f2d20_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" C:\Users\Admin\AppData\Local\Temp\3bb283660f6491cee844e099452f2d20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3bb283660f6491cee844e099452f2d20_NeikiAnalytics.exe" C:\Users\Admin\AppData\Local\Temp\3bb283660f6491cee844e099452f2d20_NeikiAnalytics.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2236 set thread context of 2976 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2236 set thread context of 4744 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1436 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\3bb283660f6491cee844e099452f2d20_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1436 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\3bb283660f6491cee844e099452f2d20_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1436 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\3bb283660f6491cee844e099452f2d20_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2236 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2236 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2236 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2236 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2236 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2236 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2236 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2236 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2236 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2236 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2236 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2236 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2236 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2236 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2236 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2236 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2976 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 2976 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 2976 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3bb283660f6491cee844e099452f2d20_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3bb283660f6491cee844e099452f2d20_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4744 -ip 4744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 80

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2628 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 76.234.34.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 doddyfire.linkpc.net udp
MA 105.156.53.97:10000 doddyfire.linkpc.net tcp
NL 52.142.223.178:80 tcp
MA 105.156.53.97:10000 doddyfire.linkpc.net tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
MA 105.156.53.97:10000 doddyfire.linkpc.net tcp
MA 105.156.53.97:10000 doddyfire.linkpc.net tcp
US 8.8.8.8:53 doddyfire.linkpc.net udp
MA 105.156.53.97:10000 doddyfire.linkpc.net tcp
US 8.8.8.8:53 59.189.79.40.in-addr.arpa udp

Files

memory/1436-0-0x0000000074712000-0x0000000074713000-memory.dmp

memory/1436-1-0x0000000074710000-0x0000000074CC1000-memory.dmp

memory/1436-2-0x0000000074710000-0x0000000074CC1000-memory.dmp

memory/1436-6-0x0000000074712000-0x0000000074713000-memory.dmp

memory/1436-7-0x0000000074710000-0x0000000074CC1000-memory.dmp

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5 ea59bed0fd5c793ae6feb6c919bc8221
SHA1 554f74cec2afcdb6b6612226337523d23b020a6e
SHA256 df7fdce4a9230a4cd364e84127e973ccf37289dbede6f8b27494cb2995b64217
SHA512 ad4bfc8cb7603769aef15312d1f27de685ad8482ebf00e32ea0d2c4f120569b4582cd4e986c10d18136566f4b7077410d06dabdfba2fad5b8d80df72496ac71d

memory/1436-19-0x0000000074710000-0x0000000074CC1000-memory.dmp

memory/1436-21-0x0000000074710000-0x0000000074CC1000-memory.dmp

memory/2236-20-0x0000000074710000-0x0000000074CC1000-memory.dmp

memory/2236-22-0x0000000074710000-0x0000000074CC1000-memory.dmp

memory/2236-23-0x0000000074710000-0x0000000074CC1000-memory.dmp

memory/2976-24-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chargeable.exe.log

MD5 0a9b4592cd49c3c21f6767c2dabda92f
SHA1 f534297527ae5ccc0ecb2221ddeb8e58daeb8b74
SHA256 c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd
SHA512 6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307

memory/2236-31-0x0000000074710000-0x0000000074CC1000-memory.dmp

memory/2976-30-0x0000000074710000-0x0000000074CC1000-memory.dmp

memory/2976-32-0x0000000074710000-0x0000000074CC1000-memory.dmp

memory/2976-33-0x0000000074710000-0x0000000074CC1000-memory.dmp

memory/2976-34-0x0000000074710000-0x0000000074CC1000-memory.dmp