Malware Analysis Report

2024-09-11 09:53

Sample ID 240617-k3eqksxgkn
Target 704fdc0ee3f347dd91cf693373edd300_NeikiAnalytics.exe
SHA256 c1185c1061fcf0fbcdc583bb15420fb5891b5d0eee117ceb6b3154b1c3725a24
Tags
redline sectoprat cheat execution infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c1185c1061fcf0fbcdc583bb15420fb5891b5d0eee117ceb6b3154b1c3725a24

Threat Level: Known bad

The file 704fdc0ee3f347dd91cf693373edd300_NeikiAnalytics.exe is classified Known bad. Both detonations (Windows 7 and Windows 10) show the same chain: the sample extracts PO.exe into a RarSFX0 temp folder (the WinRAR self-extractor naming convention) and runs it; PO.exe spawns two PowerShell instances that add Windows Defender exclusions for itself and for C:\Users\Admin\AppData\Roaming\QopWAwElUmz.exe, registers the scheduled task Updates\QopWAwElUmz from an XML file in %TEMP% (tmp5A9E.tmp on Windows 7, tmpA9FB.tmp on Windows 10), then starts a second copy of itself and rewrites that child's thread context (the process-hollowing pattern). The detonation then records repeated outbound TCP connections to 45.137.22.68:55615, and the RedLine and SectopRAT payload signatures match.

Malicious Activity Summary

redline sectoprat cheat execution infostealer rat trojan

SectopRAT

RedLine payload

SectopRAT payload

RedLine

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-17 09:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 09:07

Reported

2024-06-17 09:09

Platform

win7-20240508-en

Max time kernel

148s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\704fdc0ee3f347dd91cf693373edd300_NeikiAnalytics.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2648 set thread context of 3028 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2180 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\704fdc0ee3f347dd91cf693373edd300_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 2180 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\704fdc0ee3f347dd91cf693373edd300_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 2180 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\704fdc0ee3f347dd91cf693373edd300_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 2180 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\704fdc0ee3f347dd91cf693373edd300_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 2648 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Windows\SysWOW64\schtasks.exe
PID 2648 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Windows\SysWOW64\schtasks.exe
PID 2648 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Windows\SysWOW64\schtasks.exe
PID 2648 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Windows\SysWOW64\schtasks.exe
PID 2648 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 2648 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 2648 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 2648 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 2648 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 2648 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 2648 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 2648 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 2648 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Processes

C:\Users\Admin\AppData\Local\Temp\704fdc0ee3f347dd91cf693373edd300_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\704fdc0ee3f347dd91cf693373edd300_NeikiAnalytics.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QopWAwElUmz.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QopWAwElUmz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5A9E.tmp"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"

Network

Country Destination Domain Proto
NL 45.137.22.68:55615 tcp
NL 45.137.22.68:55615 tcp
NL 45.137.22.68:55615 tcp
NL 45.137.22.68:55615 tcp
NL 45.137.22.68:55615 tcp
NL 45.137.22.68:55615 tcp

Files

memory/2180-4-0x0000000000DC0000-0x0000000000DC2000-memory.dmp

memory/2112-5-0x00000000001A0000-0x00000000001A2000-memory.dmp

memory/2112-6-0x0000000000390000-0x0000000000391000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

MD5 cbba28340b41795a6d4beafe4f3af972
SHA1 d8cd2bf87a9272d4dd0db86400452d697cf732ef
SHA256 2606ddf0cfd583b2345c72e51f7580a8a63927832ab72901790401675b4fc24c
SHA512 feb403caf71667382927b4ad62bbd352db5ca54a82a88af3ed3bcd40b4e312a9803e3b71517ba8178ec57767b2cbb024c249a52bda9d22972b91d5341bdfeb23

memory/2648-21-0x0000000000BF0000-0x0000000000C80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.jpg

MD5 e83ccb51ee74efd2a221be293d23c69a
SHA1 4365ca564f7cdd7337cf0f83ac5fd64317fb4c32
SHA256 da931852a19a707d01c3edf138622b8601056c42525f8ac40cb48af43a7410cc
SHA512 0252e629fbdafdb66ff63ef76d18f25d1ca46ac3eff019f012361db45ebd34d1a7a9ad35f7a2fc5830676c771997633f3abf1dc3224bd8f6bd55456b0a554a46

memory/2648-23-0x00000000005E0000-0x00000000005F6000-memory.dmp

memory/2648-24-0x00000000007A0000-0x00000000007AE000-memory.dmp

memory/2648-25-0x00000000007B0000-0x00000000007C0000-memory.dmp

memory/2648-26-0x00000000046B0000-0x0000000004710000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 ce776aeec5cf3c40a73f05f2bc15319f
SHA1 1e2ef4d54d6764909af32e83f728802c48eb159b
SHA256 1917e573c0a43df23dc1ee33dcb34c9c36be837202cd33adab2e4f93d42c0a43
SHA512 be6121458708e4cc65b9916f91f6d5287afad41a1881fdfaa2457a8ea690004e767e6542b4b4e76c0518f814a30ec8541d6885488381b1a6f5c0702ac190af7c

C:\Users\Admin\AppData\Local\Temp\tmp5A9E.tmp

MD5 31b7179a8c05f520d53fc49239af0caf
SHA1 4238955289043a5b4033ee9d974dd9f71e782de4
SHA256 fe8d3c7c1b808663706104eced3394769bed83d349dc4d5924c7cac30ff25cbb
SHA512 8278997e35ca19124334c4d67ff60ad1c09ec146f64266dd461904b65b2cd85a06f026ce6baf9e40b96e0a5fe1a0277b86ca829d600f799764d1e42b81020399

memory/3028-49-0x0000000000400000-0x000000000041E000-memory.dmp

memory/3028-46-0x0000000000400000-0x000000000041E000-memory.dmp

memory/3028-44-0x0000000000400000-0x000000000041E000-memory.dmp

memory/3028-42-0x0000000000400000-0x000000000041E000-memory.dmp

memory/3028-40-0x0000000000400000-0x000000000041E000-memory.dmp

memory/3028-48-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3028-53-0x0000000000400000-0x000000000041E000-memory.dmp

memory/3028-51-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2112-54-0x0000000000390000-0x0000000000391000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 09:07

Reported

2024-06-17 09:09

Platform

win10v2004-20240508-en

Max time kernel

129s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\704fdc0ee3f347dd91cf693373edd300_NeikiAnalytics.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\704fdc0ee3f347dd91cf693373edd300_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3312 set thread context of 1036 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3692 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\704fdc0ee3f347dd91cf693373edd300_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 3692 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\704fdc0ee3f347dd91cf693373edd300_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 3692 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\704fdc0ee3f347dd91cf693373edd300_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 3312 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3312 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3312 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3312 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3312 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3312 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3312 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Windows\SysWOW64\schtasks.exe
PID 3312 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Windows\SysWOW64\schtasks.exe
PID 3312 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Windows\SysWOW64\schtasks.exe
PID 3312 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 3312 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 3312 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 3312 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 3312 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 3312 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 3312 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 3312 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Processes

C:\Users\Admin\AppData\Local\Temp\704fdc0ee3f347dd91cf693373edd300_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\704fdc0ee3f347dd91cf693373edd300_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QopWAwElUmz.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QopWAwElUmz" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA9FB.tmp"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
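The Processes sections of behavioral1 and behavioral2 above show one chain: PO.exe spawns powershell.exe Add-MpPreference -ExclusionPath (twice), schtasks.exe /Create ... /XML with a file in %TEMP%, and a second PO.exe that is then the target of SetThreadContext. The script below is an added example, not code from the report, the sandbox or any vendor: it encodes that chain as four detection rules and runs them over constructed Sysmon-style events built from the behavioral2 PIDs, image paths and command lines. The event field names, the parent PID of the first process, the attribution of the 52.111.229.43:443 connection to a PID, and the assumption that events arrive in time order (so the SetThreadContext record precedes the child's connection) are mine. Two details it accounts for: the command lines name System32\powershell.exe and System32\schtasks.exe while the image paths are under SysWOW64 (WoW64 file-system redirection, because PO.exe is a 32-bit process), so the rules key on the image path, not the command line; and a connection is only scored once the connecting PID has been seen as an injection target, which is what separates the hollowed child from its parent and from the PowerShell instance that is given the 443 connection in the sample data.

```python
"""Detection rules for the PO.exe chain, run over constructed Sysmon-style events.

Added example: not code from the report or from any sandbox or vendor.
Event field names (type/pid/ppid/image/cmdline/target_pid/dst_ip/dst_port)
are an assumption loosely modelled on Sysmon event IDs 1, 10 and 3.
"""
import re
from dataclasses import dataclass

# Nothing the OS ships lives under a user's AppData, so a task definition or
# exclusion pointing there is the tell.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
WEB_PORTS = {80, 443}

# CONSTRUCTED events mirroring the behavioral2 tree (PIDs, image paths and
# command lines copied from the report). The last event is also constructed:
# the report lists 52.111.229.43:443 but does not say which process opened it.
EVENTS = [
    {"type": "process_create", "pid": 3692, "ppid": 1234,
     "image": r"C:\Users\Admin\AppData\Local\Temp\704fdc0ee3f347dd91cf693373edd300_NeikiAnalytics.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\704fdc0ee3f347dd91cf693373edd300_NeikiAnalytics.exe"'},
    {"type": "process_create", "pid": 3312, "ppid": 3692,
     "image": r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"'},
    {"type": "process_create", "pid": 3040, "ppid": 3312,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"'},
    {"type": "process_create", "pid": 2144, "ppid": 3312,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QopWAwElUmz.exe"'},
    {"type": "process_create", "pid": 224, "ppid": 3312,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QopWAwElUmz" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA9FB.tmp"'},
    {"type": "process_create", "pid": 1036, "ppid": 3312,
     "image": r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"'},
    {"type": "set_thread_context", "pid": 3312, "target_pid": 1036},
    {"type": "network_connect", "pid": 1036, "dst_ip": "45.137.22.68", "dst_port": 55615, "proto": "tcp"},
    {"type": "network_connect", "pid": 3040, "dst_ip": "52.111.229.43", "dst_port": 443, "proto": "tcp"},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _arg(cmdline, flag):
    """Value following `flag`, quoted or bare; None if the flag is absent."""
    m = re.search(re.escape(flag) + r'\s+(?:"([^"]+)"|(\S+))', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None


def triage(events):
    """Apply the four rules in event order and return the findings."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    injected = set()  # PIDs seen as the target of SetThreadContext
    findings = []
    for e in events:
        if e["type"] == "process_create":
            name, cmd = _basename(e["image"]), e["cmdline"]  # key on image path (WoW64)
            if name == "powershell.exe" and re.search(r"add-mppreference", cmd, re.I):
                path = _arg(cmd, "-ExclusionPath")
                if path:
                    findings.append(Finding("defender_exclusion_added", e["pid"], path))
            elif name == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
                task, xml = _arg(cmd, "/TN"), _arg(cmd, "/XML")
                if xml and USER_WRITABLE.search(xml):
                    findings.append(Finding("schtask_from_user_temp", e["pid"], f"{task} <- {xml}"))
        elif e["type"] == "set_thread_context":
            src, dst = procs.get(e["pid"]), procs.get(e["target_pid"])
            # A parent rewriting the thread context of a child that runs the
            # same image is the hollowing shape the report's PO.exe -> PO.exe shows.
            if src and dst and dst["ppid"] == src["pid"] and src["image"].lower() == dst["image"].lower():
                injected.add(dst["pid"])
                findings.append(Finding("self_hollowing", src["pid"], f"child {dst['pid']} runs {dst['image']}"))
        elif e["type"] == "network_connect":
            # Only an injected PID on a non-web port is scored; the same
            # destination from an uninjected PID is left to other rules.
            if e["pid"] in injected and e["dst_port"] not in WEB_PORTS:
                findings.append(Finding("c2_from_injected_process", e["pid"],
                                        f"{e['dst_ip']}:{e['dst_port']}/{e['proto']}"))
    return findings


def ancestry(events, pid):
    """Image basenames from the root of the tree down to `pid`."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    chain = []
    while pid in procs:
        chain.append(_basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f.rule:26} pid={f.pid:<5} {f.detail}")
    print(" -> ".join(ancestry(EVENTS, 1036)))
```

On a live host the exclusion change is also recorded in the Microsoft-Windows-Windows Defender/Operational log as Event ID 5007 (configuration changed); `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` confirms what is currently excluded and `Remove-MpPreference -ExclusionPath <path>` undoes it. The self_hollowing rule is intentionally narrow (same image, parent/child); loaders that hollow a different system binary need the image comparison relaxed.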

Network

Country Destination Domain Proto
NL 45.137.22.68:55615 tcp
NL 45.137.22.68:55615 tcp
NL 45.137.22.68:55615 tcp
US 52.111.229.43:443 tcp
NL 45.137.22.68:55615 tcp
NL 45.137.22.68:55615 tcp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

MD5 cbba28340b41795a6d4beafe4f3af972
SHA1 d8cd2bf87a9272d4dd0db86400452d697cf732ef
SHA256 2606ddf0cfd583b2345c72e51f7580a8a63927832ab72901790401675b4fc24c
SHA512 feb403caf71667382927b4ad62bbd352db5ca54a82a88af3ed3bcd40b4e312a9803e3b71517ba8178ec57767b2cbb024c249a52bda9d22972b91d5341bdfeb23

memory/3312-14-0x000000007293E000-0x000000007293F000-memory.dmp

memory/3312-15-0x00000000009A0000-0x0000000000A30000-memory.dmp

memory/3312-16-0x00000000058C0000-0x0000000005E64000-memory.dmp

memory/3312-17-0x0000000005410000-0x00000000054A2000-memory.dmp

memory/3312-18-0x0000000072930000-0x00000000730E0000-memory.dmp

memory/3312-19-0x00000000054D0000-0x00000000054DA000-memory.dmp

memory/3312-20-0x0000000008560000-0x0000000008576000-memory.dmp

memory/3312-21-0x0000000008590000-0x000000000859E000-memory.dmp

memory/3312-22-0x00000000085B0000-0x00000000085C0000-memory.dmp

memory/3312-23-0x00000000085C0000-0x0000000008620000-memory.dmp

memory/3312-24-0x000000000ADE0000-0x000000000AE7C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.jpg

MD5 e83ccb51ee74efd2a221be293d23c69a
SHA1 4365ca564f7cdd7337cf0f83ac5fd64317fb4c32
SHA256 da931852a19a707d01c3edf138622b8601056c42525f8ac40cb48af43a7410cc
SHA512 0252e629fbdafdb66ff63ef76d18f25d1ca46ac3eff019f012361db45ebd34d1a7a9ad35f7a2fc5830676c771997633f3abf1dc3224bd8f6bd55456b0a554a46

memory/3040-30-0x0000000002210000-0x0000000002246000-memory.dmp

memory/3040-31-0x0000000004EE0000-0x0000000005508000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpA9FB.tmp

MD5 b0365f3a17f1c706e242ad05debd2da0
SHA1 89b180ef7c92abab23c423bad1847c24fd931303
SHA256 a2176751a7c762928d89bff978c1ef9f1dbc430af50d85039c90c44962509ff7
SHA512 a474cea4c70511aa2e1fb9512b58b9b997e55dc1f70c6dcd63b9b05a9989287430d393cf6200227eb17958505a6b69f029c5498e2e2de3e74392aa8a620b3adb

memory/3040-33-0x0000000004A50000-0x0000000004A72000-memory.dmp

memory/2144-35-0x00000000060A0000-0x0000000006106000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cslyxdvk.1cc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2144-34-0x0000000005960000-0x00000000059C6000-memory.dmp

memory/1036-41-0x0000000000400000-0x000000000041E000-memory.dmp

memory/3040-48-0x0000000005510000-0x0000000005864000-memory.dmp

memory/3312-58-0x0000000072930000-0x00000000730E0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO.exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

memory/1036-60-0x00000000058B0000-0x0000000005EC8000-memory.dmp

memory/1036-61-0x0000000005260000-0x0000000005272000-memory.dmp

memory/1036-62-0x00000000052D0000-0x000000000530C000-memory.dmp

memory/3040-63-0x0000000005B00000-0x0000000005B1E000-memory.dmp

memory/3040-64-0x0000000005BC0000-0x0000000005C0C000-memory.dmp

memory/1036-65-0x0000000005570000-0x000000000567A000-memory.dmp

memory/3040-66-0x0000000006AD0000-0x0000000006B02000-memory.dmp

memory/3040-77-0x00000000060B0000-0x00000000060CE000-memory.dmp

memory/3040-67-0x0000000070030000-0x000000007007C000-memory.dmp

memory/3040-78-0x0000000006B10000-0x0000000006BB3000-memory.dmp

memory/2144-79-0x0000000070030000-0x000000007007C000-memory.dmp

memory/3040-90-0x0000000006E20000-0x0000000006E3A000-memory.dmp

memory/3040-89-0x0000000007470000-0x0000000007AEA000-memory.dmp

memory/3040-91-0x0000000006E90000-0x0000000006E9A000-memory.dmp

memory/2144-92-0x0000000007DD0000-0x0000000007E66000-memory.dmp

memory/2144-93-0x0000000007D50000-0x0000000007D61000-memory.dmp

memory/2144-94-0x0000000007D80000-0x0000000007D8E000-memory.dmp

memory/2144-95-0x0000000007D90000-0x0000000007DA4000-memory.dmp

memory/2144-96-0x0000000007E90000-0x0000000007EAA000-memory.dmp

memory/3040-97-0x0000000007140000-0x0000000007148000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 db330b8987a380134434212686da192b
SHA1 84227d589a55ce196968b1df9b7b0c0ddacb880e
SHA256 bc070735649b1daf93776eba7f7bd26a8a7f550a0243a93ffbc31f1b677223aa
SHA512 3e938618196a745e3d2466051c281fc79b6f335b59041aa5f58fdb812aee5e9d1a0f28b07201355422ed93fb47410919c21f4a7597d85c0249e93f8e259c3a12
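Both runs register the task Updates\QopWAwElUmz from a temporary XML file (tmp5A9E.tmp on Windows 7, tmpA9FB.tmp on Windows 10) whose contents the report does not show, only their hashes. Recovering that file, or the registered copy the Task Scheduler keeps under C:\Windows\System32\Tasks\Updates\, is what tells you what the task actually launches and when. The parser below is an added example, not the report's or the sandbox's code: it reads a Task Scheduler XML definition and lists the reasons it looks like persistence. TASK_XML is constructed for the example; its Exec Command is taken from the second Defender exclusion path (QopWAwElUmz.exe under AppData\Roaming), which is the obvious candidate but is not content recovered from the real tmpA9FB.tmp, and the trigger, Hidden and RunLevel values are likewise assumptions.

```python
"""Parse a Task Scheduler XML definition and score what it launches.

Added example, not the report's or the sandbox's code. TASK_XML is
CONSTRUCTED: the report gives only the hashes of tmp5A9E.tmp/tmpA9FB.tmp,
so the Exec/Command below is an assumption taken from the second Defender
exclusion path, not content recovered from those files.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\", re.IGNORECASE)

# Constructed sample in the schema schtasks /Create /XML consumes.
TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal>
  </Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Users\Admin\AppData\Roaming\QopWAwElUmz.exe</Command></Exec>
  </Actions>
</Task>"""


def parse_task(data):
    """Return the actions, trigger types, hidden flag and run level of a task.

    `data` may be str or bytes. Exported task XML on disk is UTF-16 with a
    BOM, so read such files in binary and pass the bytes unchanged; the
    parser then honours the encoding declaration.
    """
    root = ET.fromstring(data)
    actions = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        actions.append((cmd, args))
    trig = root.find("t:Triggers", NS)
    triggers = [] if trig is None else [t.tag.split("}")[-1] for t in trig]
    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS).strip().lower() == "true"
    runlevel = root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=NS).strip()
    return {"actions": actions, "triggers": triggers, "hidden": hidden, "runlevel": runlevel}


def assess(task, defender_exclusions=()):
    """List the reasons a parsed task looks like malware persistence."""
    reasons = []
    for cmd, _ in task["actions"]:
        if USER_WRITABLE.search(cmd):
            reasons.append(f"launches from a user-writable path: {cmd}")
        # Cross-check against the paths the PowerShell Add-MpPreference calls excluded.
        if any(cmd.lower() == p.lower() for p in defender_exclusions):
            reasons.append(f"launch target is also a Defender exclusion: {cmd}")
    if task["hidden"]:
        reasons.append("task is hidden from the UI")
    if {"LogonTrigger", "BootTrigger"} & set(task["triggers"]):
        reasons.append("fires at logon/boot: " + ", ".join(task["triggers"]))
    if task["runlevel"] == "HighestAvailable":
        reasons.append("requests highest available run level")
    return reasons


if __name__ == "__main__":
    task = parse_task(TASK_XML)
    for r in assess(task, defender_exclusions=[r"C:\Users\Admin\AppData\Roaming\QopWAwElUmz.exe"]):
        print("-", r)
```

To get the registered definition from a live host rather than the deleted temp file, `schtasks /Query /TN "Updates\QopWAwElUmz" /XML` prints the same XML, and the Microsoft-Windows-TaskScheduler/Operational log records the registration as Event ID 106 with the task name and the registering user.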