Malware Analysis Report

2025-01-06 10:33

Sample ID 240601-d4drcagd8t
Target 8be7d9e47a089fc11cc197174ec93b60_NeikiAnalytics.exe
SHA256 473798b0ff65aee4bce5e0b5e72bf914628ab3d51b75930811c76d63300c288a
Tags
evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

473798b0ff65aee4bce5e0b5e72bf914628ab3d51b75930811c76d63300c288a

Threat Level: Known bad

The file 8be7d9e47a089fc11cc197174ec93b60_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence trojan

Windows security bypass

Modifies Installed Components in the registry

Sets file execution options in registry

Windows security modification

Executes dropped EXE

Loads dropped DLL

Modifies WinLogon

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 03:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 03:33

Reported

2024-06-01 03:35

Platform

win7-20240221-en

Max time kernel

149s

Max time network

141s

Command Line

winlogon.exe

Signatures

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" C:\Windows\SysWOW64\uvruxan.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" C:\Windows\SysWOW64\uvruxan.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" C:\Windows\SysWOW64\uvruxan.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" C:\Windows\SysWOW64\uvruxan.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{484B554C-4249-4255-484B-554C42494255} C:\Windows\SysWOW64\uvruxan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{484B554C-4249-4255-484B-554C42494255}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" C:\Windows\SysWOW64\uvruxan.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{484B554C-4249-4255-484B-554C42494255}\IsInstalled = "1" C:\Windows\SysWOW64\uvruxan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{484B554C-4249-4255-484B-554C42494255}\StubPath = "C:\\Windows\\system32\\itsoakid.exe" C:\Windows\SysWOW64\uvruxan.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe C:\Windows\SysWOW64\uvruxan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" C:\Windows\SysWOW64\uvruxan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\irtoonir-efoab.exe" C:\Windows\SysWOW64\uvruxan.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\uvruxan.exe N/A (2 identical rows)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" C:\Windows\SysWOW64\uvruxan.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" C:\Windows\SysWOW64\uvruxan.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" C:\Windows\SysWOW64\uvruxan.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" C:\Windows\SysWOW64\uvruxan.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} C:\Windows\SysWOW64\uvruxan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify C:\Windows\SysWOW64\uvruxan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" C:\Windows\SysWOW64\uvruxan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\asfigak.dll" C:\Windows\SysWOW64\uvruxan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" C:\Windows\SysWOW64\uvruxan.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\asfigak.dll C:\Windows\SysWOW64\uvruxan.exe N/A
File opened for modification C:\Windows\SysWOW64\uvruxan.exe C:\Windows\SysWOW64\uvruxan.exe N/A
File opened for modification C:\Windows\SysWOW64\uvruxan.exe C:\Users\Admin\AppData\Local\Temp\8be7d9e47a089fc11cc197174ec93b60_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\uvruxan.exe C:\Users\Admin\AppData\Local\Temp\8be7d9e47a089fc11cc197174ec93b60_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\irtoonir-efoab.exe C:\Windows\SysWOW64\uvruxan.exe N/A
File created C:\Windows\SysWOW64\irtoonir-efoab.exe C:\Windows\SysWOW64\uvruxan.exe N/A
File opened for modification C:\Windows\SysWOW64\itsoakid.exe C:\Windows\SysWOW64\uvruxan.exe N/A
File opened for modification C:\Windows\SysWOW64\asfigak.dll C:\Windows\SysWOW64\uvruxan.exe N/A
File created C:\Windows\SysWOW64\itsoakid.exe C:\Windows\SysWOW64\uvruxan.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\uvruxan.exe N/A (64 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8be7d9e47a089fc11cc197174ec93b60_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\uvruxan.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2420 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\8be7d9e47a089fc11cc197174ec93b60_NeikiAnalytics.exe C:\Windows\SysWOW64\uvruxan.exe (4 identical rows)
PID 1168 wrote to memory of 436 N/A C:\Windows\SysWOW64\uvruxan.exe C:\Windows\system32\winlogon.exe
PID 1168 wrote to memory of 1212 N/A C:\Windows\SysWOW64\uvruxan.exe C:\Windows\Explorer.EXE (2 identical rows)
PID 1168 wrote to memory of 2868 N/A C:\Windows\SysWOW64\uvruxan.exe C:\Windows\SysWOW64\uvruxan.exe (4 identical rows)
PID 1168 wrote to memory of 1212 N/A C:\Windows\SysWOW64\uvruxan.exe C:\Windows\Explorer.EXE (53 identical rows)

