Malware Analysis Report

2025-06-16 03:38

Sample ID: 240526-rmb33shc3t
Target: 080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exe
SHA256: 600b6df1fa279556cb7bfcbba34a3fc80c04e85f0b1923de0318b06b5f1ca955
Tags: bootkit, persistence
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 7/10

SHA256: 600b6df1fa279556cb7bfcbba34a3fc80c04e85f0b1923de0318b06b5f1ca955

Threat level: shows suspicious behavior

The file 080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exe was classified as showing suspicious behavior (score 7/10). In both detonations it runs as a 32-bit (WOW64) process, writes a byte-identical copy of itself named wuaucldt.exe to the SysWOW64 directory and to the user profile, registers Run values under both HKLM (Wow6432Node) and HKCU, injects into a SysWOW64 svchost.exe (WriteProcessMemory followed by SetThreadContext), and from that svchost.exe opens \??\PhysicalDrive0 for modification, which is what the bootkit tag refers to. The original sample is then deleted through cmd.exe. Details are in the two behavioral analyses below.

Malicious Activity Summary

bootkit persistence

Deletes itself

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-05-26 14:18

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-26 14:18
Reported: 2024-05-26 14:20
Platform: win7-20240508-en
Max time kernel: 148s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

The deletion is delegated to cmd.exe (see Processes): one instance removes the original sample by its 8.3 short name (080D6C~1.EXE), the other removes the SysWOW64 copy of wuaucldt.exe. A "cmd.exe /c del" aimed at the parent's own image, particularly through a short name, is a usable detection pivot on its own.

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\SysWOW64\wuaucldt.exe | N/A
N/A | N/A | \??\c:\users\admin\wuaucldt.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wuaucldt = "c:\\windows\\system32\\wuaucldt.exe" | \??\c:\users\admin\wuaucldt.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuaucldt = "c:\\users\\admin\\wuaucldt.exe" | \??\c:\users\admin\wuaucldt.exe | N/A

Both values are written by the user-profile copy. The HKLM value lands under Wow6432Node and names c:\windows\system32\wuaucldt.exe because the writer is a 32-bit process: WOW64 redirected its registry write, just as its earlier file write to system32 was redirected to SysWOW64 (see "Drops file in System32 directory"). The HKCU value points at the user-profile copy, which is the process that drives the rest of the chain.

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\svchost.exe | N/A

The opener is the svchost.exe instance (PID 1916) that received the injected code, not a legitimate service host. The signature fires on the raw disk device being opened with write access; the report does not show what was written, so whether the MBR was actually overwritten, and with what, has to be confirmed from the disk itself.

Drops file in System32 directory

Description | Indicator | Process | Target
File created | \??\c:\windows\SysWOW64\wuaucldt.exe | C:\Users\Admin\AppData\Local\Temp\080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exe | N/A
File created | \??\c:\windows\SysWOW64\wuaucldt.exe | \??\c:\windows\SysWOW64\wuaucldt.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3000 set thread context of 1916 | N/A | \??\c:\users\admin\wuaucldt.exe | C:\Windows\SysWOW64\svchost.exe

Together with the six WriteProcessMemory events from 3000 to 1916 listed below, this is the injection sequence typical of process hollowing: start a 32-bit svchost.exe, write the payload into it, then redirect a thread with SetThreadContext. The memory dumps for PID 1916 in the Files section were taken from that target process.

Suspicious use of WriteProcessMemory

Repeated identical rows are collapsed; the count is the number of events the sandbox logged.

Description | Indicator | Process | Target
PID 2928 wrote to memory of 2992 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exe | \??\c:\windows\SysWOW64\wuaucldt.exe
PID 2992 wrote to memory of 3000 (4 events) | N/A | \??\c:\windows\SysWOW64\wuaucldt.exe | \??\c:\users\admin\wuaucldt.exe
PID 3000 wrote to memory of 1916 (6 events) | N/A | \??\c:\users\admin\wuaucldt.exe | C:\Windows\SysWOW64\svchost.exe
PID 2928 wrote to memory of 2572 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2992 wrote to memory of 2688 (4 events) | N/A | \??\c:\windows\SysWOW64\wuaucldt.exe | C:\Windows\SysWOW64\cmd.exe

Process chain: 2928 (sample) -> 2992 (SysWOW64 copy) -> 3000 (user-profile copy) -> 1916 (svchost.exe, injection target); 2572 and 2688 are the two cmd.exe instances.

Processes

Process (sandbox PID) | Command line
C:\Users\Admin\AppData\Local\Temp\080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exe (2928) | "C:\Users\Admin\AppData\Local\Temp\080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exe"
\??\c:\windows\SysWOW64\wuaucldt.exe (2992) | c:\windows\system32\wuaucldt.exe
\??\c:\users\admin\wuaucldt.exe (3000) | c:\users\admin\wuaucldt.exe
C:\Windows\SysWOW64\svchost.exe (1916) | C:\Windows\system32\svchost.exe
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del c:\users\admin\appdata\local\temp\080D6C~1.EXE
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del c:\windows\syswow64\wuaucldt.exe

PIDs are taken from the signature rows above. The command lines name system32 paths while the images run from SysWOW64: that is WOW64 file-system redirection applied to a 32-bit process.

Network

Country Destination Domain Proto
US 64.56.68.34:443 tcp
BR 200.192.143.87:443 tcp
JP 202.164.228.11:443 tcp
JP 163.209.180.1:443 tcp
UA 77.120.110.76:443 tcp
JP 210.165.4.71:443 tcp
US 8.8.8.8:53 ss1.coressl.jp udp
US 8.8.8.8:53 www.imusica.com.br udp
US 8.8.8.8:53 spooky.cartoons.org.ua udp
US 8.8.8.8:53 ex2.broadser udp
US 8.8.8.8:53 forums.ubuntulinux.jp udp
US 8.8.8.8:53 ex2.broadser udp
US 8.8.8.8:53 www.guiaseshop.com.br udp
US 8.8.8.8:53 www.marantz.jp udp
US 8.8.8.8:53 ss1.coressl.jp udp
JP 183.90.183.210:443 ss1.coressl.jp tcp
US 104.18.21.243:443 www.marantz.jp tcp
US 104.21.80.9:443 forums.ubuntulinux.jp tcp
US 104.18.21.243:443 www.marantz.jp tcp
UA 195.182.192.2:443 tcp
US 3.162.140.55:443 www.imusica.com.br tcp
US 207.44.220.4:443 tcp
UA 91.196.95.24:443 tcp
US 8.8.8.8:53 www.treasuryislandcasino.com.ua udp
DE 37.1.197.107:443 www.treasuryislandcasino.com.ua tcp
BR 201.20.45.207:443 tcp
JP 183.90.183.210:443 ss1.coressl.jp tcp
JP 130.69.92.68:443 tcp
US 8.8.8.8:53 wow.merlin.org.ua udp
UA 193.138.146.141:443 wow.merlin.org.ua tcp
NL 87.239.184.105:443 tcp
BR 201.20.45.207:443 tcp
UA 193.178.147.110:443 tcp
US 8.8.8.8:53 www.jica.go.jp udp
US 3.162.140.60:443 www.jica.go.jp tcp
US 8.8.8.8:53 shop.poziti udp
JP 133.26.200.10:443 tcp
US 8.8.8.8:53 www.myeclipseide.jp udp
DE 185.53.178.50:443 www.myeclipseide.jp tcp
JP 118.67.65.194:443 tcp
BR 201.76.50.168:443 tcp
US 8.8.8.8:53 www.sextoy.com.br udp
US 147.182.196.237:443 www.sextoy.com.br tcp
US 8.8.8.8:53 bunker.org.ua udp
DE 116.202.13.71:443 bunker.org.ua tcp
US 8.8.8.8:53 loja.tray.com.br udp
BR 177.67.115.135:443 loja.tray.com.br tcp
US 64.79.197.143:443 tcp
US 8.8.8.8:53 weather.co.ua udp
RU 185.9.147.4:443 weather.co.ua tcp
UA 212.82.216.42:443 tcp
US 64.56.68.36:443 tcp
BR 200.192.143.87:443 tcp
US 204.13.248.107:443 tcp
UA 82.193.122.190:443 tcp
JP 202.226.91.62:443 tcp
US 8.8.8.8:53 bookweb.kinokuniya.co.jp udp
JP 122.219.252.105:443 tcp
BR 200.234.192.141:443 tcp
JP 203.216.221.246:443 bookweb.kinokuniya.co.jp tcp
UA 82.193.122.190:443 tcp
JP 210.171.131.16:443 tcp
UA 79.171.122.236:443 tcp
JP 203.216.221.246:443 bookweb.kinokuniya.co.jp tcp
JP 202.218.203.244:443 tcp
UA 195.214.214.53:443 tcp
BR 201.20.45.207:443 tcp
US 8.8.8.8:53 secure.fox udp
US 64.79.197.143:443 tcp
RU 185.9.147.4:443 weather.co.ua tcp
US 104.21.80.9:443 forums.ubuntulinux.jp tcp
JP 219.99.163.41:443 tcp
BR 201.76.41.87:443 tcp
US 208.110.80.34:443 tcp
US 8.8.8.8:53 www.billboxrecords.com.br udp
UA 82.193.122.190:443 tcp
UA 91.203.146.30:443 tcp
JP 118.67.65.194:443 tcp
UA 91.196.95.24:443 tcp
US 8.8.8.8:53 www.miltenyibiotec.co.jp udp
DE 45.87.158.7:443 www.miltenyibiotec.co.jp tcp
US 140.177.205.56:443 tcp
US 8.8.8.8:53 m-repo.lib.meiji.ac.jp udp
US 8.8.8.8:53 isu2.tup.km.ua udp
FR 217.182.53.72:443 isu2.tup.km.ua tcp
JP 133.26.200.10:443 m-repo.lib.meiji.ac.jp tcp
JP 202.218.203.244:443 tcp
UA 109.72.122.165:443 tcp
UA 193.178.147.110:443 tcp
DE 37.1.197.107:443 www.treasuryislandcasino.com.ua tcp
BR 177.67.115.135:443 loja.tray.com.br tcp
JP 133.26.200.10:443 m-repo.lib.meiji.ac.jp tcp
JP 211.133.134.87:443 tcp
UA 212.82.216.42:443 tcp
UA 212.42.72.183:443 tcp
US 8.8.8.8:53 www.kajima.co.jp udp
JP 202.241.202.159:443 www.kajima.co.jp tcp
US 8.8.8.8:53 rastu.com.ua udp
US 8.8.8.8:53 newsletter.go udp
JP 130.69.92.68:443 tcp
US 8.8.8.8:53 www.saredrogarias.com.br udp
US 172.67.189.108:443 www.saredrogarias.com.br tcp
US 64.131.68.169:443 tcp
US 8.8.8.8:53 masterkey.com.ua udp
DE 185.53.178.53:443 masterkey.com.ua tcp
BR 201.20.45.207:443 tcp
US 208.110.80.35:443 tcp
RU 185.9.147.4:443 weather.co.ua tcp
US 8.8.8.8:53 www.okilogistics.co.jp udp
US 69.72.149.166:443 tcp
JP 125.53.25.30:443 tcp
RU 185.9.147.4:443 weather.co.ua tcp
UA 212.111.198.59:443 tcp
US 69.72.149.166:443 tcp
DE 193.26.15.243:443 tcp
JP 131.206.55.11:443 tcp
JP 122.219.252.105:443 tcp
JP 202.218.111.122:443 tcp
US 8.8.8.8:53 loja.tray.com.br udp
BR 177.67.115.135:443 loja.tray.com.br tcp
BR 200.234.192.141:443 tcp
US 8.8.8.8:53 www.ristex.jp udp
BR 200.234.192.141:443 tcp
JP 202.214.40.79:443 tcp
JP 210.157.5.25:443 tcp
US 104.21.80.9:443 forums.ubuntulinux.jp tcp
DE 193.26.15.243:443 tcp
US 8.8.8.8:53 www.science-forum.co.jp udp
UA 193.178.147.110:443 tcp
US 208.110.80.36:443 tcp
UA 193.178.147.110:443 tcp
JP 211.133.134.87:443 tcp
JP 202.218.13.230:443 tcp
JP 222.146.58.38:443 tcp
UA 212.42.72.183:443 tcp
US 8.8.8.8:53 www.imusica.com.br udp
UA 212.111.198.59:443 tcp
US 3.162.140.129:443 www.imusica.com.br tcp
UA 62.149.23.110:443 tcp
US 74.125.87.69:443 tcp
UA 77.120.99.240:443 tcp
RU 185.9.147.4:443 weather.co.ua tcp
JP 202.214.40.79:443 tcp
US 8.8.8.8:53 www.jaif.or.jp udp
JP 150.60.251.193:443 www.jaif.or.jp tcp
BR 201.20.45.207:443 tcp
JP 202.191.113.9:443 tcp
US 140.177.205.56:443 tcp
US 8.8.8.8:53 k.jfc.go.jp udp
UA 62.149.23.110:443 tcp
US 8.8.8.8:53 www.mlh.co.jp udp
US 204.74.99.100:443 www.mlh.co.jp tcp
UA 109.72.122.165:443 tcp
US 76.164.227.58:443 tcp
JP 202.164.228.11:443 tcp
JP 131.113.221.138:443 tcp
US 69.72.149.166:443 tcp
JP 219.99.163.41:443 tcp
US 8.8.8.8:53 ssl876.locaweb.com.br udp
BR 191.252.48.196:443 ssl876.locaweb.com.br tcp
BR 177.67.115.135:443 loja.tray.com.br tcp
JP 183.90.183.210:443 ss1.coressl.jp tcp
US 8.8.8.8:53 www.inde udp
US 104.18.21.243:443 www.marantz.jp tcp
UA 212.111.198.59:443 tcp
JP 202.226.91.62:443 tcp
US 8.8.8.8:53 www.nrw.co.jp udp
UA 62.149.23.110:443 tcp
UA 77.120.99.240:443 tcp
FR 217.182.53.72:443 isu2.tup.km.ua tcp
US 8.8.8.8:53 www.jica.go.jp udp
US 3.162.140.120:443 www.jica.go.jp tcp
US 204.74.99.100:443 www.mlh.co.jp tcp
US 104.21.80.9:443 forums.ubuntulinux.jp tcp
UA 212.82.216.42:443 tcp
JP 203.79.51.228:443 tcp
JP 203.79.51.228:443 tcp
US 8.8.8.8:53 forum.gryada.org.ua udp
BR 201.20.45.207:443 tcp
BR 201.76.41.87:443 tcp
UA 62.149.23.110:443 tcp
BR 200.234.192.141:443 tcp
US 8.8.8.8:53 www.wolfram.co.jp udp
US 140.177.9.54:443 www.wolfram.co.jp tcp
UA 77.120.104.50:443 tcp
DE 116.202.13.71:443 bunker.org.ua tcp
UA 77.120.121.35:443 tcp
US 8.8.8.8:53 www.stone.co.ua udp
JP 202.218.13.230:443 tcp
UA 91.196.95.24:443 tcp
US 76.164.227.59:443 tcp
US 8.8.8.8:53 nodes.com.ua udp
JP 202.218.170.179:443 tcp
US 8.8.8.8:53 ss1.coressl.jp udp
JP 183.90.183.210:443 ss1.coressl.jp tcp
DE 116.202.13.71:443 bunker.org.ua tcp
US 8.8.8.8:53 ssl.form-mailer.jp udp
JP 219.99.163.87:443 ssl.form-mailer.jp tcp
UA 62.149.23.110:443 tcp
US 204.74.99.100:443 www.mlh.co.jp tcp
JP 61.120.56.37:443 tcp
JP 202.218.170.179:443 tcp
JP 202.164.228.11:443 tcp
JP 203.180.136.89:443 tcp
JP 150.60.251.193:443 www.jaif.or.jp tcp
BR 200.192.143.87:443 tcp
JP 133.26.200.10:443 m-repo.lib.meiji.ac.jp tcp
US 8.8.8.8:53 g105.secure.ne.jp udp
JP 202.164.228.11:443 g105.secure.ne.jp tcp
UA 195.182.192.2:443 tcp
BR 201.20.45.207:443 tcp
US 8.8.8.8:53 loja.tray.com.br udp
BR 177.67.115.135:443 loja.tray.com.br tcp
JP 133.26.200.10:443 m-repo.lib.meiji.ac.jp tcp
BR 177.67.115.135:443 loja.tray.com.br tcp
RU 185.9.147.4:443 weather.co.ua tcp
US 8.8.8.8:53 www.kajima.co.jp udp
DE 116.202.13.71:443 bunker.org.ua tcp
JP 202.241.202.159:443 www.kajima.co.jp tcp
UA 193.110.163.66:443 tcp
US 204.74.99.100:443 www.mlh.co.jp tcp
JP 125.53.25.30:443 tcp
RU 185.9.147.4:443 weather.co.ua tcp
UA 77.120.99.240:443 tcp
FR 217.182.53.72:443 isu2.tup.km.ua tcp
FR 217.182.53.72:443 isu2.tup.km.ua tcp
UA 62.149.23.110:443 tcp
UA 195.214.214.53:443 tcp
US 76.164.227.60:443 tcp
JP 210.165.4.71:443 tcp

Files

memory/2928-0-0x0000000070000000-0x000000007000B000-memory.dmp

\Windows\SysWOW64\wuaucldt.exe

MD5: 080d6cb9a1b7d17f5047d64a739a4670
SHA1: ec817d6a722ed59c550b16b7099f46174352982f
SHA256: 600b6df1fa279556cb7bfcbba34a3fc80c04e85f0b1923de0318b06b5f1ca955
SHA512: 614bedc411f76d5c6f472f9627c5dd525a144235949488214ba37975f8aa4f8c06814bc4684bd4d726834d26eabf2fabada12b1c110f2b1faac3c14b6cbf5121

These hashes are identical to the submitted sample: the dropped SysWOW64 wuaucldt.exe is a byte-for-byte self-copy, so the sample hash also identifies the dropped file.

memory/3000-20-0x0000000070000000-0x000000007000B000-memory.dmp

Memory dumps taken from PID 1916 (the injected svchost.exe):

memory/1916-22-0x0000000000080000-0x0000000000089000-memory.dmp
memory/1916-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1916-25-0x0000000000080000-0x0000000000089000-memory.dmp
memory/1916-27-0x0000000000080000-0x0000000000089000-memory.dmp
memory/1916-30-0x0000000000080000-0x0000000000089000-memory.dmp
memory/1916-31-0x0000000000080000-0x0000000000089000-memory.dmp
memory/1916-32-0x0000000000080000-0x0000000000089000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-26 14:18
Reported: 2024-05-26 14:20
Platform: win10v2004-20240508-en
Max time kernel: 148s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\SysWOW64\wuaucldt.exe | N/A
N/A | N/A | \??\c:\users\admin\wuaucldt.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wuaucldt = "c:\\windows\\system32\\wuaucldt.exe" | \??\c:\users\admin\wuaucldt.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuaucldt = "c:\\users\\admin\\wuaucldt.exe" | \??\c:\users\admin\wuaucldt.exe | N/A

The same two values as in the Windows 7 run, written by the same (user-profile) copy; only the user SID differs. The HKLM value again records the un-redirected system32 path while the file itself was written to SysWOW64.

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\svchost.exe | N/A

As in behavioral1, the opener is the injected svchost.exe (PID 2348 here), and the report records only that the raw device was opened for write access, not the bytes written.
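Because both detonations (behavioral1 and behavioral2) record only that \??\PhysicalDrive0 was opened for modification, the confirmation step on a suspect machine is to read the first sector of the disk and compare it field by field with a known-good sector from the same build. The Python below is an added example written for this report; it is not sandbox output and not code from the sample's author. The sector contents, partition layout and the "clean" and "hooked" bootstrap bytes are constructed test data (the clean bytes are a placeholder stub, not a real boot loader); the device path in read_first_sector is the standard Windows raw-disk name and needs administrator rights.

```python
"""Verify a disk's first sector (MBR) against a known-good baseline.

Added example for this report, not sandbox output. The sector contents below
are constructed test data; the 'clean' bootstrap bytes are a placeholder stub.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0-439: bootstrap code, the region a bootkit replaces
DISK_SIG_OFF = 440       # 4-byte Windows disk signature
PART_TABLE_OFF = 446     # four 16-byte partition entries
SIGNATURE_OFF = 510      # 0x55 0xAA boot signature
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def read_first_sector(device=r"\\.\PhysicalDrive0"):
    """Read the live MBR; needs administrator on Windows (use /dev/sda as root on Linux)."""
    with open(device, "rb") as f:
        return f.read(SECTOR_SIZE)


def build_mbr(boot_code, partitions, disk_signature=0x1EADBEEF):
    """Assemble a 512-byte MBR from constructed parts (test data only)."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code does not fit in the bootstrap area")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_signature)
    for i, (ptype, lba_start, count) in enumerate(partitions[:4]):
        status = 0x80 if i == 0 else 0x00          # first entry marked active
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i,
                         status, b"\xff\xff\xff", ptype, b"\xff\xff\xff", lba_start, count)
    sector[SIGNATURE_OFF:] = b"\x55\xaa"
    return bytes(sector)


def parse_mbr(sector):
    """Split a sector into the fields worth comparing."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba_start, count = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype:  # type 0 means an unused slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
        "signature_ok": bytes(sector[SIGNATURE_OFF:]) == b"\x55\xaa",
    }


def compare_mbr(baseline, current):
    """Return a list of findings; an empty list means the sector matches the baseline."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not c["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        findings.append("bootstrap code (bytes 0-439) changed")
    if b["disk_signature"] != c["disk_signature"]:
        findings.append("disk signature changed")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table changed")
    return findings


# Constructed test sectors: identical partition layout, different bootstrap code,
# which is the shape of a bootkit that hijacks boot without breaking the disk.
CLEAN_BOOT = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8" + b"\x90" * 20
HOOKED_BOOT = b"\xea\x00\x7c\x00\x00" + b"\x90" * 30
PARTITIONS = [(0x07, 2048, 204800), (0x07, 206848, 8000000)]
BASELINE = build_mbr(CLEAN_BOOT, PARTITIONS)
TAMPERED = build_mbr(HOOKED_BOOT, PARTITIONS)

if __name__ == "__main__":
    print("clean vs clean:", compare_mbr(BASELINE, BASELINE) or "no findings")
    print("clean vs tampered:", compare_mbr(BASELINE, TAMPERED))
```

The comparison deliberately separates the bootstrap region from the partition table: a bootkit that wants the machine to keep booting leaves the partition table and disk signature alone and changes only bytes 0-439, so a whole-sector hash would flag the right thing but would not tell you which part moved. On a UEFI/GPT system the first sector is a protective MBR (one entry of type 0xEE); the bootstrap-region check still applies, but the place a bootkit would more likely target is the EFI System Partition, which this check does not cover.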

Drops file in System32 directory

Description | Indicator | Process | Target
File created | \??\c:\windows\SysWOW64\wuaucldt.exe | C:\Users\Admin\AppData\Local\Temp\080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exe | N/A
File created | \??\c:\windows\SysWOW64\wuaucldt.exe | \??\c:\windows\SysWOW64\wuaucldt.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4608 set thread context of 2348 | N/A | \??\c:\users\admin\wuaucldt.exe | C:\Windows\SysWOW64\svchost.exe

Suspicious use of WriteProcessMemory

Repeated identical rows are collapsed; the count is the number of events the sandbox logged.

Description | Indicator | Process | Target
PID 4888 wrote to memory of 4040 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exe | \??\c:\windows\SysWOW64\wuaucldt.exe
PID 4040 wrote to memory of 4608 (3 events) | N/A | \??\c:\windows\SysWOW64\wuaucldt.exe | \??\c:\users\admin\wuaucldt.exe
PID 4608 wrote to memory of 2348 (5 events) | N/A | \??\c:\users\admin\wuaucldt.exe | C:\Windows\SysWOW64\svchost.exe
PID 4888 wrote to memory of 3588 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 4040 wrote to memory of 4416 (3 events) | N/A | \??\c:\windows\SysWOW64\wuaucldt.exe | C:\Windows\SysWOW64\cmd.exe

Process chain: 4888 (sample) -> 4040 (SysWOW64 copy) -> 4608 (user-profile copy) -> 2348 (svchost.exe, injection target); 3588 and 4416 are the two cmd.exe instances. This is the same structure as in the Windows 7 run with different PIDs, and the same WriteProcessMemory-then-SetThreadContext pair (4608 -> 2348) marks the injection.
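The WriteProcessMemory and SetThreadContext rows in both behavioral runs encode the same chain, and reading it out of a few dozen repeated rows by hand is error-prone. The following Python is an added example rather than anything from this report or the sandbox vendor: it parses rows in exactly the form printed above into a process graph, finds the (source, target) pair that received both a memory write and a thread-context change where the target is a Windows system binary with a different image name than the writer, and walks the write edges back to the root process. The embedded rows are copied from the behavioral2 tables (PIDs are the sandbox's); the heuristic itself (system-directory target plus differing image name) is an assumption chosen for this write-up, not a sandbox rule.

```python
"""Rebuild the injection chain from sandbox WriteProcessMemory / SetThreadContext rows.

Added example for this report; the rows below are copied from the behavioral2
signature tables, everything else (the heuristic included) is an assumption.
"""
import re
from collections import Counter, defaultdict

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")

# Image paths exactly as the sandbox prints them.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exe"
SYS_COPY = r"\??\c:\windows\SysWOW64\wuaucldt.exe"
USER_COPY = r"\??\c:\users\admin\wuaucldt.exe"
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# (description, process, target) rows from the behavioral2 tables; repeats are
# kept because the sandbox logs one row per event.
ROWS = (
    [("PID 4888 wrote to memory of 4040", SAMPLE_EXE, SYS_COPY)] * 3
    + [("PID 4040 wrote to memory of 4608", SYS_COPY, USER_COPY)] * 3
    + [("PID 4608 wrote to memory of 2348", USER_COPY, SVCHOST)] * 5
    + [("PID 4888 wrote to memory of 3588", SAMPLE_EXE, CMD)] * 3
    + [("PID 4040 wrote to memory of 4416", SYS_COPY, CMD)] * 3
    + [("PID 4608 set thread context of 2348", USER_COPY, SVCHOST)]
)

# Assumed: anything under these directories counts as an OS binary for the heuristic.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def normalize(path):
    """Drop the \\??\\ NT prefix and lower-case so Process and Target columns compare equal."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def parse_rows(rows):
    """Count write and thread-context events per (source, target) PID pair; map PID -> image."""
    writes, ctx, image = Counter(), Counter(), {}
    for desc, proc, target in rows:
        table, m = writes, WRITE_RE.match(desc)
        if m is None:
            table, m = ctx, CTX_RE.match(desc)
        if m is None:
            continue  # some other signature row; ignore
        src, dst = int(m.group(1)), int(m.group(2))
        table[(src, dst)] += 1
        image.setdefault(src, normalize(proc))
        image.setdefault(dst, normalize(target))
    return writes, ctx, image


def hollowing_candidates(rows):
    """Pairs with both a memory write and a SetThreadContext, where the target is an OS
    binary with a different image name than the writer: the process-hollowing shape."""
    writes, ctx, image = parse_rows(rows)
    found = []
    for (src, dst) in ctx:
        if (src, dst) not in writes:
            continue
        src_name = image[src].rsplit("\\", 1)[-1]
        dst_name = image[dst].rsplit("\\", 1)[-1]
        if image[dst].startswith(SYSTEM_DIRS) and src_name != dst_name:
            found.append({
                "source_pid": src, "target_pid": dst,
                "source_image": image[src], "target_image": image[dst],
                "writes": writes[(src, dst)], "context_sets": ctx[(src, dst)],
            })
    return found


def chain_to(rows, final_pid):
    """Follow write edges backwards from final_pid to the process nobody wrote into."""
    writes, _, _ = parse_rows(rows)
    parents = defaultdict(list)
    for src, dst in writes:
        parents[dst].append(src)
    chain, seen = [final_pid], {final_pid}
    while parents[chain[0]]:
        parent = parents[chain[0]][0]
        if parent in seen:
            break  # guard against a cycle in malformed input
        seen.add(parent)
        chain.insert(0, parent)
    return chain


if __name__ == "__main__":
    for c in hollowing_candidates(ROWS):
        print(f"{c['source_pid']} -> {c['target_pid']}: {c['writes']} writes, "
              f"target {c['target_image']}")
        print("chain:", " -> ".join(map(str, chain_to(ROWS, c["target_pid"]))))
```

The writes from the sample into the two cmd.exe children are not reported as candidates because no SetThreadContext accompanies them; a parent writing into a freshly created child is common and only becomes interesting when paired with a context change, which is the distinction the sandbox's generic "Suspicious use of WriteProcessMemory" signature does not make.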

Processes

Process (sandbox PID) | Command line
C:\Users\Admin\AppData\Local\Temp\080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exe (4888) | "C:\Users\Admin\AppData\Local\Temp\080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exe"
\??\c:\windows\SysWOW64\wuaucldt.exe (4040) | c:\windows\system32\wuaucldt.exe
\??\c:\users\admin\wuaucldt.exe (4608) | c:\users\admin\wuaucldt.exe
C:\Windows\SysWOW64\svchost.exe (2348) | C:\Windows\system32\svchost.exe
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del c:\users\admin\appdata\local\temp\080D6C~1.EXE
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del c:\windows\syswow64\wuaucldt.exe

PIDs are taken from the signature rows above.

Network

Country Destination Domain Proto
US 64.56.68.34:443 tcp
UA 195.214.214.53:443 tcp
BR 200.234.223.237:443 tcp
UA 62.149.23.110:443 tcp
UA 82.193.122.190:443 tcp
UA 212.111.198.59:443 tcp
JP 133.87.45.189:443 tcp
US 74.125.87.69:443 tcp
US 8.8.8.8:53 newsletter.go udp
US 8.8.8.8:53 global-host.com.ua udp
US 8.8.8.8:53 shop.poziti udp
US 8.8.8.8:53 hosting.cnrg.com.ua udp
US 8.8.8.8:53 cps-h3.ep.sci.hokudai.ac.jp udp
US 8.8.8.8:53 wow.merlin.org.ua udp
US 8.8.8.8:53 www.imagemfolheados.com.br udp
N/A 224.0.0.251:5353 udp
UA 77.120.104.50:443 tcp
US 8.8.8.8:53 mst.com.ua udp
JP 164.46.227.120:443 tcp
NL 82.196.6.164:443 mst.com.ua tcp
UA 193.138.146.141:443 wow.merlin.org.ua tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
BR 143.137.190.15:443 www.imagemfolheados.com.br tcp
US 8.8.8.8:53 www.nrw.co.jp udp
UA 77.120.110.76:443 tcp
N/A 10.127.0.215:443 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 15.190.137.143.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 www.digimer.com.br udp
UA 195.182.192.2:443 tcp
JP 202.218.170.179:443 tcp
US 8.8.8.8:53 cg.ces.kyutech.ac.jp udp
US 8.8.8.8:53 loja.tray.com.br udp
BR 177.67.115.135:443 loja.tray.com.br tcp
US 3.162.140.102:443 www.digimer.com.br tcp
US 8.8.8.8:53 nodes.com.ua udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 weather.co.ua udp
RU 185.9.147.4:443 weather.co.ua tcp
JP 203.180.136.89:443 tcp
US 8.8.8.8:53 102.140.162.3.in-addr.arpa udp
US 8.8.8.8:53 2.192.182.195.in-addr.arpa udp
US 8.8.8.8:53 135.115.67.177.in-addr.arpa udp
US 8.8.8.8:53 4.147.9.185.in-addr.arpa udp
BR 201.20.45.207:443 tcp
JP 222.146.58.38:443 tcp
RU 185.9.147.4:443 weather.co.ua tcp
US 8.8.8.8:53 www.inde udp
UA 212.111.198.59:443 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 64.56.68.36:443 tcp
US 8.8.8.8:53 hosting.cnrg.com.ua udp
US 8.8.8.8:53 ssl876.locaweb.com.br udp
US 8.8.8.8:53 newsletter.go udp
US 8.8.8.8:53 www.billboxrecords.com.br udp
JP 131.113.221.138:443 tcp
US 8.8.8.8:53 spooky.cartoons.org.ua udp
US 207.44.220.4:443 tcp
JP 133.26.200.10:443 tcp
US 69.57.128.35:443 tcp
US 8.8.8.8:53 isu2.tup.km.ua udp
UA 82.193.122.190:443 tcp
BR 200.234.192.141:443 tcp
BR 143.137.190.15:443 www.imagemfolheados.com.br tcp
FR 217.182.53.72:443 isu2.tup.km.ua tcp
BR 191.252.48.196:443 ssl876.locaweb.com.br tcp
US 64.131.68.169:443 tcp
US 65.74.140.3:443 tcp
US 8.8.8.8:53 www.jaif.or.jp udp
US 8.8.8.8:53 72.53.182.217.in-addr.arpa udp
UA 212.82.216.42:443 tcp
JP 150.60.251.193:443 www.jaif.or.jp tcp
US 8.8.8.8:53 www.365.e-secom.jp udp
US 8.8.8.8:53 www.wolfram.co.jp udp
US 8.8.8.8:53 193.251.60.150.in-addr.arpa udp
US 8.8.8.8:53 196.48.252.191.in-addr.arpa udp
UA 109.72.122.165:443 tcp
US 140.177.9.54:443 www.wolfram.co.jp tcp
UA 82.193.122.190:443 tcp
UA 109.72.122.165:443 tcp
UA 77.120.99.240:443 tcp
US 207.44.220.4:443 tcp
UA 79.171.122.236:443 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
BR 177.67.115.135:443 loja.tray.com.br tcp
US 208.110.80.34:443 tcp
US 8.8.8.8:53 la2.meganet.org.ua udp
US 8.8.8.8:53 www.aandd.jp udp
US 172.67.220.141:443 la2.meganet.org.ua tcp
US 8.8.8.8:53 m-repo.lib.meiji.ac.jp udp
JP 202.218.111.122:443 tcp
US 172.67.205.214:443 www.aandd.jp tcp
US 8.8.8.8:53 www.irt udp
JP 202.214.40.79:443 tcp
FR 217.182.53.72:443 isu2.tup.km.ua tcp
US 8.8.8.8:53 www.stone.co.ua udp
UA 109.72.122.165:443 tcp
US 8.8.8.8:53 center.umin.ac.jp udp
JP 133.26.200.10:443 m-repo.lib.meiji.ac.jp tcp
JP 202.191.113.9:443 tcp
JP 211.133.134.87:443 tcp
US 8.8.8.8:53 141.220.67.172.in-addr.arpa udp
US 8.8.8.8:53 214.205.67.172.in-addr.arpa udp
JP 210.165.4.71:443 tcp
JP 202.218.111.122:443 tcp
JP 211.133.134.87:443 tcp
UA 193.178.147.110:443 tcp
US 64.79.197.143:443 tcp
JP 211.133.134.87:443 tcp
US 8.8.8.8:53 110.147.178.193.in-addr.arpa udp
JP 202.214.40.79:443 tcp
US 74.125.87.69:443 tcp
US 8.8.8.8:53 www.irt udp
UA 91.196.95.24:443 tcp
JP 210.171.131.16:443 tcp
US 208.110.80.35:443 tcp
US 65.74.140.3:443 tcp
UA 77.120.121.35:443 tcp
US 64.79.197.143:443 tcp
BR 200.143.10.165:443 tcp
JP 210.171.131.16:443 tcp
PL 193.23.48.228:443 tcp
US 8.8.8.8:53 www.epra udp
BR 201.49.212.100:443 tcp
US 8.8.8.8:53 cg.ces.kyutech.ac.jp udp
UA 77.120.110.76:443 tcp
JP 210.165.4.71:443 tcp
US 8.8.8.8:53 newsletter.go udp
US 8.8.8.8:53 masterkey.com.ua udp
US 8.8.8.8:53 www.science-forum.co.jp udp
DE 185.53.178.53:443 masterkey.com.ua tcp
BR 200.234.192.141:443 tcp
UA 193.178.147.110:443 tcp
JP 203.79.51.228:443 tcp
US 8.8.8.8:53 53.178.53.185.in-addr.arpa udp
US 8.8.8.8:53 228.51.79.203.in-addr.arpa udp
BR 201.20.45.207:443 tcp
JP 125.53.25.30:443 tcp
US 8.8.8.8:53 loja.tray.com.br udp
BR 177.67.115.135:443 loja.tray.com.br tcp
US 8.8.8.8:53 www.saredrogarias.com.br udp
US 104.21.49.86:443 www.saredrogarias.com.br tcp
US 8.8.8.8:53 www.digimer.com.br udp
US 140.177.205.56:443 tcp
US 3.162.140.122:443 www.digimer.com.br tcp
US 8.8.8.8:53 86.49.21.104.in-addr.arpa udp
US 8.8.8.8:53 122.140.162.3.in-addr.arpa udp
US 8.8.8.8:53 itmedia.smartseminar.jp udp
IE 18.66.171.62:443 itmedia.smartseminar.jp tcp
US 8.8.8.8:53 62.171.66.18.in-addr.arpa udp
JP 164.46.227.120:443 tcp
US 8.8.8.8:53 nodes.com.ua udp
BR 200.234.223.237:443 tcp
US 208.110.80.36:443 tcp
US 8.8.8.8:53 www.stone.co.ua udp
NL 87.239.184.105:443 tcp
JP 203.180.136.89:443 tcp
JP 202.218.170.179:443 tcp
UA 193.110.163.66:443 tcp
US 8.8.8.8:53 www.gsec.keio.ac.jp udp
US 74.125.87.69:443 tcp
RU 185.9.147.4:443 weather.co.ua tcp
US 8.8.8.8:53 66.163.110.193.in-addr.arpa udp
JP 222.146.58.38:443 tcp
UA 195.214.214.53:443 tcp
JP 222.146.58.38:443 tcp
US 8.8.8.8:53 direct.ips.co.jp udp
JP 202.218.13.170:443 direct.ips.co.jp tcp
UA 195.182.192.2:443 tcp
RU 185.9.147.4:443 weather.co.ua tcp
BR 177.67.115.135:443 loja.tray.com.br tcp
US 104.21.49.86:443 www.saredrogarias.com.br tcp
US 8.8.8.8:53 170.13.218.202.in-addr.arpa udp
US 8.8.8.8:53 www.epra udp
US 74.125.87.69:443 tcp
BR 201.20.45.207:443 tcp
US 8.8.8.8:53 k.jfc.go.jp udp
US 65.74.140.3:443 tcp
DE 193.26.15.243:443 tcp
US 8.8.8.8:53 www.nrw.co.jp udp
US 140.177.9.54:443 www.wolfram.co.jp tcp
BR 201.20.45.207:443 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
JP 133.26.200.10:443 m-repo.lib.meiji.ac.jp tcp
UA 91.203.146.30:443 tcp
JP 202.218.170.179:443 tcp
US 8.8.8.8:53 www.inde udp
US 69.57.128.35:443 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 76.164.227.58:443 tcp
NL 87.239.184.105:443 tcp
JP 210.171.131.16:443 tcp
DE 193.26.15.243:443 tcp
JP 202.218.13.230:443 tcp
BR 200.192.143.87:443 tcp
US 8.8.8.8:53 www.nrw.co.jp udp
JP 133.26.200.10:443 m-repo.lib.meiji.ac.jp tcp
US 8.8.8.8:53 www.rulez.org.ua udp
BR 177.67.115.135:443 loja.tray.com.br tcp
US 3.162.140.122:443 www.digimer.com.br tcp
JP 202.218.13.170:443 direct.ips.co.jp tcp
JP 203.179.38.26:443 tcp
US 8.8.8.8:53 www.kajima.co.jp udp
JP 202.241.202.159:443 www.kajima.co.jp tcp
US 104.21.49.86:443 www.saredrogarias.com.br tcp
UA 77.120.121.35:443 tcp
US 8.8.8.8:53 forum.gryada.org.ua udp
US 172.67.205.214:443 www.aandd.jp tcp
US 8.8.8.8:53 shop.poziti udp
NL 87.239.184.105:443 tcp
US 8.8.8.8:53 form.cao.go.jp udp
JP 210.148.118.162:443 form.cao.go.jp tcp
JP 130.69.92.68:443 tcp
US 69.57.128.35:443 tcp
US 8.8.8.8:53 162.118.148.210.in-addr.arpa udp
BR 177.67.115.135:443 loja.tray.com.br tcp
BR 200.143.10.165:443 tcp
BR 177.67.115.135:443 loja.tray.com.br tcp
UA 212.82.216.42:443 tcp
US 104.21.49.86:443 www.saredrogarias.com.br tcp
JP 202.226.91.62:443 tcp
US 76.164.227.59:443 tcp
BR 177.67.115.135:443 loja.tray.com.br tcp
US 204.13.248.107:443 tcp
UA 212.111.198.59:443 tcp
JP 202.218.13.230:443 tcp
BR 201.49.212.100:443 tcp
JP 210.171.131.16:443 tcp
US 8.8.8.8:53 accounts.comodo.od.ua udp
US 162.255.25.25:443 accounts.comodo.od.ua tcp
US 8.8.8.8:53 www.science-forum.co.jp udp
JP 222.146.58.38:443 tcp
US 8.8.8.8:53 www.jica.go.jp udp
US 3.162.140.73:443 www.jica.go.jp tcp
UA 77.120.121.35:443 tcp
US 8.8.8.8:53 73.140.162.3.in-addr.arpa udp
JP 202.218.203.244:443 tcp
US 3.162.140.73:443 www.jica.go.jp tcp
JP 210.148.118.162:443 form.cao.go.jp tcp
US 74.125.87.69:443 tcp
UA 77.120.99.240:443 tcp
US 8.8.8.8:53 www.okilogistics.co.jp udp
US 140.177.9.54:443 www.wolfram.co.jp tcp
US 8.8.8.8:53 ss1.coressl.jp udp
JP 183.90.183.210:443 ss1.coressl.jp tcp
JP 202.218.170.179:443 tcp
US 8.8.8.8:53 210.183.90.183.in-addr.arpa udp
UA 77.120.104.50:443 tcp
US 8.8.8.8:53 shop.poziti udp
NL 87.239.184.105:443 tcp
JP 183.90.183.210:443 ss1.coressl.jp tcp
JP 164.46.227.120:443 tcp
UA 77.120.104.50:443 tcp
US 76.164.227.60:443 tcp
UA 82.193.122.190:443 tcp
US 8.8.8.8:53 137.71.105.51.in-addr.arpa udp
US 8.8.8.8:53 www.365.e-secom.jp udp
UA 77.120.99.240:443 tcp
UA 79.171.122.236:443 tcp
UA 212.111.198.59:443 tcp
US 8.8.8.8:53 loja.tray.com.br udp
BR 177.67.115.135:443 loja.tray.com.br tcp
UA 82.193.122.190:443 tcp
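The two Network tables mix the sample's own traffic with sandbox and OS background: reverse lookups (*.in-addr.arpa) issued by the Windows 10 image, Bing connectivity, mDNS to 224.0.0.251 and a private 10.x address. Stripping those leaves the pattern both runs share: a large number of TCP/443 connections to unrelated hosts in JP, BR and UA, many of them to bare IPs with no preceding DNS query in the table, plus names that were resolved but never connected to. The Python below is an added example, not part of this report; it parses rows in the exact layout printed above, classifies noise, and summarizes unique destinations, queried names, and names queried but never connected to. The embedded rows are a subset copied from the behavioral2 table; OS_NOISE_DOMAINS is an assumed list that should be tuned to the sandbox image in use.

```python
"""Separate the sample's network activity from sandbox/OS noise in a Network table.

Added example for this report. Rows are a subset copied from the behavioral2
table; OS_NOISE_DOMAINS is an assumed list to tune per sandbox image.
"""
import ipaddress
from collections import Counter

SAMPLE_ROWS = """\
US 8.8.8.8:53 global-host.com.ua udp
US 8.8.8.8:53 hosting.cnrg.com.ua udp
N/A 224.0.0.251:5353 udp
UA 77.120.104.50:443 tcp
US 8.8.8.8:53 mst.com.ua udp
NL 82.196.6.164:443 mst.com.ua tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
N/A 10.127.0.215:443 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 weather.co.ua udp
RU 185.9.147.4:443 weather.co.ua tcp
RU 185.9.147.4:443 weather.co.ua tcp
BR 177.67.115.135:443 loja.tray.com.br tcp
BR 177.67.115.135:443 loja.tray.com.br tcp
JP 133.26.200.10:443 tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
"""

# Assumed list of domains a bare Windows 10 sandbox contacts on its own.
OS_NOISE_DOMAINS = ("bing.com", "bing.net", "msftconnecttest.com", "windowsupdate.com")


def parse_rows(text):
    """Parse 'Country Destination [Domain] Proto' lines; the Domain column is optional."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue
        if ":" not in dest:
            continue  # header line or garbage
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def is_noise(row):
    """Reverse lookups, multicast/private targets and known OS chatter are not the sample."""
    ip = ipaddress.ip_address(row["ip"])
    if ip.is_private or ip.is_multicast or ip.is_link_local:
        return True
    name = (row["domain"] or "").lower()
    if name.endswith(".in-addr.arpa"):
        return True
    return any(name == d or name.endswith("." + d) for d in OS_NOISE_DOMAINS)


def summarize(rows):
    """Unique non-noise destinations, the names queried, and names never connected to."""
    queries, destinations, by_country, noise = set(), {}, Counter(), 0
    for row in rows:
        if is_noise(row):
            noise += 1
            continue
        if row["proto"] == "udp" and row["port"] == 53:
            if row["domain"]:
                queries.add(row["domain"].lower())
            continue
        entry = destinations.setdefault(
            row["ip"], {"country": row["country"], "domain": row["domain"], "hits": 0})
        entry["hits"] += 1
        if entry["hits"] == 1:
            by_country[row["country"]] += 1
    connected = {d["domain"].lower() for d in destinations.values() if d["domain"]}
    return {
        "noise_rows": noise,
        "dns_queries": queries,
        "destinations": destinations,
        "unique_destinations": len(destinations),
        "by_country": by_country,
        "queried_never_connected": queries - connected,
    }


if __name__ == "__main__":
    s = summarize(parse_rows(SAMPLE_ROWS))
    print(f"{s['unique_destinations']} unique destinations, {s['noise_rows']} noise rows")
    print("by country:", dict(s["by_country"]))
    print("queried but never connected:", sorted(s["queried_never_connected"]))
```

Two caveats when applying this to the full tables: the Domain column on a TCP row is the sandbox's association of an earlier DNS answer with the connection, not something the sample sent, so a bare-IP row can still be a connection to a name resolved outside the capture window; and the sample's command-and-control, if any, is not separable from the rest of the fan-out by this summary alone, which only makes the volume and geography explicit.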

Files

C:\Windows\SysWOW64\wuaucldt.exe

MD5: 080d6cb9a1b7d17f5047d64a739a4670
SHA1: ec817d6a722ed59c550b16b7099f46174352982f
SHA256: 600b6df1fa279556cb7bfcbba34a3fc80c04e85f0b1923de0318b06b5f1ca955
SHA512: 614bedc411f76d5c6f472f9627c5dd525a144235949488214ba37975f8aa4f8c06814bc4684bd4d726834d26eabf2fabada12b1c110f2b1faac3c14b6cbf5121

Identical to the submitted sample, as in behavioral1: the dropped file is a self-copy.

memory/4888-4-0x0000000070000000-0x000000007000B000-memory.dmp
memory/4608-11-0x0000000070000000-0x000000007000B000-memory.dmp

Memory dumps taken from PID 2348 (the injected svchost.exe):

memory/2348-14-0x0000000000E00000-0x0000000000E09000-memory.dmp
memory/2348-15-0x0000000000E00000-0x0000000000E09000-memory.dmp
memory/2348-16-0x0000000000E00000-0x0000000000E09000-memory.dmp
memory/2348-19-0x0000000000E00000-0x0000000000E09000-memory.dmp
memory/2348-20-0x0000000000E00000-0x0000000000E09000-memory.dmp
memory/2348-21-0x0000000000E00000-0x0000000000E09000-memory.dmp