Malware Analysis Report

2025-08-11 00:07

Sample ID 240513-h122zseg77
Target a4c17572ec457f0bc43ec43a580e5a40_NeikiAnalytics
SHA256 f3a1f166cbc20b41f7c4a6b9934866909a210a49dab03ae82b01b569c21ae979
Tags evasion persistence trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 f3a1f166cbc20b41f7c4a6b9934866909a210a49dab03ae82b01b569c21ae979

Threat Level: Known bad

The file a4c17572ec457f0bc43ec43a580e5a40_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

evasion persistence trojan

Windows security bypass

Modifies Installed Components in the registry

Sets file execution options in registry

Windows security modification

Executes dropped EXE

Loads dropped DLL

Modifies WinLogon

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-05-13 07:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-13 07:13
Reported 2024-05-13 07:15
Platform win7-20240221-en
Max time kernel 149s
Max time network 119s

Command Line

winlogon.exe

Signatures

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{484B554C-4249-4255-484B-554C42494255} C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{484B554C-4249-4255-484B-554C42494255}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{484B554C-4249-4255-484B-554C42494255}\IsInstalled = "1" C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{484B554C-4249-4255-484B-554C42494255}\StubPath = "C:\\Windows\\system32\\avdonep-ouceas.exe" C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\aphided.exe" C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
N/A N/A C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\updooris-oced.dll" C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\aphided.exe C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
File created C:\Windows\SysWOW64\avdonep-ouceas.exe C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
File opened for modification C:\Windows\SysWOW64\updooris-oced.dll C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
File created C:\Windows\SysWOW64\updooris-oced.dll C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
File opened for modification C:\Windows\SysWOW64\oxsutuk-oubom.exe C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
File opened for modification C:\Windows\SysWOW64\oxsutuk-oubom.exe C:\Users\Admin\AppData\Local\Temp\a4c17572ec457f0bc43ec43a580e5a40_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\oxsutuk-oubom.exe C:\Users\Admin\AppData\Local\Temp\a4c17572ec457f0bc43ec43a580e5a40_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\aphided.exe C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
File opened for modification C:\Windows\SysWOW64\avdonep-ouceas.exe C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a4c17572ec457f0bc43ec43a580e5a40_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2964 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\a4c17572ec457f0bc43ec43a580e5a40_NeikiAnalytics.exe C:\Windows\SysWOW64\oxsutuk-oubom.exe
PID 2816 wrote to memory of 436 N/A C:\Windows\SysWOW64\oxsutuk-oubom.exe C:\Windows\system32\winlogon.exe
PID 2816 wrote to memory of 1156 N/A C:\Windows\SysWOW64\oxsutuk-oubom.exe C:\Windows\Explorer.EXE
PID 2816 wrote to memory of 2620 N/A C:\Windows\SysWOW64\oxsutuk-oubom.exe C:\Windows\SysWOW64\oxsutuk-oubom.exe

Processes

Process Command line
C:\Windows\system32\winlogon.exe winlogon.exe
C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\a4c17572ec457f0bc43ec43a580e5a40_NeikiAnalytics.exe "C:\Users\Admin\AppData\Local\Temp\a4c17572ec457f0bc43ec43a580e5a40_NeikiAnalytics.exe"
C:\Windows\SysWOW64\oxsutuk-oubom.exe "C:\Windows\system32\oxsutuk-oubom.exe"
C:\Windows\SysWOW64\oxsutuk-oubom.exe --k33p

Network

Country Destination Domain Proto
US 8.8.8.8:53 lkgvyaligrgpw.kr udp
US 8.8.8.8:53 lkgvyaligrgpw.kr udp

Files

\Windows\SysWOW64\oxsutuk-oubom.exe

MD5 a4c17572ec457f0bc43ec43a580e5a40
SHA1 834952a6aab16fcef9a4fd9aa28227e40d9161f3
SHA256 f3a1f166cbc20b41f7c4a6b9934866909a210a49dab03ae82b01b569c21ae979
SHA512 582b5e3983bd7c80818e274896b02a9408a4b74a9381d7c29ae7d7c3a59a8ecd18ff9f67ea53543f4f390fb0df648ce8cfc0e6a7095c8ea24489cfd3ca594d3e

memory/2964-10-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Windows\SysWOW64\avdonep-ouceas.exe

MD5 55b233372ea7209b374b741e90c7991a
SHA1 ab196cb8b61bb02833395704a72af1979a3ed377
SHA256 ac441d801f1cc4d7dfee3af053baa5bf04cbde85944e924fd81601e40819adb1
SHA512 541ed8365cee91bc7478066ba491b0115e1658e0026575ff17cb25d78322eacab0496fdf42a201a4dfd90a212c8102227b123544f12a73b1e5f75841c7b3d36b

C:\Windows\SysWOW64\aphided.exe

MD5 789e78b79b00f1b393eac16dbecf680d
SHA1 1e6daa1081b73d00ecd1cf8763f5a7ec34ec934b
SHA256 73891580083e7a41d7f8d39253d9d50de27d0b2e0c440d96a23680390f1ed99f
SHA512 9edebf4373a8c66f67cb0cb38a82fcab6cf7967535a1fddf3c8f9d65f83fda01537e413efbd9f914c5a954a9fba2a74f6f7eab3e60db080b634715ebc096fb82

C:\Windows\SysWOW64\updooris-oced.dll

MD5 f37b21c00fd81bd93c89ce741a88f183
SHA1 b2796500597c68e2f5638e1101b46eaf32676c1c
SHA256 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

memory/2816-55-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2620-56-0x0000000000400000-0x0000000000414000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-13 07:13
Reported 2024-05-13 07:15
Platform win10v2004-20240508-en
Max time kernel 149s
Max time network 135s

