Malware Analysis Report

2024-11-30 05:56

Sample ID 240614-hf4ebayepg
Target a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe
SHA256 d79c4c4d526bbe186769da5b28e847c6fd0cf5a3f6439037ee850c15a48e3fc0
Tags
persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

d79c4c4d526bbe186769da5b28e847c6fd0cf5a3f6439037ee850c15a48e3fc0

Threat Level: Shows suspicious behavior

The file a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

persistence spyware stealer

Drops startup file

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 06:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 06:41

Reported

2024-06-14 06:44

Platform

win7-20240611-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe C:\Users\Admin\AppData\Local\Temp\a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe N/A
N/A N/A C:\FilesNH\devdobsys.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesNH\\devdobsys.exe" C:\Users\Admin\AppData\Local\Temp\a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxW4\\optidevsys.exe" C:\Users\Admin\AppData\Local\Temp\a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe N/A (2 identical rows)
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe N/A (31 identical rows, alternating with the row below)
N/A N/A C:\FilesNH\devdobsys.exe N/A (31 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 816 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe (4 identical rows)
PID 816 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe C:\FilesNH\devdobsys.exe (4 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"

C:\FilesNH\devdobsys.exe

C:\FilesNH\devdobsys.exe

Network

N/A

Files

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

MD5 2aa65e56ae8a96d18f54b6c75bc596aa
SHA1 8fa3d11f5e301c1ad47d5018fca96e3afd352843
SHA256 4b2e20487678cc6420aab78b9815b17aa3ad1cc1ac6bb8edb3364ad8672cc174
SHA512 c8ed94b3b7e500a3356b712da34c20a373581132eb79834f1e0b2ddc7b93de7cec386ef226ec443fa89371b96e3813e82c556650d3cec34588210ecbf899e760

C:\Users\Admin\253086396416_6.1_Admin.ini

MD5 d1dff0904a8984a3549a33ba48663046
SHA1 5a0855418a68801cb27eb478481cc0606898c2b0
SHA256 78005de5783d8e7f62bf3a15dd45c97d19f344db5458a51de1e7a405ef2c442a
SHA512 3aa512acf83a04055ceb3fd3755a5ebba3beeaf4a32eec2cc5d29a40a74606f8f5dcf04632a8cb0d6d49359802755e51c046f3a6d8cdbd947605c15b32eef38d

C:\FilesNH\devdobsys.exe

MD5 58d490ae112f8ca92229d810911e938f
SHA1 eeceaad69ba15569ff53a568092aca4f5717875b
SHA256 9c4f05c69841a561c8623138a52ffdb5b05702b8aea88cad95432dd2d741951c
SHA512 13ee4dfd2f85acc9df685c3af8e3a998402154169422ab1a3476a431648fff3da19786aad3a732d73325723b09f3d623f9ed58501a2752877f9f0091f30ce809

C:\GalaxW4\optidevsys.exe

MD5 f3610061718960f1ee41d7eb46061725
SHA1 568a10c2bfef4bbdd4cc785b79622c864a36bb44
SHA256 0548192f11fd60cde9ed64e6503bfc685474d51a2827882aeb74093d5ca2345a
SHA512 a44ea16930e35413ab3380dfe3a0bf376d607135f96264552f1214fbeae0cc31a69edb7f1199db7db5257a9b914d676ccd70f32f554d63a5fd9bd51d2487661a

C:\Users\Admin\253086396416_6.1_Admin.ini

MD5 360852f022979609c5317969978c48be
SHA1 6c1dd03628f712690457f674964e6f0e1d3c1bcd
SHA256 5693755ecf5eab27806aaa6562f84fcbfea255cb22d983228f056af4ee2e6a8b
SHA512 34fedec32cf010aa1886fac1c43f5b77174402f3391e64408fdce82a9bd48fb29d0d8d7c5fd5cfd46a046104e2674ef60f927391c0b98aca38e3ad4af25b7e72

C:\GalaxW4\optidevsys.exe

MD5 59f9bc992b2a8ab2aeb9fbe2107c0388
SHA1 22bc93ed8834b26595ed04ee5561cd2cf320e785
SHA256 740bfa163df2579d0cf64bab737529ff3c27854d0912965bec2ea2a57863834d
SHA512 39284fb651e09fbe1c0399226b8e1b4e0193b14dde6bd72c49a540037ebb9dedb078fba37aee4de87ec0ca5fda6bd8ad02374fe6cbad622f4dc2dae2e10e2211

