Malware Analysis Report

2025-01-03 09:34

Sample ID 240604-hvaqjsgh9x
Target 3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe
SHA256 8fbe6b8faf87ba5df0fe4f5d6e5d6eceb666a31ca24af1b22dd383e4e128e991
Tags
upx bootkit persistence spyware stealer
score
7/10

Analysis Overview

score
7/10

SHA256

8fbe6b8faf87ba5df0fe4f5d6e5d6eceb666a31ca24af1b22dd383e4e128e991

Threat Level: Shows suspicious behavior

The file 3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

upx bootkit persistence spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Deletes itself

UPX packed file

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Enumerates connected drives

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Analysis: static1

Detonation Overview

Reported

2024-06-04 07:02

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 07:02

Reported

2024-06-04 07:05

Platform

win7-20240221-en

Max time kernel

143s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\euknivlv.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\euknivlv.exe N/A
N/A N/A \??\c:\Program Files\byhtg\bvdrf.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\HTML = "c:\\Program Files\\byhtg\\bvdrf.exe \"c:\\Program Files\\byhtg\\bvdrf.dll\",PraseHTML" \??\c:\Program Files\byhtg\bvdrf.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\y: \??\c:\Program Files\byhtg\bvdrf.exe N/A
File opened (read-only) \??\a: \??\c:\Program Files\byhtg\bvdrf.exe N/A
File opened (read-only) \??\h: \??\c:\Program Files\byhtg\bvdrf.exe N/A
File opened (read-only) \??\k: \??\c:\Program Files\byhtg\bvdrf.exe N/A
File opened (read-only) \??\o: \??\c:\Program Files\byhtg\bvdrf.exe N/A
File opened (read-only) \??\t: \??\c:\Program Files\byhtg\bvdrf.exe N/A
File opened (read-only) \??\v: \??\c:\Program Files\byhtg\bvdrf.exe N/A
File opened (read-only) \??\x: \??\c:\Program Files\byhtg\bvdrf.exe N/A
File opened (read-only) \??\g: \??\c:\Program Files\byhtg\bvdrf.exe N/A
File opened (read-only) \??\p: \??\c:\Program Files\byhtg\bvdrf.exe N/A
File opened (read-only) \??\r: \??\c:\Program Files\byhtg\bvdrf.exe N/A
File opened (read-only) \??\s: \??\c:\Program Files\byhtg\bvdrf.exe N/A
File opened (read-only) \??\u: \??\c:\Program Files\byhtg\bvdrf.exe N/A
File opened (read-only) \??\n: \??\c:\Program Files\byhtg\bvdrf.exe N/A
File opened (read-only) \??\w: \??\c:\Program Files\byhtg\bvdrf.exe N/A
File opened (read-only) \??\z: \??\c:\Program Files\byhtg\bvdrf.exe N/A
File opened (read-only) \??\b: \??\c:\Program Files\byhtg\bvdrf.exe N/A
File opened (read-only) \??\e: \??\c:\Program Files\byhtg\bvdrf.exe N/A
File opened (read-only) \??\i: \??\c:\Program Files\byhtg\bvdrf.exe N/A
File opened (read-only) \??\j: \??\c:\Program Files\byhtg\bvdrf.exe N/A
File opened (read-only) \??\l: \??\c:\Program Files\byhtg\bvdrf.exe N/A
File opened (read-only) \??\m: \??\c:\Program Files\byhtg\bvdrf.exe N/A
File opened (read-only) \??\q: \??\c:\Program Files\byhtg\bvdrf.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\Program Files\byhtg\bvdrf.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\byhtg\bvdrf.dll C:\Users\Admin\AppData\Local\Temp\euknivlv.exe N/A
File created \??\c:\Program Files\byhtg\bvdrf.exe C:\Users\Admin\AppData\Local\Temp\euknivlv.exe N/A
File opened for modification \??\c:\Program Files\byhtg\bvdrf.exe C:\Users\Admin\AppData\Local\Temp\euknivlv.exe N/A
File opened for modification \??\c:\Program Files\byhtg C:\Users\Admin\AppData\Local\Temp\euknivlv.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\Program Files\byhtg\bvdrf.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\Program Files\byhtg\bvdrf.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\Program Files\byhtg\bvdrf.exe N/A
N/A N/A \??\c:\Program Files\byhtg\bvdrf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\Program Files\byhtg\bvdrf.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\euknivlv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1136 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1136 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1136 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1136 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2108 wrote to memory of 2268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2108 wrote to memory of 2268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2108 wrote to memory of 2268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2108 wrote to memory of 2188 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\euknivlv.exe
PID 2108 wrote to memory of 2188 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\euknivlv.exe
PID 2108 wrote to memory of 2188 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\euknivlv.exe
PID 2108 wrote to memory of 2188 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\euknivlv.exe
PID 2188 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\euknivlv.exe \??\c:\Program Files\byhtg\bvdrf.exe
PID 2188 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\euknivlv.exe \??\c:\Program Files\byhtg\bvdrf.exe
PID 2188 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\euknivlv.exe \??\c:\Program Files\byhtg\bvdrf.exe
PID 2188 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\euknivlv.exe \??\c:\Program Files\byhtg\bvdrf.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\euknivlv.exe "C:\Users\Admin\AppData\Local\Temp\3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\euknivlv.exe