Command Line

winlogon.exe

Signatures

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47534147-4d48-4351-4753-41474D484351} C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47534147-4d48-4351-4753-41474D484351}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47534147-4d48-4351-4753-41474D484351}\IsInstalled = "1" C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47534147-4d48-4351-4753-41474D484351}\StubPath = "C:\\Windows\\system32\\avdonep-ouceas.exe" C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\aphided.exe" C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
N/A N/A C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\updooris-oced.dll" C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\aphided.exe C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
File opened for modification C:\Windows\SysWOW64\avdonep-ouceas.exe C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
File created C:\Windows\SysWOW64\avdonep-ouceas.exe C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
File opened for modification C:\Windows\SysWOW64\updooris-oced.dll C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
File created C:\Windows\SysWOW64\updooris-oced.dll C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
File opened for modification C:\Windows\SysWOW64\oxsutuk-oubom.exe C:\Users\Admin\AppData\Local\Temp\a4c17572ec457f0bc43ec43a580e5a40_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\oxsutuk-oubom.exe C:\Users\Admin\AppData\Local\Temp\a4c17572ec457f0bc43ec43a580e5a40_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\aphided.exe C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A
File opened for modification C:\Windows\SysWOW64\oxsutuk-oubom.exe C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a4c17572ec457f0bc43ec43a580e5a40_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\oxsutuk-oubom.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3916 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\a4c17572ec457f0bc43ec43a580e5a40_NeikiAnalytics.exe C:\Windows\SysWOW64\oxsutuk-oubom.exe
PID 4640 wrote to memory of 612 N/A C:\Windows\SysWOW64\oxsutuk-oubom.exe C:\Windows\system32\winlogon.exe
PID 4640 wrote to memory of 3532 N/A C:\Windows\SysWOW64\oxsutuk-oubom.exe C:\Windows\Explorer.EXE
PID 4640 wrote to memory of 3316 N/A C:\Windows\SysWOW64\oxsutuk-oubom.exe C:\Windows\SysWOW64\oxsutuk-oubom.exe
PID 4640 wrote to memory of 3316 N/A C:\Windows\SysWOW64\oxsutuk-oubom.exe C:\Windows\SysWOW64\oxsutuk-oubom.exe
PID 4640 wrote to memory of 3316 N/A C:\Windows\SysWOW64\oxsutuk-oubom.exe C:\Windows\SysWOW64\oxsutuk-oubom.exe
PID 4640 wrote to memory of 3532 N/A C:\Windows\SysWOW64\oxsutuk-oubom.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\a4c17572ec457f0bc43ec43a580e5a40_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a4c17572ec457f0bc43ec43a580e5a40_NeikiAnalytics.exe"

C:\Windows\SysWOW64\oxsutuk-oubom.exe

"C:\Windows\system32\oxsutuk-oubom.exe"

C:\Windows\SysWOW64\oxsutuk-oubom.exe

--k33p

Network

Country Destination Domain Proto
US 8.8.8.8:53 ywacgls.vg udp
DE 88.198.29.97:80 ywacgls.vg tcp
US 8.8.8.8:53 utbidet-ugeas.biz udp
US 54.157.24.8:80 utbidet-ugeas.biz tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.29.198.88.in-addr.arpa udp
US 8.8.8.8:53 utbidet-ugeas.biz udp
US 54.157.24.8:80 utbidet-ugeas.biz tcp
US 8.8.8.8:53 8.24.157.54.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

C:\Windows\SysWOW64\oxsutuk-oubom.exe

MD5 a4c17572ec457f0bc43ec43a580e5a40
SHA1 834952a6aab16fcef9a4fd9aa28227e40d9161f3
SHA256 f3a1f166cbc20b41f7c4a6b9934866909a210a49dab03ae82b01b569c21ae979
SHA512 582b5e3983bd7c80818e274896b02a9408a4b74a9381d7c29ae7d7c3a59a8ecd18ff9f67ea53543f4f390fb0df648ce8cfc0e6a7095c8ea24489cfd3ca594d3e

memory/3916-5-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Windows\SysWOW64\aphided.exe

MD5 9a3449318066df659cc42836e92dc6e3
SHA1 efdab433e9481b7dc0aff75521a8d4bb9503acd6
SHA256 5c29d2df190bbf5bdc7e7777d6bddc91a31e431c359b84a0179be5966b903af8
SHA512 e707a2e13e78f89ce418e8639df3b2d4da3cb3523e9a1766eb7de2798b7ccfe914d726bc8c78e5cbac3da0b76550e0a928c03a207f88e761c87987d939c7fa91

C:\Windows\SysWOW64\updooris-oced.dll

MD5 f37b21c00fd81bd93c89ce741a88f183
SHA1 b2796500597c68e2f5638e1101b46eaf32676c1c
SHA256 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

C:\Windows\SysWOW64\avdonep-ouceas.exe

MD5 4d904423320400d1908644dad9090747
SHA1 a3135844c1513b9475861e779fccdc8c933b1705
SHA256 e0d80be3f8f03257f07bdaf169f240dbb22987c218e98b5f2397131ad074fd80
SHA512 e5a03228e5220fe2dbfe6c56237de62ff1b5e010c9d3c6ec27907ecc4dc140606b8b6c4e81514a11c5a711e9512f0d6935699c1db391c63305687f379993ae71

memory/4640-49-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3316-50-0x0000000000400000-0x0000000000414000-memory.dmp