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\8be7d9e47a089fc11cc197174ec93b60_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8be7d9e47a089fc11cc197174ec93b60_NeikiAnalytics.exe"

C:\Windows\SysWOW64\uvruxan.exe

"C:\Windows\system32\uvruxan.exe"

C:\Windows\SysWOW64\uvruxan.exe

--k33p

Network

Country Destination Domain Proto
US 8.8.8.8:53 cflcek.ph udp
US 45.79.222.138:80 cflcek.ph tcp
US 8.8.8.8:53 utbidet-ugeas.biz udp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 utbidet-ugeas.biz udp
N/A 127.0.0.1:80 tcp
US 44.208.124.139:80 utbidet-ugeas.biz tcp

Files

\Windows\SysWOW64\uvruxan.exe

MD5 8be7d9e47a089fc11cc197174ec93b60
SHA1 ad2e34447d465cd7b66eb55778cc8186fedf6581
SHA256 473798b0ff65aee4bce5e0b5e72bf914628ab3d51b75930811c76d63300c288a
SHA512 b238ba670569b413830132614dda2932f16454a737634b546359314fc659917f14fd14923108c27b2e9b338fa6d63e21be29a2e57aa458e16acb4a98c3383387

memory/2420-10-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Windows\SysWOW64\itsoakid.exe

MD5 9a35b76ddb2273cace4b180a8adf9eb7
SHA1 f88384785bc1e95f0db6392d9888d96366346e74
SHA256 747b96b65005440e85de97d5ed0fd6819045ef71539db117213c57f52d45fab3
SHA512 e9f0e8396e117fff4317916443ff079608daada4a129c3ce9b515d2f0ff704f74df5a26e73a7aef696b785a7b6a98fa2a4e9c8c1f9b5876c06004617500f84bd

C:\Windows\SysWOW64\irtoonir-efoab.exe

MD5 4acce37a85f06bf12ea0dd1982cec3f5
SHA1 f065d01bc5ea5915f3150db16fb3f448d7b37b62
SHA256 d9c0feda850b714e23dd0ef671e0beb1cd2886b567d186d128f805c98b439bb8
SHA512 7079ce0d33d7cd81a9375749591db77306d52d6d7e9fb6f71d1ff0f56c10c30c9a212e3203af4c0b3bcc5db09b2695c20550389fca705ed5b2af42d7cdfe60e3

C:\Windows\SysWOW64\asfigak.dll

MD5 f37b21c00fd81bd93c89ce741a88f183
SHA1 b2796500597c68e2f5638e1101b46eaf32676c1c
SHA256 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

memory/1168-55-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2868-56-0x0000000000400000-0x0000000000414000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 03:33

