Malware Analysis Report

2024-11-15 06:34

Sample ID 240613-eddt4axamm
Target 5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe
SHA256 026c597d45d928e26b89bf7931592333194b8771ae0c3fba0c57f1a3add20f3f
Tags: persistence spyware stealer
Score: 7/10

Analysis Overview


Threat Level: Shows suspicious behavior

The file 5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Drops startup file

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-06-13 03:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 03:49

Reported

2024-06-13 03:51

Platform

win7-20240508-en

Max time kernel

150s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe C:\Users\Admin\AppData\Local\Temp\5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe N/A
N/A N/A C:\Adobe0S\xoptiec.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe0S\\xoptiec.exe" C:\Users\Admin\AppData\Local\Temp\5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintP0\\dobaloc.exe" C:\Users\Admin\AppData\Local\Temp\5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe N/A
N/A N/A C:\Adobe0S\xoptiec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2980 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
PID 2980 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe C:\Adobe0S\xoptiec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"

C:\Adobe0S\xoptiec.exe

C:\Adobe0S\xoptiec.exe

Network

N/A

Files

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

MD5 afef198d37ebcbd3d8ab23da3dc389ce
SHA1 4b2e7f0a0fdcb763c57a062a48afd2e3c9b77eff
SHA256 4ed8d09b751c1ebf00d444d33682f5be91813a1873d328cf9743a35203de9eec
SHA512 6d6578a1b89cfd02de329576e51b44590e10fceb645532c45877ed71d6faf1a010c647b5a2654a9d159610435597b156d43790bb030fc6a4325d0d5ff407052f

C:\Users\Admin\253086396416_6.1_Admin.ini

MD5 5ef5e9b153c6c06228b95a709a8abd67
SHA1 f803c837f534f91a8afbc95d5cce7bbb2266464e
SHA256 67878f4eac93250baa7de5f609bac7b0668d1881c1b428e07ceb7403acce2852
SHA512 cf2d910d6f6e6e765715a0f128bb22bf1ef93a86d07a4c2d0d1088c0231bab7d7533855018ce593af98de36447adbdd3e3c8d64055f4b21b8f71e53fe2bb0eae

C:\Adobe0S\xoptiec.exe

MD5 7a468c233bf617ba35ce3fe9269a40bd
SHA1 19039095dbc3ec6e97bc2c1dd095d4ed12140864
SHA256 d789e1524f91c818961647f84e6c413b004469b235d2b4b383cfee051af45590
SHA512 9bbaa924cbc7a7e59002ef270e9b76c820f057102f34d135bace9724018d1028aca393b3066f066573a1e21f15acafd40eb8fab18a549548a587da615d3ee445

C:\MintP0\dobaloc.exe

MD5 1158f86a0845ee6fe9ce7b682fd51439
SHA1 caf9890ab05a6eef87827bb3ab60eaee3b254faa
SHA256 3d1f80bce336609701c74a291ec5f27ae76b198dfc51fe6615349996dcba8ab1
SHA512 3820fa06d8911561113535b4e01a0e4a3bcb87a566762f0995074fdd561e824454613a36d5347004f0370ff27867df4f962f498ca63e8e4b5e82c935860d3503

C:\Users\Admin\253086396416_6.1_Admin.ini

MD5 2b195f8d7a534217008bf5186a79f723
SHA1 243e8aaef3c64a07175e8b88c158c525cc351f30
SHA256 cc2f4cbc8b1691232af154545a4c5c5674cdc642f29d64cd45917e188e31fe6e
SHA512 bd14b180768affed52c27780bc594a1b4534422e362a47933fc68c48851b89423f048b7205e932140becdb2a72c98ef975eb3ceabbec4b98a52bc9cf2cf200e7

C:\MintP0\dobaloc.exe

MD5 a73a05a48f486fba0fd8eed601b3b15e
SHA1 7802ed77b26f5a50c06521d0bedfbcb2c2707479
SHA256 f9549bdab954b9c50d6bdc3120de9a93125561daa67b0884ee626c2898a4b9ea
SHA512 2b2577e1b90809d0ebfdc81bffae3c264aa44885d08dc83979c2514c2c8fdefc52bdf24469f3c5f42e200725066b6525256cebf7d31a02949d79d47a0eef7115

