Malware Analysis Report

2024-11-15 06:34

Sample ID 240613-e1h3bsxfqm
Target 5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe
SHA256 bed0368aad6f2dd8cc6c15bfe538b4c87997c79ff4873d47b2a6f2f292cff3ec
Tags
persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

bed0368aad6f2dd8cc6c15bfe538b4c87997c79ff4873d47b2a6f2f292cff3ec

Threat Level: Shows suspicious behavior

The file 5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe was found to show suspicious behavior (score 7/10). The dropped file and directory names differ completely between the two detonations (sysxopti.exe, C:\UserDotK9 and C:\Vid2B on Windows 7; ecdevbod.exe, C:\IntelprocFU and C:\LabZ36 on Windows 10), so those names are generated per run and are weak indicators. What repeats is the behaviour: a copy of the sample dropped into the user's Startup folder, a Run value and a RunOnce value both named "Parametr" pointing at executables in newly created top-level directories, and an .ini file in the user profile named from a constant (253086396416), the Windows version (6.1 or 10.0) and the user name.

Malicious Activity Summary

persistence spyware stealer

Drops startup file

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15 techniques implied by the signatures triggered in both detonations: T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder) covers both the copy dropped into the user's Startup folder and the Run and RunOnce values; T1057 (Process Discovery) covers the repeated process enumeration by the dropped copies; T1055 (Process Injection) is the technique the WriteProcessMemory signature is keyed to, although the recorded writes go only into children the sample itself spawned. The browser-profile read is the basis of the spyware and stealer tags and, if the data read includes credential stores, falls under T1555.003 (Credentials from Web Browsers); the report records no indicator rows for that signature, so the files touched are not listed here.

Analysis: static1

Detonation Overview

Reported

2024-06-13 04:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 04:24

Reported

2024-06-13 04:26

Platform

win7-20240221-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe C:\Users\Admin\AppData\Local\Temp\5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe N/A
N/A N/A C:\UserDotK9\xbodec.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotK9\\xbodec.exe" C:\Users\Admin\AppData\Local\Temp\5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid2B\\bodaloc.exe" C:\Users\Admin\AppData\Local\Temp\5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe N/A
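The two persistence mechanisms recorded above (an executable dropped into the Startup folder, and Run/RunOnce values pointing at executables in directories created directly under the drive root) expressed as detection logic. This is an added example, not code from the report or from the sandbox vendor; the Sysmon-style event layout (dicts with 'kind', 'image', 'target' and, for registry events, 'data'), the OneDrive noise event and the file names in the constructed events are assumptions made for the example.

```python
"""Detection logic for the persistence seen in this report (added example).

Not code from the report or the sandbox vendor. It turns the two persistence
signatures into rules and runs them over a handful of constructed,
Sysmon-style events. The event layout (dicts with the keys 'kind', 'image',
'target' and, for registry events, 'data') is an assumption made for the
example; map your own telemetry onto it before use.
"""
import re

# Rule 1: an executable created in the per-user Startup folder.
STARTUP_EXE_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$",
    re.IGNORECASE,
)
# Rule 2: a Run/RunOnce value (the value name is the last path component, as
# Sysmon Event ID 13 reports it) whose data points at an executable in a
# directory sitting directly under the drive root, e.g. C:\UserDotK9\xbodec.exe.
RUNKEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\([^\\]+)$", re.IGNORECASE
)
ROOT_DIR_EXE_RE = re.compile(r'^"?[A-Za-z]:\\([^\\]+)\\[^\\]+\.exe"?$', re.IGNORECASE)
# Root-level directories that legitimately host autostart entries; tune per estate.
KNOWN_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata", "users"}
# Rule 3: the value name used in both detonations. Cheap exact-match IOC: the
# dropped file and directory names change per run, the value name did not.
IOC_VALUE_NAME = "Parametr"


def detect(events):
    """Return one finding dict per rule hit, in event order."""
    findings = []
    for ev in events:
        if ev["kind"] == "file_create" and STARTUP_EXE_RE.search(ev["target"]):
            findings.append({"rule": "startup_folder_exe", "image": ev["image"], "target": ev["target"]})
        elif ev["kind"] == "reg_set":
            key_match = RUNKEY_RE.search(ev["target"])
            if not key_match:
                continue
            value_name, data = key_match.group(2), ev["data"]
            exe_match = ROOT_DIR_EXE_RE.match(data)
            if exe_match and exe_match.group(1).lower() not in KNOWN_ROOT_DIRS:
                findings.append({"rule": "runkey_root_dir_exe", "image": ev["image"],
                                 "target": ev["target"], "data": data})
            if value_name == IOC_VALUE_NAME:
                findings.append({"rule": "runkey_value_name_ioc", "image": ev["image"],
                                 "target": ev["target"], "data": data})
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe"
HKU_RUN = r"HKU\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion"

# Constructed events: the first three restate the behavioral1 signatures,
# the last two are benign noise (assumed, not from the report) that must not fire.
SAMPLE_EVENTS = [
    {"kind": "file_create", "image": SAMPLE,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"},
    {"kind": "reg_set", "image": SAMPLE, "target": HKU_RUN + r"\Run\Parametr",
     "data": r"C:\UserDotK9\xbodec.exe"},
    {"kind": "reg_set", "image": SAMPLE, "target": HKU_RUN + r"\RunOnce\Parametr",
     "data": r"C:\Vid2B\bodaloc.exe"},
    {"kind": "reg_set", "image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "target": HKU_RUN + r"\Run\OneDrive",
     "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"kind": "file_create", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\Admin\AppData\Local\Temp\setup.log"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding["rule"], finding["target"], finding.get("data", ""))
```

Rules 1 and 2 are behavioural and survive the per-run renaming; rule 3 is an exact-match IOC and should be expected to break the moment the value name changes. The RunOnce value is worth a separate alert of its own: it fires at the next logon, which a single sandbox run never reaches, so the behaviour of C:\Vid2B\bodaloc.exe is not captured in this report.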

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe N/A (2 identical events)
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe N/A (31 identical events)
N/A N/A C:\UserDotK9\xbodec.exe N/A (31 identical events)

The two dropped copies enumerate running processes repeatedly for as long as they run; the report records no indicator (no target process name) for any of these events.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2252 wrote to memory of 2032 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
PID 2252 wrote to memory of 2668 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe C:\UserDotK9\xbodec.exe

Both targets are children the sample itself launched (see Processes), and the report raises no process-hollowing or injection signature. Writes from a parent into a child it has just created are routine, so on their own these rows corroborate the process tree rather than prove code injection; they would only become injection evidence if the target were an unrelated process.

Processes

C:\Users\Admin\AppData\Local\Temp\5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"

C:\UserDotK9\xbodec.exe

C:\UserDotK9\xbodec.exe

Network

N/A

Files

Several paths are listed twice with different hashes: the file was written more than once during the run and each entry is a distinct content version, so both hashes are valid indicators for that path. C:\UserDotK9\xbodec.exe and \UserDotK9\xbodec.exe are the same on-disk path, recorded once with and once without the drive letter. The name 253086396416_6.1_Admin.ini is built from a constant, the Windows version (6.1 is Windows 7) and the user name; the Windows 10 run below writes 253086396416_10.0_Admin.ini.

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

MD5 3185709dc78f047c88e0d6cc7916eb46
SHA1 3b7b8e98a3a55f8432951e5caccce5ccb75e9d16
SHA256 ae23b91f627cbc61ca37b6c0e9ebef1552e834dd617c7f0361818f8040c55e5a
SHA512 944e4a1e926283fa8c1d633320734eca2805d969151cd49d1f1606bebfe910b26369099b2472c0d86845875c1e112607912f2b74fcd9cdc8eca436a357cf13d1

C:\Users\Admin\253086396416_6.1_Admin.ini

MD5 65afa83001750f48b3c1bf02241129eb
SHA1 ce386ad973ebd75388015558323e727f0dd6ebd4
SHA256 d1c45d8afc2b87b17040e2f715d772d29a1898048d4784916123111a8eb0ece2
SHA512 c3f2b1c54ae38919de91a6df9483de4ad117fcffe81754a5ac407506bbb0d9cf4d9fef0a672d5000c0a94d9444e436de2b860ccaecb6ceb5c4d19fc888d24f87

C:\UserDotK9\xbodec.exe

MD5 1dc38781176be25e3600c2ded876f946
SHA1 3301054c4f6ccb51a665c95923843147d4b8e0da
SHA256 507947cde9fe9100bc6973b1cd88a51966a55c85564cb795a4b5679c51754741
SHA512 60f14fae2b0b05856cb44436c2e6b9fa567efe08e13e3db85e15925e3313c4a51202f7adbbade58a9e7bb766072cc10ad6a063cc7978b4204104d140281ac016

C:\Vid2B\bodaloc.exe

MD5 6e39c2b845e876b0ed80dd21033084e1
SHA1 1f5ef2476f191f31f4031475a68b15e2167cce15
SHA256 8947e739c341a7af6c31010f252ff99ffb11e7c10850078bee19d9e284e15eed
SHA512 5a575ea5210b981734b4f92037e44e28ecd2e1598d5f0c61fc074f4f761adf1ad7d35f1a74cbda099b4067c46d8d4a3bc271382defc8c3dffbea242d87b30170

\UserDotK9\xbodec.exe

MD5 e81304f18b262cfb5883a916eff7aa01
SHA1 32d2ae042d6b105d208c0fd1dc797aef8fa36085
SHA256 640c9d0906d02b843944875941cbab6f30204f1f4bd7a7a42f89100218ed086e
SHA512 622864b1099785eb3a0885c8a7faf9fbb5b02966534cb78a8e8093a668aac56d6356f5d2b8f1807c8a1a8464d13d6c5a4c4937f0e97ff7ecf533012fc986a07c

C:\Users\Admin\253086396416_6.1_Admin.ini

MD5 b875f1ababf6c10a134628e46fb02260
SHA1 e0196465319bcfd2848099bc262ddccab5119221
SHA256 fb564aa85216bbf7b83e2e00c24151817c8ec269ea17bc82d6c2f1f00e094373
SHA512 8c1ff915814580294436697a92effaf00ea5ea555b5a52e1bbbd3011d2c896779095ff12781fe3a51e4316e664b0edfadd48cfd38a954cd7ebb61f4087efc011

C:\Vid2B\bodaloc.exe

MD5 ebef48138c153b4db5866b3d2cea6e9d
SHA1 c39d69a4435f466ab30c2dc1b58828be325a9860
SHA256 166834794c8228d52e678eae929251e41fb679be515442dd507d4cfb3462e743
SHA512 9af7b1a6f9d04d70b02c5b4e98514df1466e14b6b7439deff79b85a5b44f7740d05713e30a5e47d9cf04af572e480fc056cccb29da963aa673d685c59e7b0b48

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 04:24

Reported

2024-06-13 04:26

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe C:\Users\Admin\AppData\Local\Temp\5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe N/A
N/A N/A C:\IntelprocFU\devoptiec.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocFU\\devoptiec.exe" C:\Users\Admin\AppData\Local\Temp\5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ36\\dobdevec.exe" C:\Users\Admin\AppData\Local\Temp\5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe N/A (4 identical events)
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe N/A (30 identical events)
N/A N/A C:\IntelprocFU\devoptiec.exe N/A (30 identical events)

As on Windows 7, the two dropped copies enumerate running processes repeatedly while they run; no indicator (target process name) is recorded for any of these events.

Processes

C:\Users\Admin\AppData\Local\Temp\5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5e1c8de89597847d39f9443b7bd03160_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"

C:\IntelprocFU\devoptiec.exe

C:\IntelprocFU\devoptiec.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

All of this traffic is consistent with Windows 10 background activity on the analysis image (Bing connections to Microsoft and Akamai ranges) and the sandbox's own reverse-DNS lookups of the addresses it saw; the report attributes none of it to the sample's processes, and neither detonation recorded a command-and-control or exfiltration endpoint. Absence of traffic in a 96 to 150 second run does not rule out later beaconing, in particular from the RunOnce entry, which only fires at the next logon.

Files

As in behavioral1, a path listed twice with different hashes (C:\IntelprocFU\devoptiec.exe, C:\LabZ36\dobdevec.exe, the .ini) was written more than once during the run, and each hash is a distinct content version. The .ini name carries this run's Windows version (10.0) in place of the 6.1 seen on Windows 7, with the same constant prefix and user name.

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe

MD5 88c42fbd28eed6898c86e0a12489155d
SHA1 13569bd81d69f3a43c31bbd8fc2ab050984dce4f
SHA256 1eaba797348d4b58df309de541a06cd2a7396ef95a0d32961976f469936b3c04
SHA512 52e53bcecefdb7dd8d84528598c2174d18e0bf9dfb9218b42d52d801d761c4ce1c4cbec682955e96c039ae457cee8b497025e0fff45d6e301331c10fbd4b5713

C:\Users\Admin\253086396416_10.0_Admin.ini

MD5 e90df232ec7d919d78029857aca3d7db
SHA1 7b9b5d60c8e33ed2cd164ddc4d358c6c2f0d8dc4
SHA256 23410bcbb8999043cf573d56f9c415ea408cc347835db57c45db417d7e9d4ad9
SHA512 f253f2bd85c49504700e81e0a08f015e4529dcfe8c8c32fe36b0141e87d8b3b281ef1b4f2b3a8f70150d7b1d8307e0fae0e1a3ca59913f409da9750611786599

C:\IntelprocFU\devoptiec.exe

MD5 c4f83f89913d922645c736eca3a7d7c0
SHA1 e7abf0d004e66cd4e9bd82cad6027f5257f0dccf
SHA256 71d500d6c794da9230f8dde91cd41d6de5af59fea5eb4b1140e89914afa08bde
SHA512 1b93dac85ca2e7713977cca57705fdfeeb470dc1d9b72eb4858a2f5d30ff0c64b234425491f7576f3afb4627d41391f5237bbe75e3a8d9c9913f8014e505d595

C:\IntelprocFU\devoptiec.exe

MD5 36dc548713e327e5d194c946b1dd8b4f
SHA1 667a693c695074b8e496b9c1b4ceac8fb16b96e4
SHA256 926cba8c61e26c002f29a068df048b89bd76366e879c7a10dfaed734d17932f8
SHA512 e007655f7fe1ef74e390f3e8c61488b837c467de24c5bd2b452c0ae83eab70f5c1fb54c730f14e4a3746f931ebc37852d4d5c50bc722540fb75b5e9b790a398c

C:\LabZ36\dobdevec.exe

MD5 b42aceeb7d6026522214786e59f568eb
SHA1 119a53f62efdbe60109ec165bdc5cbaa4e1f10fd
SHA256 82c2b77061151e3f5388562591a5f1b5f429adfbb897ebe184f36ef36de58549
SHA512 94949c4a45c20eaea2c173b6adc340fdc31bedcec3dc915f90eb31ea2bb850f1345592ba93330bb023829cc0a1fc5738070b12b9b62c94b70395b05537d7ed79

C:\Users\Admin\253086396416_10.0_Admin.ini

MD5 75e17df605a4bc141e54df12e60868b2
SHA1 232fa44e3890b2f0df87f200ae265ce725cd46dd
SHA256 6443b15bf2d29e46fb5a6c52849617558e90d67ba048b6232d7927caa2dabbd3
SHA512 74189d2fd1e3737c1bf396efc28a86cef76faab9ad675fe97820e122f062a3742e7863113efb684c3ab690e02ccb40b6c2dffade4c28c95753e3f6ae8c961ac0

C:\LabZ36\dobdevec.exe

MD5 f23ada096c7adffd47957ad97468d399
SHA1 c50b77a9a9105b8ffe2684eb9748c4aabb789354
SHA256 0122af29b48c157ddfeb2daf79d543072119c7368fa0a811c2d35340416fa3f3
SHA512 bfa83b3b79ea4baefa4e67423807594b627d0bba13b99ebd51a22408dc1d264b4c20b7bed9acb7ac1acac32e5d16b2403195e7422a4222128a7605485ad410a0
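Turning the Files sections of both detonations into indicators is mostly a matter of parsing this report's plain-text layout and then noticing which paths carry more than one hash and which file names encode the host's Windows version. The following is an added example, not code from the report or from the sandbox vendor; the parser assumes the layout used above (a path line followed by MD5/SHA1/SHA256/SHA512 lines, records separated by blank lines), and the embedded text is a constructed excerpt of the two Files sections.

```python
"""IOC extraction from the Files sections of this report (added example).

Not code from the report or the sandbox vendor. It parses the plain-text
layout used in the Files sections (a path line, then MD5/SHA1/SHA256/SHA512
lines), validates hash lengths, collects the distinct SHA256 values, flags
paths that were written with more than one content version, and pulls the
Windows version out of the <digits>_<version>_<user>.ini name the sample
writes. SAMPLE_FILES_TEXT is a constructed subset of the behavioral1 and
behavioral2 Files sections above.
"""
import re
from collections import defaultdict

HASH_LINE_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
INI_NAME_RE = re.compile(r"^(\d+)_(\d+\.\d+)_([^\\]+)\.ini$")
DRIVE_RE = re.compile(r"^[A-Za-z]:")


def parse_files_section(text):
    """Return one {'path': ..., 'md5': ..., 'sha256': ...} dict per file entry."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).lower()
        else:
            current = {"path": line}  # any non-hash line starts a new record
            records.append(current)
    return records


def normalize_path(path):
    """Drop the drive letter and case so both spellings of one path collapse."""
    return DRIVE_RE.sub("", path).lower()


def summarize(records):
    """Distinct SHA256s, paths with several content versions, .ini OS versions, bad hashes."""
    invalid = [r for r in records
               if any(len(r[h]) != n for h, n in HASH_LENGTHS.items() if h in r)]
    versions_by_path = defaultdict(set)
    for r in records:
        if "sha256" in r:
            versions_by_path[normalize_path(r["path"])].add(r["sha256"])
    rewritten = {p: sorted(h) for p, h in versions_by_path.items() if len(h) > 1}
    ini_versions = set()
    for r in records:
        m = INI_NAME_RE.match(r["path"].split("\\")[-1])
        if m:
            ini_versions.add(m.group(2))
    return {
        "unique_sha256": sorted({r["sha256"] for r in records if "sha256" in r}),
        "rewritten": rewritten,
        "ini_versions": ini_versions,
        "invalid": invalid,
    }


# Constructed excerpt of the Files sections above (SHA512 lines omitted for brevity).
SAMPLE_FILES_TEXT = r"""
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe

MD5 3185709dc78f047c88e0d6cc7916eb46
SHA1 3b7b8e98a3a55f8432951e5caccce5ccb75e9d16
SHA256 ae23b91f627cbc61ca37b6c0e9ebef1552e834dd617c7f0361818f8040c55e5a

C:\Users\Admin\253086396416_6.1_Admin.ini

MD5 65afa83001750f48b3c1bf02241129eb
SHA256 d1c45d8afc2b87b17040e2f715d772d29a1898048d4784916123111a8eb0ece2

C:\UserDotK9\xbodec.exe

SHA256 507947cde9fe9100bc6973b1cd88a51966a55c85564cb795a4b5679c51754741

\UserDotK9\xbodec.exe

SHA256 640c9d0906d02b843944875941cbab6f30204f1f4bd7a7a42f89100218ed086e

C:\Users\Admin\253086396416_6.1_Admin.ini

SHA256 fb564aa85216bbf7b83e2e00c24151817c8ec269ea17bc82d6c2f1f00e094373

C:\Users\Admin\253086396416_10.0_Admin.ini

SHA256 23410bcbb8999043cf573d56f9c415ea408cc347835db57c45db417d7e9d4ad9
"""

if __name__ == "__main__":
    summary = summarize(parse_files_section(SAMPLE_FILES_TEXT))
    print(len(summary["unique_sha256"]), "distinct SHA256 values")
    for path, hashes in summary["rewritten"].items():
        print("rewritten:", path, hashes)
    print("ini versions:", sorted(summary["ini_versions"]))
```

Normalising the drive letter is what makes the two xbodec.exe entries collapse into one path with two versions; without it the second copy looks like a different file. Feeding every hash into a blocklist is the right call here because each one is a real content version the sample wrote, but the per-run file names should not be, since both detonations show they are regenerated each time.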