C:\Users\Admin\AppData\Local\Temp\\euknivlv.exe "C:\Users\Admin\AppData\Local\Temp\3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe"

\??\c:\Program Files\byhtg\bvdrf.exe

"c:\Program Files\byhtg\bvdrf.exe" "c:\Program Files\byhtg\bvdrf.dll",PraseHTML C:\Users\Admin\AppData\Local\Temp\euknivlv.exe

Network

Country Destination Domain Proto
US 107.163.56.238:18530 tcp
US 107.163.43.143:12388 tcp
US 107.163.56.238:18530 tcp
US 107.163.43.143:12388 tcp
US 107.163.56.251:6658 tcp
US 107.163.56.239:18963 tcp
US 107.163.56.239:18963 tcp
US 107.163.56.239:18963 tcp
US 107.163.56.239:18963 tcp
US 107.163.56.251:6658 tcp
US 107.163.56.251:6658 tcp
US 107.163.56.251:6658 tcp

Files

\Users\Admin\AppData\Local\Temp\euknivlv.exe

MD5 53ac7bd61f78d34d65a2d58566f51682
SHA1 60ecfa9fcaab9b651990995b7dde5980f4544028
SHA256 28764c2d95e4db93852a13e8754d102be4caa6d4aa2b139d7d5f6ed0a9b244ee
SHA512 227093110139a0ca08933fec973d653de30c4e27fa21f3a8d0594b158a7b6822aea2228107771ca65b10bb6f7dee737964a9bdb7cf76af5e47c128ba4a8c40d7

\Program Files\byhtg\bvdrf.exe

MD5 51138beea3e2c21ec44d0932c71762a8
SHA1 8939cf35447b22dd2c6e6f443446acc1bf986d58
SHA256 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

\??\c:\Program Files\byhtg\bvdrf.dll

MD5 819702dcb8f8c3877c5299c3550e4933
SHA1 52bcdc04e16b49138835ee478a1657176aaa49b9
SHA256 7eab8bab97bb8735d4091de759e3bde4a2de7828a4df85950ba2a1cee96b80cb
SHA512 6f48c939569ed7b9ac77a05134f0bb544ded7292eb6585849de92c0829b98de4fd7ca4ce1ab2eb7e26602d401f6f5892b57f235ec3878bbe718558abaa809c3f

memory/2604-18-0x0000000010000000-0x0000000010083000-memory.dmp

memory/2604-17-0x0000000010000000-0x0000000010083000-memory.dmp

memory/2604-23-0x000000001005B000-0x0000000010083000-memory.dmp

memory/2604-24-0x0000000010000000-0x0000000010083000-memory.dmp

memory/2604-25-0x0000000010000000-0x0000000010083000-memory.dmp

memory/2604-26-0x0000000010000000-0x0000000010083000-memory.dmp

memory/2604-30-0x0000000010000000-0x0000000010083000-memory.dmp

memory/2604-34-0x0000000010000000-0x0000000010083000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 07:02