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 03:49

Reported

2024-06-13 03:51

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe C:\Users\Admin\AppData\Local\Temp\5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe N/A
N/A N/A C:\Files97\xoptiloc.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files97\\xoptiloc.exe" C:\Users\Admin\AppData\Local\Temp\5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintE7\\dobaloc.exe" C:\Users\Admin\AppData\Local\Temp\5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe N/A
N/A N/A C:\Files97\xoptiloc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5c08244a62b4d0b537912c76aac4c750_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"

C:\Files97\xoptiloc.exe

C:\Files97\xoptiloc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe

MD5 b822fb89aed1bfa6e460b0409d15dfb8
SHA1 a4754e5706a83698383e4e841303f8a2bd660e02
SHA256 a90e9847977228d0fbb268bd6ec74222f6108293ba0615b3842487dacd4d30d4
SHA512 c19b40aa9c5942bf7a7cf6a27c7f2d2c4001a4c23d6a615a836c04dea1dcba5330bbf346bc0f222e58d0e554920976f9527e2e79d92fc0c77c50c6c29fb7cb00

C:\Users\Admin\253086396416_10.0_Admin.ini

MD5 f9558f891c8a1ef7ba064bdee2c43839
SHA1 de3618ce5743aa4fcbdaed37598394f4348d76d4
SHA256 002f96c97042ebcc8f477720f87b61bf51b2d271cdb9ad6e1d504e18753c819b
SHA512 a401c947f6f8a14aab261fa08a5d9cf9ed0f3fac9f916a973bec62aa7e27dec43d984df257f4b7351641a0e001c683e59267ed8fdb51de0e8dad403801897f7c

C:\Files97\xoptiloc.exe

MD5 df281bfeed20966154202479017c5833
SHA1 4bf02ba05985093e394a2a23df43add0038675b9
SHA256 5413f4323302e1679a11a57735e607bb6ff9d272be4b1c4c1760047c276d331a
SHA512 a99e6ed87160371c89e4227c2f969aede9f83aa0e79fc383e7ec10c798f9bcbda8c8724403693b72590bdd31c583835bb832da6dc5552d02abbd633c705ca590

C:\Files97\xoptiloc.exe

MD5 9138a7243c40092ed1843c64e0925d99
SHA1 3d199c8a7234750e950f0a8ad05c1cb56c3b2bb1
SHA256 15fdb69c12a6910874423bbad389a9017b27f8997e8981d4fe10a5fe288f08df
SHA512 eed6557044c431910f83d7bbe8263c914d22a870d41ff26e198f33c501f40f96097cdb860bdbbdb3d458d0bb3724b8aacafe2c311db911fe574c2c4fe1aadbb9

C:\MintE7\dobaloc.exe

MD5 c154fed2ae3c7a19cab82c777f1b2e52
SHA1 6e34d7cabc2af9ee235b29ce05c0819d4bd27593
SHA256 43b908b5a992193164bf5e4ba7249aa82dca4c898151bdf0edcd154c5d91ddc9
SHA512 fdc57705b714084ae2223c208cf0a409ae2e2f6037808869a2dcd4121cfdc204ec9a169d542c2234a3875f7e6d8261de0b5f774f75bcb2ef7addc3b7fd0388ab

C:\Users\Admin\253086396416_10.0_Admin.ini

MD5 f35923818eebaa8a99296c8c1782e7dc
SHA1 bf6bc089f9cbf12d9ebbb779127bcfb0de04ffd0
SHA256 630d9e36d71b9b8d9dc765991eeb57c9fea941e70a1d1bda05ea2b08e87e5e45
SHA512 a5282380e2366efbb4ffb41f58b7dfac1e25a36a069be359c157475f1669d6f05700b2ad67507220fdafecd44cce92908ba2108f8bc1de079841aed3bb57407d

C:\MintE7\dobaloc.exe

MD5 2b5e1c56a9666a14a1330e7a47ec7e48
SHA1 bf34ab7d17ac4425015d54e4e5a9a1434443f44b
SHA256 fe0d140ad955b1cf0a97f2fc41de8ec133905956e919b1f950590010e6f1852f
SHA512 caf33f86a89e9e3e995fd86965bcfb444653f5559dfc5a477613e3fd9f47bc6f5d32b9b4086239b1b02099c1a6714a83718f04a5656ca2ba18c20d7fd651dc49