Malware Analysis Report

2025-01-03 09:34

Sample ID 240604-frpn7aeb3x
Target 30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe
SHA256 d095c5af558806269fd965df0e8f4c6e87ce71c6dc5d8519611e3d804fbd0572
Tags upx bootkit persistence spyware stealer
Score 7/10


Analysis Overview

Score 7/10

SHA256 d095c5af558806269fd965df0e8f4c6e87ce71c6dc5d8519611e3d804fbd0572

Threat Level: Shows suspicious behavior

The file 30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe shows suspicious behavior.

Malicious Activity Summary

upx bootkit persistence spyware stealer

Deletes itself

UPX packed file

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Enumerates connected drives

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Drops file in Program Files directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 05:06

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 05:06

Reported

2024-06-04 05:09

Platform

win7-20231129-en

Max time kernel

147s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\shwyw.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\shwyw.exe N/A
N/A N/A \??\c:\Program Files\fmnng\etgydspe.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfl = "c:\\Program Files\\fmnng\\etgydspe.exe \"c:\\Program Files\\fmnng\\etgydspe.dll\",WriteErrorLog" \??\c:\Program Files\fmnng\etgydspe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\t: \??\c:\Program Files\fmnng\etgydspe.exe N/A
File opened (read-only) \??\w: \??\c:\Program Files\fmnng\etgydspe.exe N/A
File opened (read-only) \??\x: \??\c:\Program Files\fmnng\etgydspe.exe N/A
File opened (read-only) \??\k: \??\c:\Program Files\fmnng\etgydspe.exe N/A
File opened (read-only) \??\m: \??\c:\Program Files\fmnng\etgydspe.exe N/A
File opened (read-only) \??\n: \??\c:\Program Files\fmnng\etgydspe.exe N/A
File opened (read-only) \??\l: \??\c:\Program Files\fmnng\etgydspe.exe N/A
File opened (read-only) \??\q: \??\c:\Program Files\fmnng\etgydspe.exe N/A
File opened (read-only) \??\r: \??\c:\Program Files\fmnng\etgydspe.exe N/A
File opened (read-only) \??\s: \??\c:\Program Files\fmnng\etgydspe.exe N/A
File opened (read-only) \??\u: \??\c:\Program Files\fmnng\etgydspe.exe N/A
File opened (read-only) \??\a: \??\c:\Program Files\fmnng\etgydspe.exe N/A
File opened (read-only) \??\e: \??\c:\Program Files\fmnng\etgydspe.exe N/A
File opened (read-only) \??\h: \??\c:\Program Files\fmnng\etgydspe.exe N/A
File opened (read-only) \??\v: \??\c:\Program Files\fmnng\etgydspe.exe N/A
File opened (read-only) \??\z: \??\c:\Program Files\fmnng\etgydspe.exe N/A
File opened (read-only) \??\g: \??\c:\Program Files\fmnng\etgydspe.exe N/A
File opened (read-only) \??\o: \??\c:\Program Files\fmnng\etgydspe.exe N/A
File opened (read-only) \??\y: \??\c:\Program Files\fmnng\etgydspe.exe N/A
File opened (read-only) \??\p: \??\c:\Program Files\fmnng\etgydspe.exe N/A
File opened (read-only) \??\b: \??\c:\Program Files\fmnng\etgydspe.exe N/A
File opened (read-only) \??\i: \??\c:\Program Files\fmnng\etgydspe.exe N/A
File opened (read-only) \??\j: \??\c:\Program Files\fmnng\etgydspe.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\Program Files\fmnng\etgydspe.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\fmnng C:\Users\Admin\AppData\Local\Temp\shwyw.exe N/A
File created \??\c:\Program Files\fmnng\etgydspe.dll C:\Users\Admin\AppData\Local\Temp\shwyw.exe N/A
File created \??\c:\Program Files\fmnng\etgydspe.exe C:\Users\Admin\AppData\Local\Temp\shwyw.exe N/A
File opened for modification \??\c:\Program Files\fmnng\etgydspe.exe C:\Users\Admin\AppData\Local\Temp\shwyw.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\Program Files\fmnng\etgydspe.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\Program Files\fmnng\etgydspe.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\Program Files\fmnng\etgydspe.exe N/A
N/A N/A \??\c:\Program Files\fmnng\etgydspe.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\Program Files\fmnng\etgydspe.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shwyw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1752 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1752 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1752 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1752 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 3016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2052 wrote to memory of 3016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2052 wrote to memory of 3016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2052 wrote to memory of 3016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2052 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\shwyw.exe
PID 2052 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\shwyw.exe
PID 2052 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\shwyw.exe
PID 2052 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\shwyw.exe
PID 3036 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\shwyw.exe \??\c:\Program Files\fmnng\etgydspe.exe
PID 3036 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\shwyw.exe \??\c:\Program Files\fmnng\etgydspe.exe
PID 3036 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\shwyw.exe \??\c:\Program Files\fmnng\etgydspe.exe
PID 3036 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\shwyw.exe \??\c:\Program Files\fmnng\etgydspe.exe