Reported

2024-06-04 07:05

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\shtrwixvb.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\shtrwixvb.exe N/A
N/A N/A \??\c:\Program Files\weovs\sttobzxju.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\Program Files\weovs\sttobzxju.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HTML = "c:\\Program Files\\weovs\\sttobzxju.exe \"c:\\Program Files\\weovs\\sttobzxju.dll\",PraseHTML" \??\c:\Program Files\weovs\sttobzxju.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\l: \??\c:\Program Files\weovs\sttobzxju.exe N/A
File opened (read-only) \??\s: \??\c:\Program Files\weovs\sttobzxju.exe N/A
File opened (read-only) \??\z: \??\c:\Program Files\weovs\sttobzxju.exe N/A
File opened (read-only) \??\t: \??\c:\Program Files\weovs\sttobzxju.exe N/A
File opened (read-only) \??\w: \??\c:\Program Files\weovs\sttobzxju.exe N/A
File opened (read-only) \??\x: \??\c:\Program Files\weovs\sttobzxju.exe N/A
File opened (read-only) \??\e: \??\c:\Program Files\weovs\sttobzxju.exe N/A
File opened (read-only) \??\p: \??\c:\Program Files\weovs\sttobzxju.exe N/A
File opened (read-only) \??\q: \??\c:\Program Files\weovs\sttobzxju.exe N/A
File opened (read-only) \??\k: \??\c:\Program Files\weovs\sttobzxju.exe N/A
File opened (read-only) \??\m: \??\c:\Program Files\weovs\sttobzxju.exe N/A
File opened (read-only) \??\n: \??\c:\Program Files\weovs\sttobzxju.exe N/A
File opened (read-only) \??\r: \??\c:\Program Files\weovs\sttobzxju.exe N/A
File opened (read-only) \??\u: \??\c:\Program Files\weovs\sttobzxju.exe N/A
File opened (read-only) \??\h: \??\c:\Program Files\weovs\sttobzxju.exe N/A
File opened (read-only) \??\i: \??\c:\Program Files\weovs\sttobzxju.exe N/A
File opened (read-only) \??\j: \??\c:\Program Files\weovs\sttobzxju.exe N/A
File opened (read-only) \??\y: \??\c:\Program Files\weovs\sttobzxju.exe N/A
File opened (read-only) \??\o: \??\c:\Program Files\weovs\sttobzxju.exe N/A
File opened (read-only) \??\v: \??\c:\Program Files\weovs\sttobzxju.exe N/A
File opened (read-only) \??\a: \??\c:\Program Files\weovs\sttobzxju.exe N/A
File opened (read-only) \??\b: \??\c:\Program Files\weovs\sttobzxju.exe N/A
File opened (read-only) \??\g: \??\c:\Program Files\weovs\sttobzxju.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\Program Files\weovs\sttobzxju.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\weovs C:\Users\Admin\AppData\Local\Temp\shtrwixvb.exe N/A
File created \??\c:\Program Files\weovs\sttobzxju.dll C:\Users\Admin\AppData\Local\Temp\shtrwixvb.exe N/A
File created \??\c:\Program Files\weovs\sttobzxju.exe C:\Users\Admin\AppData\Local\Temp\shtrwixvb.exe N/A
File opened for modification \??\c:\Program Files\weovs\sttobzxju.exe C:\Users\Admin\AppData\Local\Temp\shtrwixvb.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\Program Files\weovs\sttobzxju.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\Program Files\weovs\sttobzxju.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\Program Files\weovs\sttobzxju.exe N/A
N/A N/A \??\c:\Program Files\weovs\sttobzxju.exe N/A
N/A N/A \??\c:\Program Files\weovs\sttobzxju.exe N/A
N/A N/A \??\c:\Program Files\weovs\sttobzxju.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\Program Files\weovs\sttobzxju.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shtrwixvb.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2936 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2936 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2936 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 5008 wrote to memory of 3364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5008 wrote to memory of 3364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5008 wrote to memory of 3364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5008 wrote to memory of 3264 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\shtrwixvb.exe
PID 5008 wrote to memory of 3264 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\shtrwixvb.exe
PID 5008 wrote to memory of 3264 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\shtrwixvb.exe
PID 3264 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\shtrwixvb.exe \??\c:\Program Files\weovs\sttobzxju.exe
PID 3264 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\shtrwixvb.exe \??\c:\Program Files\weovs\sttobzxju.exe
PID 3264 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\shtrwixvb.exe \??\c:\Program Files\weovs\sttobzxju.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\shtrwixvb.exe "C:\Users\Admin\AppData\Local\Temp\3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\shtrwixvb.exe

