Malware Analysis Report

2025-01-03 09:34

Sample ID 240604-k1m9yacb52
Target 4eafbb1bb0f65e4fcaba7f64bf7f9300_NeikiAnalytics.exe
SHA256 f2fdde7b8acd5d557f291b86208b0c4c86b67ab5863ac749272ce9569cac0288
Tags
bootkit persistence spyware stealer upx
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

f2fdde7b8acd5d557f291b86208b0c4c86b67ab5863ac749272ce9569cac0288

Threat Level: Likely malicious

The file 4eafbb1bb0f65e4fcaba7f64bf7f9300_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

bootkit persistence spyware stealer upx

Blocklisted process makes network request

Deletes itself

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

UPX packed file

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Enumerates connected drives

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Kills process with taskkill

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 09:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 09:04

Reported

2024-06-04 09:06

Platform

win7-20240508-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4eafbb1bb0f65e4fcaba7f64bf7f9300_NeikiAnalytics.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\jovlj.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\jovlj.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\knmdx\\ehvxs.hxe\",crc32" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\taskkill.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\taskkill.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4eafbb1bb0f65e4fcaba7f64bf7f9300_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jovlj.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1932 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\4eafbb1bb0f65e4fcaba7f64bf7f9300_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1932 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\4eafbb1bb0f65e4fcaba7f64bf7f9300_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1932 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\4eafbb1bb0f65e4fcaba7f64bf7f9300_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1932 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\4eafbb1bb0f65e4fcaba7f64bf7f9300_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2184 wrote to memory of 2552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2184 wrote to memory of 2552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2184 wrote to memory of 2552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2184 wrote to memory of 1040 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\jovlj.exe
PID 2184 wrote to memory of 1040 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\jovlj.exe
PID 2184 wrote to memory of 1040 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\jovlj.exe
PID 2184 wrote to memory of 1040 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\jovlj.exe
PID 1040 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\jovlj.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 1040 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\jovlj.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 1040 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\jovlj.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 1040 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\jovlj.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 1040 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\jovlj.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 1040 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\jovlj.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 1040 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\jovlj.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2668 wrote to memory of 2688 N/A \??\c:\windows\SysWOW64\rundll32.exe \??\c:\windows\SysWOW64\taskkill.exe
PID 2668 wrote to memory of 2688 N/A \??\c:\windows\SysWOW64\rundll32.exe \??\c:\windows\SysWOW64\taskkill.exe
PID 2668 wrote to memory of 2688 N/A \??\c:\windows\SysWOW64\rundll32.exe \??\c:\windows\SysWOW64\taskkill.exe
PID 2668 wrote to memory of 2688 N/A \??\c:\windows\SysWOW64\rundll32.exe \??\c:\windows\SysWOW64\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4eafbb1bb0f65e4fcaba7f64bf7f9300_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\4eafbb1bb0f65e4fcaba7f64bf7f9300_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\jovlj.exe "C:\Users\Admin\AppData\Local\Temp\4eafbb1bb0f65e4fcaba7f64bf7f9300_NeikiAnalytics.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\jovlj.exe

C:\Users\Admin\AppData\Local\Temp\\jovlj.exe "C:\Users\Admin\AppData\Local\Temp\4eafbb1bb0f65e4fcaba7f64bf7f9300_NeikiAnalytics.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\knmdx\ehvxs.hxe",crc32 C:\Users\Admin\AppData\Local\Temp\jovlj.exe

\??\c:\windows\SysWOW64\taskkill.exe

taskkill /f /im attrib.exe

Network


Files

memory/1932-0-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1932-1-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/1932-3-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jovlj.exe

MD5 1976cb640e6964fa2ae5d8217b495226
SHA1 d7f844348e59ee5e3f41e7803aed09f26c7271aa
SHA256 0f2a577d70992c60c61375f7986451ae35a7bf096269385f524ca28ec5667fb4
SHA512 a8bded477fbe694b0b6ddd28dcd8759eb72db4cefa93a0b6fba9383ae75722674384c38e729d9cca2fdbc4e6f8eae1dd2a9bd847c3c37d5b04d9a48421f8b87d

memory/2184-9-0x0000000000370000-0x0000000000398000-memory.dmp

memory/1040-10-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2184-8-0x0000000000370000-0x0000000000398000-memory.dmp

memory/1040-11-0x0000000000360000-0x0000000000361000-memory.dmp

memory/1040-13-0x0000000000400000-0x0000000000428000-memory.dmp

\??\c:\knmdx\ehvxs.hxe

MD5 2f53f49e01f09d6e6064871eec1955cd
SHA1 a6e1a6e5c2080d0fb2f7a872e3902a8a4a1a9b5f
SHA256 964e4dd2532d540bb61d3c7ccc833f2358d8cd6b2eabc3a2d51183a18b59f82d
SHA512 2cb98030c3df7417c04f796f78f23f96d381871d9c7ae4a14116764e915b2e2f56b9b3a6fb76fedc50a17788de9538fc7954a7b73bf17e4be43e1fc1a06bc218

memory/2668-16-0x0000000010000000-0x0000000010022000-memory.dmp

memory/2668-17-0x0000000010000000-0x0000000010022000-memory.dmp

memory/2668-21-0x0000000010000000-0x0000000010022000-memory.dmp

memory/2668-22-0x0000000010000000-0x0000000010022000-memory.dmp

memory/2668-23-0x0000000010000000-0x0000000010022000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 09:04