Processes

C:\Users\Admin\AppData\Local\Temp\30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\shwyw.exe "C:\Users\Admin\AppData\Local\Temp\30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\shwyw.exe

C:\Users\Admin\AppData\Local\Temp\\shwyw.exe "C:\Users\Admin\AppData\Local\Temp\30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe"

\??\c:\Program Files\fmnng\etgydspe.exe

"c:\Program Files\fmnng\etgydspe.exe" "c:\Program Files\fmnng\etgydspe.dll",WriteErrorLog C:\Users\Admin\AppData\Local\Temp\shwyw.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\shwyw.exe

MD5 63d33665a3bbf1e2a1a231d5574d69d8
SHA1 5092a4aeb8cbd5eb112560f69ad93bcb731bd0cb
SHA256 6bfd094b815c370c63ee93af4f90a1b673947f7c75af9c5f9881f164a081315f
SHA512 3b7f550b2d2b48614a9cf82fd8489c54a96c0185b0eb289e18eaa60da4b3d0fd6532d6f0e711566e761289d66d62fe7c7a7a6c8e543c76f6a97725c70a93d643

memory/2160-17-0x0000000010000000-0x000000001004E000-memory.dmp

memory/2160-22-0x00000000000D0000-0x00000000000D2000-memory.dmp

memory/2160-20-0x0000000010000000-0x000000001004E000-memory.dmp

memory/2160-18-0x0000000010000000-0x000000001004E000-memory.dmp

\Program Files\fmnng\etgydspe.dll

MD5 09d1b0fb0962df8ff8e20fa2912a6702
SHA1 d0aebab2e0e502367013df50c05657892a478bc6
SHA256 21dbab9d1a07c41a034a6eec8237cf45e220eed4367328996eb7206c651a12a1
SHA512 5735c42425fd4053acd98ae4df216ce1604fb11b7060b40abdb7b8e7397d60cf793da8a9138386f80cd9e0522dbbc17bfb58d2baf5722ae29b8be157f91e6256

\??\c:\Program Files\fmnng\etgydspe.exe

MD5 51138beea3e2c21ec44d0932c71762a8
SHA1 8939cf35447b22dd2c6e6f443446acc1bf986d58
SHA256 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

memory/2160-23-0x0000000010000000-0x000000001004E000-memory.dmp

memory/2160-26-0x0000000010000000-0x000000001004E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 05:06