C:\Users\Admin\AppData\Local\Temp\\shtrwixvb.exe "C:\Users\Admin\AppData\Local\Temp\3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe"

\??\c:\Program Files\weovs\sttobzxju.exe

"c:\Program Files\weovs\sttobzxju.exe" "c:\Program Files\weovs\sttobzxju.dll",PraseHTML C:\Users\Admin\AppData\Local\Temp\shtrwixvb.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4376,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=4080 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.62.61.106:443 www.bing.com tcp
US 8.8.8.8:53 106.61.62.23.in-addr.arpa udp
US 107.163.56.238:18530 107.163.56.238 tcp
US 8.8.8.8:53 238.56.163.107.in-addr.arpa udp
US 107.163.43.143:12388 107.163.43.143 tcp
US 8.8.8.8:53 143.43.163.107.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 107.163.56.251:6658 tcp
US 8.8.8.8:53 251.56.163.107.in-addr.arpa udp
US 107.163.56.239:18963 107.163.56.239 tcp
US 107.163.56.239:18963 107.163.56.239 tcp
US 8.8.8.8:53 239.56.163.107.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 107.163.56.239:18963 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp
US 107.163.56.251:6658 tcp
US 107.163.56.251:6658 tcp

Files

C:\Users\Admin\AppData\Local\Temp\shtrwixvb.exe

MD5 b0c1c50d53735acfed2935047eb99c3e
SHA1 4086c90699fdc3cc1159c45db54b6a2dc0418b7c
SHA256 ac401d90495ccf7dc3eccc8a86543e3fe9d093f0a9ad239e0b46a9cbf6543087
SHA512 82aebfb4c6240575e857f9c74983892353d0b7857f26493b4667fd469ebe12473d86f42044912d67f207c2c55e923f40b06310ebee9fb287e3c98efeaf70487c

C:\Program Files\weovs\sttobzxju.exe

MD5 889b99c52a60dd49227c5e485a016679
SHA1 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA256 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA512 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

memory/3836-11-0x0000000010000000-0x0000000010083000-memory.dmp

memory/3836-14-0x0000000010000000-0x0000000010083000-memory.dmp

memory/3836-13-0x0000000010000000-0x0000000010083000-memory.dmp

memory/3836-12-0x000000001005B000-0x0000000010083000-memory.dmp

C:\Program Files\weovs\sttobzxju.dll

MD5 9adedba2b440b7340eed8506abb604c8
SHA1 da644de7c53c232a9204aac2a791ebc8012641d8
SHA256 b8d68df91792487f83068c31c8895db5ae72ae2e1cffc1b2fc54dd1bc459595b
SHA512 bc45d3b14de7e1e92147f8649e39c51c90e4b68b69d5c97f8b52e47d262f0c2fa139508e49ff3dd8bc78da4014d4a0ca260bfefa4d2221265294287ea3ab9f7f

memory/3836-15-0x0000000010000000-0x0000000010083000-memory.dmp

memory/3836-18-0x0000000010000000-0x0000000010083000-memory.dmp

memory/3836-21-0x0000000010000000-0x0000000010083000-memory.dmp

memory/3836-25-0x0000000010000000-0x0000000010083000-memory.dmp