Malware Analysis Report

2024-08-06 19:47

Sample ID 240618-m3xx9svcnl
Target 3c1e278589484e8e5d535155b08573e0_NeikiAnalytics.exe
SHA256 972c24bd1d0c675187a1f65fc7c4b4a3fce48b23ec1ed198d49bbe116d4d6192
Tags njrat neuf evasion persistence privilege_escalation trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 972c24bd1d0c675187a1f65fc7c4b4a3fce48b23ec1ed198d49bbe116d4d6192

Threat Level: Known bad

The file 3c1e278589484e8e5d535155b08573e0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

njrat neuf evasion persistence privilege_escalation trojan

njRAT/Bladabindi

Modifies Windows Firewall

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported 2024-06-18 10:59

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-18 10:59
Reported 2024-06-18 11:02
Platform win10v2004-20240611-en
Max time kernel 149s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3c1e278589484e8e5d535155b08573e0_NeikiAnalytics.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3c1e278589484e8e5d535155b08573e0_NeikiAnalytics.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" | C:\Users\Admin\AppData\Local\Temp\3c1e278589484e8e5d535155b08573e0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3c1e278589484e8e5d535155b08573e0_NeikiAnalytics.exe" | C:\Users\Admin\AppData\Local\Temp\3c1e278589484e8e5d535155b08573e0_NeikiAnalytics.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3060 set thread context of 4860 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2380 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\3c1e278589484e8e5d535155b08573e0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 3060 wrote to memory of 4860 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4860 wrote to memory of 3172 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3c1e278589484e8e5d535155b08573e0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3c1e278589484e8e5d535155b08573e0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
NL | 23.62.61.129:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | doddyfire.linkpc.net | udp
US | 207.84.97.52:10000 | doddyfire.linkpc.net | tcp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp

Files

memory/2380-0-0x0000000074E62000-0x0000000074E63000-memory.dmp

memory/2380-1-0x0000000074E60000-0x0000000075411000-memory.dmp

memory/2380-2-0x0000000074E60000-0x0000000075411000-memory.dmp

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5 b56992e9bf9e8ae4b8b8ca05854cd9c8
SHA1 2d7df1b275d72033fee77ec5605856524683b1ee
SHA256 7ed08bd3cecfc9d88af385a0e0f53cd161d1161da0ec9736df450f434406aee0
SHA512 30a6103d17af793fda91574de5d376052442354c778e933a843ada9cec452f0ce8198787682abebc6eb349939d793a058e29e2f62285956f76b3a1032145b81f

memory/2380-17-0x0000000074E60000-0x0000000075411000-memory.dmp

memory/3060-18-0x0000000074E60000-0x0000000075411000-memory.dmp

memory/3060-19-0x0000000074E60000-0x0000000075411000-memory.dmp

memory/4860-20-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chargeable.exe.log

MD5 0a9b4592cd49c3c21f6767c2dabda92f
SHA1 f534297527ae5ccc0ecb2221ddeb8e58daeb8b74
SHA256 c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd
SHA512 6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307

memory/4860-25-0x0000000074E60000-0x0000000075411000-memory.dmp

memory/3060-24-0x0000000074E60000-0x0000000075411000-memory.dmp

memory/4860-26-0x0000000074E60000-0x0000000075411000-memory.dmp

memory/4860-27-0x0000000074E60000-0x0000000075411000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-18 10:59
Reported 2024-06-18 11:02
Platform win7-20240220-en
Max time kernel 147s
Max time network 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3c1e278589484e8e5d535155b08573e0_NeikiAnalytics.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" | C:\Users\Admin\AppData\Local\Temp\3c1e278589484e8e5d535155b08573e0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3c1e278589484e8e5d535155b08573e0_NeikiAnalytics.exe" | C:\Users\Admin\AppData\Local\Temp\3c1e278589484e8e5d535155b08573e0_NeikiAnalytics.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2260 set thread context of 2632 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2308 wrote to memory of 2260 | N/A | C:\Users\Admin\AppData\Local\Temp\3c1e278589484e8e5d535155b08573e0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2260 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2632 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3c1e278589484e8e5d535155b08573e0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3c1e278589484e8e5d535155b08573e0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | crl.microsoft.com | udp
BE | 23.14.90.104:80 | crl.microsoft.com | tcp
US | 8.8.8.8:53 | www.microsoft.com | udp
SE | 23.34.233.128:80 | www.microsoft.com | tcp
US | 8.8.8.8:53 | doddyfire.linkpc.net | udp
US | 207.84.97.52:10000 | doddyfire.linkpc.net | tcp