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 06:41

Reported

2024-06-14 06:44

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe C:\Users\Admin\AppData\Local\Temp\a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe N/A
N/A N/A C:\SysDrvBF\devoptiec.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvBF\\devoptiec.exe" C:\Users\Admin\AppData\Local\Temp\a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxSK\\bodaec.exe" C:\Users\Admin\AppData\Local\Temp\a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe N/A (4 identical rows)
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe N/A (30 identical rows, in pairs alternating with pairs of the row below)
N/A N/A C:\SysDrvBF\devoptiec.exe N/A (30 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a9f5ca7ebb7f8249faffc03cea8caec0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"

C:\SysDrvBF\devoptiec.exe

C:\SysDrvBF\devoptiec.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4292,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4160 /prefetch:8

Network

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

MD5 8a42cd690db90e12b428154c1b74db0e
SHA1 a47371f4eae7f17901bc98b6da162bee047c7b52
SHA256 416e9a092655bf9b3bc38177d4d5d34b445129fa10118ea540d896cad18b8284
SHA512 10063c423050075c05769b98a0a69e5f32fd2822dad24a48a089333edc40101b27039e249aacc6b37e27b055436b0d2f868af3e08b0fb7d1994a20d2808b397c

C:\Users\Admin\253086396416_10.0_Admin.ini

MD5 3e56c615370603e664731d73f08f7b66
SHA1 520e770ec18073b3af9d893df78d42deb743b0bb
SHA256 bfe931248856e3a64c32d4d54599dfb6b81b89754e056735a6ce300d7d432e30
SHA512 acb38bac51af66bbef06d17c90049948a736bdd3fef2fc318932687c88f4e75612ff1ceb2f697d0f84901fbe7d1131439ca76d1ae479bf0007250976d3a708cc

C:\SysDrvBF\devoptiec.exe

MD5 7004ea328c7b101287e2456b4e333d73
SHA1 3b7887fdc7cdb58e7ffe2532576e3f008b5dc783
SHA256 66c2aeb8eda8c2d068ba31ce6c0b96b19dcc77370fb47d633d7b0e563f1472bc
SHA512 f8d29d10bbb5f33d905f89ed33277d272b772411f0789641fa17c4f835cf29c074eee0eaf89c1dee0677fbde80fc702b9a153900fa736fd8b01629ce79cb37bd

C:\GalaxSK\bodaec.exe

MD5 d6f9d74b2613cd1c0323afa671e9857e
SHA1 2030660277a973271324c4027cc8175196d58fc8
SHA256 e99211329672d48bd212dfb3671fb1f5a23fbacd92f5a6afddbaca116c236257
SHA512 09046d06988f0f1ea1bd0cfdff81553c8e3b223a029f06fa40e97586c107d394a188eb269fa30a82ecb96abe0f45b39a48f349f2a5af7fa7a7a851966213f634

C:\Users\Admin\253086396416_10.0_Admin.ini

MD5 c3af3a767cd1530ab978f92d5cc310c4
SHA1 5262a31189f9a7cb1781612992badf75db0e8944
SHA256 6b711be347e28b9e43fc25e534e50afc4fb55a846a0198248efe7525cd436a5c
SHA512 82970dd2f5ef4d1b63b6026b02890e92df7544b047f897355bc8b8e196b2eba80a0435fce8ed720ed1488d36af0a597d85f2e5a320f09ba1620a4bb5d286fd57

C:\GalaxSK\bodaec.exe

MD5 7d8fc219cd7e52b50a3382dee3388ea3
SHA1 69d67251951b0ad0898bf28882977c92cdfdf97a
SHA256 d81ddce14eccceaf866eac9274774f6c46e75fd29c16bf32ce1115b494149a2c
SHA512 e50caf5a0078dec7f44b93c34f05e8bc8b78427b85f32106ec7b864c376e81065d70fce34865abee587fc43a62c632f3394bf75c6cd54034cdeb243ef74806fe