Reported

2024-06-04 05:09

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\zboiz.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\zboiz.exe N/A
N/A N/A \??\c:\Program Files\eodgmhqzb\biinuhja.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\Program Files\eodgmhqzb\biinuhja.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfl = "c:\\Program Files\\eodgmhqzb\\biinuhja.exe \"c:\\Program Files\\eodgmhqzb\\biinuhja.dll\",WriteErrorLog" \??\c:\Program Files\eodgmhqzb\biinuhja.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\s: \??\c:\Program Files\eodgmhqzb\biinuhja.exe N/A
File opened (read-only) \??\t: \??\c:\Program Files\eodgmhqzb\biinuhja.exe N/A
File opened (read-only) \??\u: \??\c:\Program Files\eodgmhqzb\biinuhja.exe N/A
File opened (read-only) \??\b: \??\c:\Program Files\eodgmhqzb\biinuhja.exe N/A
File opened (read-only) \??\g: \??\c:\Program Files\eodgmhqzb\biinuhja.exe N/A
File opened (read-only) \??\h: \??\c:\Program Files\eodgmhqzb\biinuhja.exe N/A
File opened (read-only) \??\j: \??\c:\Program Files\eodgmhqzb\biinuhja.exe N/A
File opened (read-only) \??\o: \??\c:\Program Files\eodgmhqzb\biinuhja.exe N/A
File opened (read-only) \??\x: \??\c:\Program Files\eodgmhqzb\biinuhja.exe N/A
File opened (read-only) \??\a: \??\c:\Program Files\eodgmhqzb\biinuhja.exe N/A
File opened (read-only) \??\i: \??\c:\Program Files\eodgmhqzb\biinuhja.exe N/A
File opened (read-only) \??\n: \??\c:\Program Files\eodgmhqzb\biinuhja.exe N/A
File opened (read-only) \??\r: \??\c:\Program Files\eodgmhqzb\biinuhja.exe N/A
File opened (read-only) \??\z: \??\c:\Program Files\eodgmhqzb\biinuhja.exe N/A
File opened (read-only) \??\y: \??\c:\Program Files\eodgmhqzb\biinuhja.exe N/A
File opened (read-only) \??\l: \??\c:\Program Files\eodgmhqzb\biinuhja.exe N/A
File opened (read-only) \??\m: \??\c:\Program Files\eodgmhqzb\biinuhja.exe N/A
File opened (read-only) \??\p: \??\c:\Program Files\eodgmhqzb\biinuhja.exe N/A
File opened (read-only) \??\q: \??\c:\Program Files\eodgmhqzb\biinuhja.exe N/A
File opened (read-only) \??\v: \??\c:\Program Files\eodgmhqzb\biinuhja.exe N/A
File opened (read-only) \??\e: \??\c:\Program Files\eodgmhqzb\biinuhja.exe N/A
File opened (read-only) \??\k: \??\c:\Program Files\eodgmhqzb\biinuhja.exe N/A
File opened (read-only) \??\w: \??\c:\Program Files\eodgmhqzb\biinuhja.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\Program Files\eodgmhqzb\biinuhja.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\eodgmhqzb C:\Users\Admin\AppData\Local\Temp\zboiz.exe N/A
File created \??\c:\Program Files\eodgmhqzb\biinuhja.dll C:\Users\Admin\AppData\Local\Temp\zboiz.exe N/A
File created \??\c:\Program Files\eodgmhqzb\biinuhja.exe C:\Users\Admin\AppData\Local\Temp\zboiz.exe N/A
File opened for modification \??\c:\Program Files\eodgmhqzb\biinuhja.exe C:\Users\Admin\AppData\Local\Temp\zboiz.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\Program Files\eodgmhqzb\biinuhja.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\Program Files\eodgmhqzb\biinuhja.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\Program Files\eodgmhqzb\biinuhja.exe N/A
N/A N/A \??\c:\Program Files\eodgmhqzb\biinuhja.exe N/A
N/A N/A \??\c:\Program Files\eodgmhqzb\biinuhja.exe N/A
N/A N/A \??\c:\Program Files\eodgmhqzb\biinuhja.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\Program Files\eodgmhqzb\biinuhja.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zboiz.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1336 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4208 wrote to memory of 888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4208 wrote to memory of 888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4208 wrote to memory of 888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4208 wrote to memory of 556 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\zboiz.exe
PID 4208 wrote to memory of 556 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\zboiz.exe
PID 4208 wrote to memory of 556 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\zboiz.exe
PID 556 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\zboiz.exe \??\c:\Program Files\eodgmhqzb\biinuhja.exe
PID 556 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\zboiz.exe \??\c:\Program Files\eodgmhqzb\biinuhja.exe
PID 556 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\zboiz.exe \??\c:\Program Files\eodgmhqzb\biinuhja.exe

Processes

C:\Users\Admin\AppData\Local\Temp\30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\zboiz.exe "C:\Users\Admin\AppData\Local\Temp\30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\zboiz.exe

C:\Users\Admin\AppData\Local\Temp\\zboiz.exe "C:\Users\Admin\AppData\Local\Temp\30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe"

\??\c:\Program Files\eodgmhqzb\biinuhja.exe

"c:\Program Files\eodgmhqzb\biinuhja.exe" "c:\Program Files\eodgmhqzb\biinuhja.dll",WriteErrorLog C:\Users\Admin\AppData\Local\Temp\zboiz.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\zboiz.exe

MD5 2920d0ca53912a7852b7fa1208a3e30a
SHA1 5975287b2cdd0212332bc8b922f00e8c2adc62c3
SHA256 ed241378f52ecbb35df5998e354e49e05281e7c2e502ffa6d05edd5236de8e48
SHA512 fbe82c92482ee8bb508a31f0c1949e6611b158939098d113368b59e3d5e70bb7c2c16700576404d540333d68bc4eba258c0ef278fff941cfc4c33daf36289364

C:\Program Files\eodgmhqzb\biinuhja.exe

MD5 889b99c52a60dd49227c5e485a016679
SHA1 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA256 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA512 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

C:\Program Files\eodgmhqzb\biinuhja.dll

MD5 741edca379170c6e47223de22f2fbac2
SHA1 9df6bd02bbd93e718f0f613701d903c296bc160c
SHA256 e1cfc8608db512596ca0fe65dabbe7bdbed7595f9e45953ab9d9397e78927b6c
SHA512 e34010021a112527a34276f20d80407558ce258ac31a26940d683c38ad8c9f087b768f5bce93466f0b2e0e16a61595171213422569435122ef7e6ab5fbcd9ac7

memory/4368-11-0x0000000010000000-0x000000001004E000-memory.dmp

memory/4368-14-0x0000000010000000-0x000000001004E000-memory.dmp

memory/4368-12-0x0000000010000000-0x000000001004E000-memory.dmp

memory/4368-16-0x0000000000BE0000-0x0000000000BE2000-memory.dmp

memory/4368-17-0x0000000010000000-0x000000001004E000-memory.dmp

memory/4368-19-0x0000000010000000-0x000000001004E000-memory.dmp

memory/4368-22-0x0000000010000000-0x000000001004E000-memory.dmp

memory/4368-26-0x0000000010000000-0x000000001004E000-memory.dmp