Files

memory/2308-0-0x0000000074BC1000-0x0000000074BC2000-memory.dmp

memory/2308-1-0x0000000074BC0000-0x000000007516B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabBE5.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\TarC26.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarF1D.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 53cd913e6323faa4e1da3ad321011400
SHA1 320a73b91013f27c080b592dae409f4f6f35600e
SHA256 4d95255c07c7f2f3e58fbbd3c3a692bfbddcd05800a50be0df26dbeb1218c265
SHA512 ba23ec7ba712ce429d59fb893cdae7c29895d6b8e37569b39e587f7bce10199d34de7044710885d54d153c7e9d38d3175a9687676a3ba988f2b28fb2b10e7e89

\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5 af76c7b389f7c7ad27ecb44357a9eb07
SHA1 32ee2aa050ccf2b4db4ceca56a56d05beda52b3e
SHA256 e9eecd5e3040fc2507f5f1fbb5d4a3d1d87ca049d7d7431786588e8a583d9b76
SHA512 23dfbea88473fe0dd8b66748d5fac8303034a29a32b008e8188dc5ad76fd0da1742a1d102771e16bdc958440e9655bf4f3e4acd9cd816dbffe15fe631ab10d7a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fcaa27b80e2bd4fefcbeba4bf8c4509e
SHA1 05e21be793244274df5d05abcc6bd27f5e8a564f
SHA256 ab8d9cbec694fa9ff9f486b3682b392011ba4ea0394567393b7b41f9b286efd5
SHA512 f36fc24be833f6eb0def5d2098cb937a0d54a4933ac5275368234cafde01b6d75cd4cc81401f89febd67e0b0ee9abcf0fec726b5ea3f48104621a2289cc65163

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956

MD5 fc1193c6345ac35188aa3de0f824ceb7
SHA1 8fb5606f5380ac6ace7bb4e7c71b6750362e8c5f
SHA256 bdfb8faff4c0c0a15c642890a5544bd32f930f55ca199470dbd4736a32d6e200
SHA512 480a3ad52cf215db3cede6ad93293f8f031c2cb7a190c6f4cbcd0f3eb06f5c81c7f13d304a495945192e759ab5403245acef7be0149b8615ce2b194927f3dec4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956

MD5 229c7c50ea8c971095e4a7557e35a362
SHA1 646b912002cf63dc7f61447ec2239d058f796a39
SHA256 fa0407027a15eac0c05e0b79137ce6d21848a14af5441861360c1372e57bdc97
SHA512 972de32ce174a1d79342b105687524bbf6e631de7708124f7ed6452c9c4def62eae92c2f723c3f8b58104ebd6bacf031b0b6a4051809ff435fe1815d8ce9a974

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

MD5 cba2426f2aafe31899569ace05e89796
SHA1 3bfb16faefd762b18f033cb2de6ceb77db9d2390
SHA256 a465febe8a024e3cdb548a3731b2ea60c7b2919e941a24b9a42890b2b039b85a
SHA512 395cce81a7966f02c49129586815b833c8acfe6efbb8795e56548f32819270c654074622b7fa880121ce7fbd29725af6f69f89b8c7e02c64d1bbffbfe0620c68

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

MD5 f94800ebfe20c7814217fbf76b6fea69
SHA1 10f6db612397541faa4135ef303d2b8dd8bc16b4
SHA256 860ff044b2d198120d01de4938279937232e2c755362239e65df7546506a586e
SHA512 3dcb20e6270d618bdf3762a9a9af5a6c729dd892253bbd130a2356549743ef88bace751f3397fb74bc716b1068fe414cfe592961c1c220311c5df058df10da8c

memory/2308-219-0x0000000074BC0000-0x000000007516B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ef90b9d32e77e47270a9cd309b302f0d
SHA1 4dca20b3a74e78b4f17dcafe0c1191f085103f17
SHA256 0d893418b04aa881aa62025b0e722adeb7029e0e4f67c88780b4c71b6d287e13
SHA512 ce83b94eca1ed5b7d011af16afb8b6db0c2e690835f2b9ff7d056cbafe4f493d134966d0e89135f9b10a6957606e89d915cef6b3136739a0298352c9c969fb43

memory/2632-365-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2632-368-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2632-367-0x0000000000400000-0x000000000040C000-memory.dmp