Reported

2024-06-04 09:06

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4eafbb1bb0f65e4fcaba7f64bf7f9300_NeikiAnalytics.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\vbpkk.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\vbpkk.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\ppcehgh\\coccig.occ\",crc32" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\taskkill.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\taskkill.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4eafbb1bb0f65e4fcaba7f64bf7f9300_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vbpkk.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 560 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\4eafbb1bb0f65e4fcaba7f64bf7f9300_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 560 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\4eafbb1bb0f65e4fcaba7f64bf7f9300_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 560 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\4eafbb1bb0f65e4fcaba7f64bf7f9300_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3080 wrote to memory of 1348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3080 wrote to memory of 1348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3080 wrote to memory of 1348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3080 wrote to memory of 3388 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\vbpkk.exe
PID 3080 wrote to memory of 3388 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\vbpkk.exe
PID 3080 wrote to memory of 3388 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\vbpkk.exe
PID 3388 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\vbpkk.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 3388 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\vbpkk.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 3388 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\vbpkk.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 5080 wrote to memory of 2432 N/A \??\c:\windows\SysWOW64\rundll32.exe \??\c:\windows\SysWOW64\taskkill.exe
PID 5080 wrote to memory of 2432 N/A \??\c:\windows\SysWOW64\rundll32.exe \??\c:\windows\SysWOW64\taskkill.exe
PID 5080 wrote to memory of 2432 N/A \??\c:\windows\SysWOW64\rundll32.exe \??\c:\windows\SysWOW64\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4eafbb1bb0f65e4fcaba7f64bf7f9300_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\4eafbb1bb0f65e4fcaba7f64bf7f9300_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\vbpkk.exe "C:\Users\Admin\AppData\Local\Temp\4eafbb1bb0f65e4fcaba7f64bf7f9300_NeikiAnalytics.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\vbpkk.exe

C:\Users\Admin\AppData\Local\Temp\\vbpkk.exe "C:\Users\Admin\AppData\Local\Temp\4eafbb1bb0f65e4fcaba7f64bf7f9300_NeikiAnalytics.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\ppcehgh\coccig.occ",crc32 C:\Users\Admin\AppData\Local\Temp\vbpkk.exe

\??\c:\windows\SysWOW64\taskkill.exe

taskkill /f /im attrib.exe

Network


Files

memory/560-0-0x0000000000400000-0x0000000000428000-memory.dmp

memory/560-1-0x00000000005B0000-0x00000000005B1000-memory.dmp

memory/560-3-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vbpkk.exe

MD5 5a76d3a2a66221a97f83484b4571ee8a
SHA1 4e6bf855eaa3c543ecd3fa72cf67bb4892f9a780
SHA256 fa23482f1a616e409bd0842f6a4479f6f5b8b418cf78e6ae61f05a224c2a7af7
SHA512 31d24f4580b45afa0f5e9c45f5548dde3d42cc717ef31c0015e89de8a33678279d3f40c5f534232a205fbc5083c353dff89c603773425aad5a9cada20d574868

memory/3388-7-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3388-8-0x00000000005B0000-0x00000000005B1000-memory.dmp

memory/3388-10-0x0000000000400000-0x0000000000428000-memory.dmp

C:\ppcehgh\coccig.occ

MD5 2f53f49e01f09d6e6064871eec1955cd
SHA1 a6e1a6e5c2080d0fb2f7a872e3902a8a4a1a9b5f
SHA256 964e4dd2532d540bb61d3c7ccc833f2358d8cd6b2eabc3a2d51183a18b59f82d
SHA512 2cb98030c3df7417c04f796f78f23f96d381871d9c7ae4a14116764e915b2e2f56b9b3a6fb76fedc50a17788de9538fc7954a7b73bf17e4be43e1fc1a06bc218

memory/5080-13-0x0000000010000000-0x0000000010022000-memory.dmp

memory/5080-14-0x0000000010000000-0x0000000010022000-memory.dmp

memory/5080-16-0x0000000010000000-0x0000000010022000-memory.dmp

memory/5080-18-0x0000000010000000-0x0000000010022000-memory.dmp