Malware Analysis Report

2025-08-11 00:04

Sample ID 240525-14sxlach36
Target 285b26a0c32b245e09c954a1b650cc30_NeikiAnalytics.exe
SHA256 7767a3714085511fe9b117c3246fe5c8dab47f84040f401408ab5f3f398ca2f6
Tags
evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7767a3714085511fe9b117c3246fe5c8dab47f84040f401408ab5f3f398ca2f6

Threat Level: Known bad

The file 285b26a0c32b245e09c954a1b650cc30_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence trojan

Windows security bypass

Modifies Installed Components in the registry

Sets file execution options in registry

Executes dropped EXE

Loads dropped DLL

Windows security modification

Modifies WinLogon

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-25 22:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-25 22:12

Reported

2024-05-25 22:15

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

123s

Command Line

winlogon.exe

Signatures

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" C:\Windows\SysWOW64\ounhetik-ehex.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52484154-5145-4451-5248-415451454451} C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52484154-5145-4451-5248-415451454451}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52484154-5145-4451-5248-415451454451}\IsInstalled = "1" C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52484154-5145-4451-5248-415451454451}\StubPath = "C:\\Windows\\system32\\eafhegid.exe" C:\Windows\SysWOW64\ounhetik-ehex.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\oupnoagim-eacex.exe" C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" C:\Windows\SysWOW64\ounhetik-ehex.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ounhetik-ehex.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" C:\Windows\SysWOW64\ounhetik-ehex.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\eaxlabis.dll" C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify C:\Windows\SysWOW64\ounhetik-ehex.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ounhetik-ehex.exe C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
File opened for modification C:\Windows\SysWOW64\oupnoagim-eacex.exe C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
File created C:\Windows\SysWOW64\eafhegid.exe C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
File created C:\Windows\SysWOW64\eaxlabis.dll C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
File opened for modification C:\Windows\SysWOW64\eafhegid.exe C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
File opened for modification C:\Windows\SysWOW64\eaxlabis.dll C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
File opened for modification C:\Windows\SysWOW64\ounhetik-ehex.exe C:\Users\Admin\AppData\Local\Temp\285b26a0c32b245e09c954a1b650cc30_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\ounhetik-ehex.exe C:\Users\Admin\AppData\Local\Temp\285b26a0c32b245e09c954a1b650cc30_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\oupnoagim-eacex.exe C:\Windows\SysWOW64\ounhetik-ehex.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ounhetik-ehex.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\285b26a0c32b245e09c954a1b650cc30_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\ounhetik-ehex.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4656 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\285b26a0c32b245e09c954a1b650cc30_NeikiAnalytics.exe C:\Windows\SysWOW64\ounhetik-ehex.exe
PID 2164 wrote to memory of 624 N/A C:\Windows\SysWOW64\ounhetik-ehex.exe C:\Windows\system32\winlogon.exe
PID 2164 wrote to memory of 5096 N/A C:\Windows\SysWOW64\ounhetik-ehex.exe C:\Windows\SysWOW64\ounhetik-ehex.exe
PID 2164 wrote to memory of 3604 N/A C:\Windows\SysWOW64\ounhetik-ehex.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\285b26a0c32b245e09c954a1b650cc30_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\285b26a0c32b245e09c954a1b650cc30_NeikiAnalytics.exe"

C:\Windows\SysWOW64\ounhetik-ehex.exe

"C:\Windows\system32\ounhetik-ehex.exe"

C:\Windows\SysWOW64\ounhetik-ehex.exe

--k33p

Network

Country Destination Domain Proto
US 8.8.8.8:53 wcyozgxnc.ph udp
US 45.79.222.138:80 wcyozgxnc.ph tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 utbidet-ugeas.biz udp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 138.222.79.45.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 utbidet-ugeas.biz udp
N/A 127.0.0.1:80 tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp

Files

C:\Windows\SysWOW64\ounhetik-ehex.exe

MD5 285b26a0c32b245e09c954a1b650cc30
SHA1 7b6422594a620e7a65deb4a525645a4023231e2b
SHA256 7767a3714085511fe9b117c3246fe5c8dab47f84040f401408ab5f3f398ca2f6
SHA512 64a699d02637cd902d6945849e2c97809c01c98b6898b2c1df66ad72b80fe52baef650b124ec86143a0c16ab3e1575abea7305391b88e16c870e27cf50af0583

memory/4656-5-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Windows\SysWOW64\eaxlabis.dll

MD5 f37b21c00fd81bd93c89ce741a88f183
SHA1 b2796500597c68e2f5638e1101b46eaf32676c1c
SHA256 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

C:\Windows\SysWOW64\oupnoagim-eacex.exe

MD5 92b52bf62783e1082a7a76d8db5006aa
SHA1 935054dc030b4fc5b67343cef1e8ef5832e07ec4
SHA256 d5512a93749209042e7efaa1f49e0fa547b9c5f6a539b9aec7cef080a9ace478
SHA512 83e175131385777cfd7ea627f398bcc1e22d388be09f39f4fbb0bbfe36299b169ca2824cd4e4c53a92f724ddee926edb2c4e37fc799d3eb022287a21eedbe9b7

C:\Windows\SysWOW64\eafhegid.exe

MD5 d0c18e622454d529b971a869175ac0cb
SHA1 129ac88fef245bdf534dd00e8f7d9ef21adbf537
SHA256 818d199c6c304ad1577739bab4a2776562a25e350b62f0ed5e05620c5df67bee
SHA512 a329a9df69ed4547579bb1f967ec4abd889907d1968bb6f33d58c3ea0c82d4868483d1ddeedbaba0ea362dc2def59a430fdecd20fbae576d9a5ce47bc0127f80

memory/2164-49-0x0000000000400000-0x0000000000414000-memory.dmp

memory/5096-50-0x0000000000400000-0x0000000000414000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-25 22:12

Reported

2024-05-25 22:15

Platform

win7-20240221-en

Max time kernel

149s

Max time network

122s

Command Line

winlogon.exe

Signatures

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" C:\Windows\SysWOW64\ounhetik-ehex.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{495A4B43-4b4f-5450-495A-4B434B4F5450} C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{495A4B43-4b4f-5450-495A-4B434B4F5450}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{495A4B43-4b4f-5450-495A-4B434B4F5450}\IsInstalled = "1" C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{495A4B43-4b4f-5450-495A-4B434B4F5450}\StubPath = "C:\\Windows\\system32\\eafhegid.exe" C:\Windows\SysWOW64\ounhetik-ehex.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\oupnoagim-eacex.exe" C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe C:\Windows\SysWOW64\ounhetik-ehex.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ounhetik-ehex.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" C:\Windows\SysWOW64\ounhetik-ehex.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\eaxlabis.dll" C:\Windows\SysWOW64\ounhetik-ehex.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\oupnoagim-eacex.exe C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
File created C:\Windows\SysWOW64\eafhegid.exe C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
File opened for modification C:\Windows\SysWOW64\eaxlabis.dll C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
File opened for modification C:\Windows\SysWOW64\ounhetik-ehex.exe C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
File opened for modification C:\Windows\SysWOW64\ounhetik-ehex.exe C:\Users\Admin\AppData\Local\Temp\285b26a0c32b245e09c954a1b650cc30_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\ounhetik-ehex.exe C:\Users\Admin\AppData\Local\Temp\285b26a0c32b245e09c954a1b650cc30_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\oupnoagim-eacex.exe C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
File opened for modification C:\Windows\SysWOW64\eafhegid.exe C:\Windows\SysWOW64\ounhetik-ehex.exe N/A
File created C:\Windows\SysWOW64\eaxlabis.dll C:\Windows\SysWOW64\ounhetik-ehex.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ounhetik-ehex.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\285b26a0c32b245e09c954a1b650cc30_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\ounhetik-ehex.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2176 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\285b26a0c32b245e09c954a1b650cc30_NeikiAnalytics.exe C:\Windows\SysWOW64\ounhetik-ehex.exe
PID 860 wrote to memory of 436 N/A C:\Windows\SysWOW64\ounhetik-ehex.exe C:\Windows\system32\winlogon.exe
PID 860 wrote to memory of 1192 N/A C:\Windows\SysWOW64\ounhetik-ehex.exe C:\Windows\Explorer.EXE
PID 860 wrote to memory of 1284 N/A C:\Windows\SysWOW64\ounhetik-ehex.exe C:\Windows\SysWOW64\ounhetik-ehex.exe
PID 860 wrote to memory of 1192 N/A C:\Windows\SysWOW64\ounhetik-ehex.exe C:\Windows\Explorer.EXE
PID 860 wrote to memory of 1192 N/A C:\Windows\SysWOW64\ounhetik-ehex.exe C:\Windows\Explorer.EXE
PID 860 wrote to memory of 1192 N/A C:\Windows\SysWOW64\ounhetik-ehex.exe C:\Windows\Explorer.EXE
PID 860 wrote to memory of 1192 N/A C:\Windows\SysWOW64\ounhetik-ehex.exe C:\Windows\Explorer.EXE
PID 860 wrote to memory of 1192 N/A C:\Windows\SysWOW64\ounhetik-ehex.exe C:\Windows\Explorer.EXE
PID 860 wrote to memory of 1192 N/A C:\Windows\SysWOW64\ounhetik-ehex.exe C:\Windows\Explorer.EXE
PID 860 wrote to memory of 1192 N/A C:\Windows\SysWOW64\ounhetik-ehex.exe C:\Windows\Explorer.EXE
PID 860 wrote to memory of 1192 N/A C:\Windows\SysWOW64\ounhetik-ehex.exe C:\Windows\Explorer.EXE
PID 860 wrote to memory of 1192 N/A C:\Windows\SysWOW64\ounhetik-ehex.exe C:\Windows\Explorer.EXE
PID 860 wrote to memory of 1192 N/A C:\Windows\SysWOW64\ounhetik-ehex.exe C:\Windows\Explorer.EXE
PID 860 wrote to memory of 1192 N/A C:\Windows\SysWOW64\ounhetik-ehex.exe C:\Windows\Explorer.EXE
PID 860 wrote to memory of 1192 N/A C:\Windows\SysWOW64\ounhetik-ehex.exe C:\Windows\Explorer.EXE
PID 860 wrote to memory of 1192 N/A C:\Windows\SysWOW64\ounhetik-ehex.exe C:\Windows\Explorer.EXE
PID 860 wrote to memory of 1192 N/A C:\Windows\SysWOW64\ounhetik-ehex.exe C:\Windows\Explorer.EXE
PID 860 wrote to memory of 1192 N/A C:\Windows\SysWOW64\ounhetik-ehex.exe C:\Windows\Explorer.EXE
PID 860 wrote to memory of 1192 N/A C:\Windows\SysWOW64\ounhetik-ehex.exe C:\Windows\Explorer.EXE
PID 860 wrote to memory of 1192 N/A C:\Windows\SysWOW64\ounhetik-ehex.exe C:\Windows\Explorer.EXE
PID 860 wrote to memory of 1192 N/A C:\Windows\SysWOW64\ounhetik-ehex.exe C:\Windows\Explorer.EXE
PID 860 wrote to memory of 1192 N/A C:\Windows\SysWOW64\ounhetik-ehex.exe C:\Windows\Explorer.EXE
PID 860 wrote to memory of 1192 N/A C:\Windows\SysWOW64\ounhetik-ehex.exe C:\Windows\Explorer.EXE
PID 860 wrote to memory of 1192 N/A C:\Windows\SysWOW64\ounhetik-ehex.exe C:\Windows\Explorer.EXE
PID 860 wrote to memory of 1192 N/A C:\Windows\SysWOW64\ounhetik-ehex.exe C:\Windows\Explorer.EXE
PID 860 wrote to memory of 1192 N/A C:\Windows\SysWOW64\ounhetik-ehex.exe C:\Windows\Explorer.EXE
PID 860 wrote to memory of 1192 N/A C:\Windows\SysWOW64\ounhetik-ehex.exe C:\Windows\Explorer.EXE
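
The rows above are the sandbox's record of cross-process WriteProcessMemory calls: the dropper (PID 2176) writes into the copy it dropped (860), which then writes into winlogon.exe (436), Explorer.EXE (1192) and a second instance of itself (1284). As an added example that is not part of the report, the Python below parses rows in exactly this printed format, collapses the repeats into per-edge counts in first-seen order, and labels each edge so that writes into processes an unprivileged binary should never touch stand out. The row strings are constructed from the table above; SENSITIVE_TARGETS is our own list, not something the sandbox defines.

```python
import re
from collections import OrderedDict

# One printed row: source PID, target PID, indicator, source image, target image
# (none of the paths in this report contain spaces, so \S+ is enough).
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")

# Targets that user-land malware has no business writing into. Assumption for
# this example only; the sandbox report defines no such list.
SENSITIVE_TARGETS = {"winlogon.exe", "explorer.exe", "lsass.exe", "csrss.exe", "services.exe"}

_SRC = r"C:\Users\Admin\AppData\Local\Temp\285b26a0c32b245e09c954a1b650cc30_NeikiAnalytics.exe"
_DROP = r"C:\Windows\SysWOW64\ounhetik-ehex.exe"


def _row(src_pid, dst_pid, src, dst):
    return f"PID {src_pid} wrote to memory of {dst_pid} N/A {src} {dst}"


# Constructed input: the report's WriteProcessMemory rows, in the order and
# multiplicity the sandbox printed them.
SAMPLE_ROWS = (
    [_row(2176, 860, _SRC, _DROP)] * 3
    + [_row(860, 436, _DROP, r"C:\Windows\system32\winlogon.exe")]
    + [_row(860, 1192, _DROP, r"C:\Windows\Explorer.EXE")] * 2
    + [_row(860, 1284, _DROP, _DROP)] * 4
    + [_row(860, 1192, _DROP, r"C:\Windows\Explorer.EXE")] * 53
)


def basename(path):
    """Case-folded file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_rows(lines):
    """Yield (src_pid, dst_pid, src_image, dst_image); lines that are not rows are skipped."""
    for line in lines:
        m = ROW.match(line.strip())
        if m:
            yield int(m.group(1)), int(m.group(2)), m.group(4), m.group(5)


def summarize(lines):
    """Collapse repeats into {(src_pid, dst_pid): [src_image, dst_image, count]} in first-seen order."""
    out = OrderedDict()
    for src_pid, dst_pid, src, dst in parse_rows(lines):
        entry = out.setdefault((src_pid, dst_pid), [src, dst, 0])
        entry[2] += 1
    return out


def classify(summary):
    """Label each write edge: 'sensitive-target', 'self-copy' or 'other'."""
    findings = []
    for (src_pid, dst_pid), (src, dst, count) in summary.items():
        if basename(dst) in SENSITIVE_TARGETS:
            label = "sensitive-target"      # injection into a system/shell process
        elif basename(src) == basename(dst):
            label = "self-copy"             # parent writing into a fresh instance of itself
        else:
            label = "other"                 # e.g. dropper writing into its dropped child
        findings.append({"src_pid": src_pid, "dst_pid": dst_pid, "src": src,
                         "dst": dst, "writes": count, "label": label})
    return findings


if __name__ == "__main__":
    for f in classify(summarize(SAMPLE_ROWS)):
        print(f"{f['label']:17} {f['src_pid']:>5} -> {f['dst_pid']:<5} "
              f"x{f['writes']:<3} {basename(f['src'])} -> {basename(f['dst'])}")
```

Run against the rows above it reduces the 63 printed lines to four edges, two of which (into winlogon.exe and Explorer.EXE) are the ones worth a detection rule; the per-edge count is kept because a burst of 55 writes into Explorer.EXE from a freshly dropped SysWOW64 binary is a stronger signal than a single write.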

Processes

C:\Windows\system32\winlogon.exe
Command line: winlogon.exe

C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\285b26a0c32b245e09c954a1b650cc30_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\285b26a0c32b245e09c954a1b650cc30_NeikiAnalytics.exe"

C:\Windows\SysWOW64\ounhetik-ehex.exe
Command line: "C:\Windows\system32\ounhetik-ehex.exe"
(The command line names system32, but the image is in SysWOW64: the sample is a 32-bit process, so WOW64 file system redirection maps its System32 writes to SysWOW64.)

C:\Windows\SysWOW64\ounhetik-ehex.exe
Command line: --k33p

Network

Country Destination Domain Proto
US 8.8.8.8:53 sbwvwiu.st udp
US 8.8.8.8:53 sbwvwiu.st udp

Files

\Windows\SysWOW64\ounhetik-ehex.exe

MD5 285b26a0c32b245e09c954a1b650cc30
SHA1 7b6422594a620e7a65deb4a525645a4023231e2b
SHA256 7767a3714085511fe9b117c3246fe5c8dab47f84040f401408ab5f3f398ca2f6
SHA512 64a699d02637cd902d6945849e2c97809c01c98b6898b2c1df66ad72b80fe52baef650b124ec86143a0c16ab3e1575abea7305391b88e16c870e27cf50af0583

memory/2176-9-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Windows\SysWOW64\eafhegid.exe

MD5 7cfdf93c021cea231f8c32c9d20baaf1
SHA1 707e815f71eb70684b0dde4a4dd4b488bec21f3f
SHA256 0c8abc190791d035c46f556cf1bc51c42da904985fde8b940609b51bff533c70
SHA512 5a033a4e6a1fccf1853f38ca57cb6a238c80ce877235996527b699e27ac67880b838df611af908a3e48c2216c9eaf5ec777f63a47700cd6334f7dbbdf54f1508

C:\Windows\SysWOW64\oupnoagim-eacex.exe

MD5 75f16d8c7814a1e91206e150ce761e5b
SHA1 d80804e5658abd7889593502cd91ab60f4e62c7f
SHA256 845bbe6756c69459e8d49169ad1e9c4062d414cd939fd7768089ffd76808e396
SHA512 c4ebbaac844229e523d6e49096c469a8983dce60ea52e9c506e6a618c2efaf6db0da26a4577ecb45890df2c9359dbd5e7195ded0b68d9e3668e793b975c07124

C:\Windows\SysWOW64\eaxlabis.dll

MD5 f37b21c00fd81bd93c89ce741a88f183
SHA1 b2796500597c68e2f5638e1101b46eaf32676c1c
SHA256 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

memory/860-55-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1284-56-0x0000000000400000-0x0000000000414000-memory.dmp
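
Two things the Files and Network tables state without spelling out: the dropped ounhetik-ehex.exe carries the same MD5 (285b26a0c32b245e09c954a1b650cc30) that prefixes the submitted file name, so it is a byte-identical copy of the sample, whereas eafhegid.exe, oupnoagim-eacex.exe and eaxlabis.dll are distinct payloads; and the three memory dumps all cover 0x400000 to 0x414000, i.e. the same 32-bit image in the dropper, its copy and the copy's child. In the Network table 8.8.8.8:53 is the resolver, so the usable indicator is the queried domain, not the IP. The Python below, an added example that is not part of the report, parses both sections as printed and derives those facts plus a hash and domain IOC list. The section text is copied from above (SHA1/SHA512 lines omitted for brevity; the parser accepts them); treating the 32-hex prefix of the file name as the sample's MD5 is an assumption.

```python
import re

# Constructed input: the report's Files section as printed (SHA1/SHA512 lines dropped).
FILES_SECTION = r"""
\Windows\SysWOW64\ounhetik-ehex.exe

MD5 285b26a0c32b245e09c954a1b650cc30
SHA256 7767a3714085511fe9b117c3246fe5c8dab47f84040f401408ab5f3f398ca2f6

memory/2176-9-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Windows\SysWOW64\eafhegid.exe

MD5 7cfdf93c021cea231f8c32c9d20baaf1
SHA256 0c8abc190791d035c46f556cf1bc51c42da904985fde8b940609b51bff533c70

C:\Windows\SysWOW64\oupnoagim-eacex.exe

MD5 75f16d8c7814a1e91206e150ce761e5b
SHA256 845bbe6756c69459e8d49169ad1e9c4062d414cd939fd7768089ffd76808e396

C:\Windows\SysWOW64\eaxlabis.dll

MD5 f37b21c00fd81bd93c89ce741a88f183
SHA256 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

memory/860-55-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1284-56-0x0000000000400000-0x0000000000414000-memory.dmp
"""

# Constructed input: the Network rows as printed (Country Destination Domain Proto).
NETWORK_ROWS = ["US 8.8.8.8:53 sbwvwiu.st udp", "US 8.8.8.8:53 sbwvwiu.st udp"]
SAMPLE_NAME = "285b26a0c32b245e09c954a1b650cc30_NeikiAnalytics.exe"

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$", re.I)
DUMP_LINE = re.compile(r"^memory/(\d+)-\d+-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp$", re.I)
NET_ROW = re.compile(r"^(\S+) (\S+):(\d+) (\S+) (\S+)$")


def parse_files(text):
    """Return (files, dumps): files as {path, MD5, SHA256, ...}, dumps as {pid, base, size}."""
    files, dumps, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_LINE.match(line)
        if m:
            start, end = int(m.group(2), 16), int(m.group(3), 16)
            dumps.append({"pid": int(m.group(1)), "base": start, "size": end - start})
            current = None
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            current[m.group(1).upper()] = m.group(2).lower()
            continue
        current = {"path": line}          # any other non-empty line starts a file entry
        files.append(current)
    return files, dumps


def sample_md5_from_name(filename):
    """Assumption: the 32-hex prefix of the submitted file name is the sample's MD5."""
    m = re.match(r"^([0-9a-f]{32})_", filename, re.I)
    return m.group(1).lower() if m else None


def classify_drops(files, sample_md5):
    """Split dropped files into byte-identical copies of the sample and new payloads."""
    copies = [f["path"] for f in files if f.get("MD5") == sample_md5]
    new = [f for f in files if f.get("MD5") != sample_md5]
    return copies, new


def dump_consistency(dumps):
    """(True, regions) when every dump covers one (base, size), i.e. the same image everywhere."""
    regions = {(d["base"], d["size"]) for d in dumps}
    return len(regions) == 1, regions


def parse_network(rows):
    """Return (queried domains, resolvers); the IP:port column is the DNS server, not the C2."""
    domains, resolvers = set(), set()
    for r in rows:
        m = NET_ROW.match(r.strip())
        if m:
            resolvers.add(f"{m.group(2)}:{m.group(3)}")
            domains.add(m.group(4).lower())
    return domains, resolvers


def iocs(files, sample_md5, net_rows):
    """SHA256s of payloads that are not the sample itself, plus the queried domains."""
    _, new = classify_drops(files, sample_md5)
    domains, _ = parse_network(net_rows)
    return {"sha256": sorted(f["SHA256"] for f in new if "SHA256" in f),
            "domains": sorted(domains)}


if __name__ == "__main__":
    files, dumps = parse_files(FILES_SECTION)
    md5 = sample_md5_from_name(SAMPLE_NAME)
    copies, new = classify_drops(files, md5)
    print("self-copies:", copies)
    print("new payloads:", [f["path"] for f in new])
    print("dumps share one image region:", dump_consistency(dumps))
    print("iocs:", iocs(files, md5, NETWORK_ROWS))
```

The sample's own hash is deliberately excluded from the SHA256 IOC list, since the submitted file is already the thing being hunted; the three new payload hashes and the domain are what go into a blocklist or a retro-hunt.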