Malware Analysis Report

2024-11-30 07:02

Sample ID 240601-jdkd4aeh72
Target 92ccc0afbc7ad7d2c70c7375b4f04c90_NeikiAnalytics.exe
SHA256 f8ffbca68e93db55a302d9a8da8d25a29c65ebfecb743046bf05e04eeefea139
Tags: persistence spyware stealer
Score: 7/10


Analysis Overview


Threat Level: Shows suspicious behavior

The file 92ccc0afbc7ad7d2c70c7375b4f04c90_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Drops startup file

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 07:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 07:33

Reported

2024-06-01 07:35

Platform

win7-20240419-en

Max time kernel

149s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\92ccc0afbc7ad7d2c70c7375b4f04c90_NeikiAnalytics.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe C:\Users\Admin\AppData\Local\Temp\92ccc0afbc7ad7d2c70c7375b4f04c90_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe N/A
N/A N/A C:\FilesOP\abodloc.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesOP\\abodloc.exe" C:\Users\Admin\AppData\Local\Temp\92ccc0afbc7ad7d2c70c7375b4f04c90_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZEO\\dobxsys.exe" C:\Users\Admin\AppData\Local\Temp\92ccc0afbc7ad7d2c70c7375b4f04c90_NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\92ccc0afbc7ad7d2c70c7375b4f04c90_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe N/A
N/A N/A C:\FilesOP\abodloc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2440 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\92ccc0afbc7ad7d2c70c7375b4f04c90_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
PID 2440 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\92ccc0afbc7ad7d2c70c7375b4f04c90_NeikiAnalytics.exe C:\FilesOP\abodloc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\92ccc0afbc7ad7d2c70c7375b4f04c90_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\92ccc0afbc7ad7d2c70c7375b4f04c90_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"

C:\FilesOP\abodloc.exe

C:\FilesOP\abodloc.exe

Network

N/A

Files

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

C:\Users\Admin\253086396416_6.1_Admin.ini

C:\FilesOP\abodloc.exe

C:\LabZEO\dobxsys.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 07:33

Reported

2024-06-01 07:35

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\92ccc0afbc7ad7d2c70c7375b4f04c90_NeikiAnalytics.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe C:\Users\Admin\AppData\Local\Temp\92ccc0afbc7ad7d2c70c7375b4f04c90_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe N/A
N/A N/A C:\SysDrvG1\devoptiloc.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvG1\\devoptiloc.exe" C:\Users\Admin\AppData\Local\Temp\92ccc0afbc7ad7d2c70c7375b4f04c90_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZK5\\optidevsys.exe" C:\Users\Admin\AppData\Local\Temp\92ccc0afbc7ad7d2c70c7375b4f04c90_NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\92ccc0afbc7ad7d2c70c7375b4f04c90_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe N/A
N/A N/A C:\SysDrvG1\devoptiloc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\92ccc0afbc7ad7d2c70c7375b4f04c90_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\92ccc0afbc7ad7d2c70c7375b4f04c90_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"

C:\SysDrvG1\devoptiloc.exe

C:\SysDrvG1\devoptiloc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

C:\Users\Admin\253086396416_10.0_Admin.ini

C:\SysDrvG1\devoptiloc.exe

C:\LabZK5\optidevsys.exe