Reported

2024-06-01 03:36

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

151s

Command Line

winlogon.exe

Signatures

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" C:\Windows\SysWOW64\uvruxan.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" C:\Windows\SysWOW64\uvruxan.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" C:\Windows\SysWOW64\uvruxan.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" C:\Windows\SysWOW64\uvruxan.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F41494C-5643-4e59-4F41-494C56434e59} C:\Windows\SysWOW64\uvruxan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F41494C-5643-4e59-4F41-494C56434e59}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" C:\Windows\SysWOW64\uvruxan.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F41494C-5643-4e59-4F41-494C56434e59}\IsInstalled = "1" C:\Windows\SysWOW64\uvruxan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F41494C-5643-4e59-4F41-494C56434e59}\StubPath = "C:\\Windows\\system32\\itsoakid.exe" C:\Windows\SysWOW64\uvruxan.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe C:\Windows\SysWOW64\uvruxan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" C:\Windows\SysWOW64\uvruxan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\irtoonir-efoab.exe" C:\Windows\SysWOW64\uvruxan.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\uvruxan.exe N/A (2 identical rows)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" C:\Windows\SysWOW64\uvruxan.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" C:\Windows\SysWOW64\uvruxan.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" C:\Windows\SysWOW64\uvruxan.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" C:\Windows\SysWOW64\uvruxan.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} C:\Windows\SysWOW64\uvruxan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify C:\Windows\SysWOW64\uvruxan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" C:\Windows\SysWOW64\uvruxan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\asfigak.dll" C:\Windows\SysWOW64\uvruxan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" C:\Windows\SysWOW64\uvruxan.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\itsoakid.exe C:\Windows\SysWOW64\uvruxan.exe N/A
File opened for modification C:\Windows\SysWOW64\uvruxan.exe C:\Windows\SysWOW64\uvruxan.exe N/A
File opened for modification C:\Windows\SysWOW64\asfigak.dll C:\Windows\SysWOW64\uvruxan.exe N/A
File created C:\Windows\SysWOW64\asfigak.dll C:\Windows\SysWOW64\uvruxan.exe N/A
File opened for modification C:\Windows\SysWOW64\uvruxan.exe C:\Users\Admin\AppData\Local\Temp\8be7d9e47a089fc11cc197174ec93b60_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\uvruxan.exe C:\Users\Admin\AppData\Local\Temp\8be7d9e47a089fc11cc197174ec93b60_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\irtoonir-efoab.exe C:\Windows\SysWOW64\uvruxan.exe N/A
File created C:\Windows\SysWOW64\irtoonir-efoab.exe C:\Windows\SysWOW64\uvruxan.exe N/A
File opened for modification C:\Windows\SysWOW64\itsoakid.exe C:\Windows\SysWOW64\uvruxan.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\uvruxan.exe N/A (64 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8be7d9e47a089fc11cc197174ec93b60_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\uvruxan.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4616 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\8be7d9e47a089fc11cc197174ec93b60_NeikiAnalytics.exe C:\Windows\SysWOW64\uvruxan.exe (3 identical rows)
PID 2220 wrote to memory of 4760 N/A C:\Windows\SysWOW64\uvruxan.exe C:\Windows\SysWOW64\uvruxan.exe (3 identical rows)
PID 2220 wrote to memory of 616 N/A C:\Windows\SysWOW64\uvruxan.exe C:\Windows\system32\winlogon.exe
PID 2220 wrote to memory of 3360 N/A C:\Windows\SysWOW64\uvruxan.exe C:\Windows\Explorer.EXE (57 identical rows)

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\8be7d9e47a089fc11cc197174ec93b60_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8be7d9e47a089fc11cc197174ec93b60_NeikiAnalytics.exe"

C:\Windows\SysWOW64\uvruxan.exe

"C:\Windows\system32\uvruxan.exe"

C:\Windows\SysWOW64\uvruxan.exe

--k33p

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4340 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 smmcqouchyumi.vg udp
DE 88.198.29.97:80 smmcqouchyumi.vg tcp
US 8.8.8.8:53 utbidet-ugeas.biz udp
US 8.8.8.8:53 97.29.198.88.in-addr.arpa udp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 utbidet-ugeas.biz udp
US 44.208.124.139:80 utbidet-ugeas.biz tcp
US 8.8.8.8:53 139.124.208.44.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp

Files

C:\Windows\SysWOW64\uvruxan.exe

MD5 8be7d9e47a089fc11cc197174ec93b60
SHA1 ad2e34447d465cd7b66eb55778cc8186fedf6581
SHA256 473798b0ff65aee4bce5e0b5e72bf914628ab3d51b75930811c76d63300c288a
SHA512 b238ba670569b413830132614dda2932f16454a737634b546359314fc659917f14fd14923108c27b2e9b338fa6d63e21be29a2e57aa458e16acb4a98c3383387

memory/4616-6-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Windows\SysWOW64\itsoakid.exe

MD5 dae5741bc9c9fe44a90b0484d59aa376
SHA1 30c0320a23e30aa1c4c7a49136ccb37e2f24e656
SHA256 fcb1eb4438d333885710bb4a3edc28306960ec906ef3cca067c568a814093b9e
SHA512 1590b8c156d48cbea93d043bb1969a18e3a3d41df8fa8eab2e41b28ef163e561d5187f6bc69fa5e6138fb51b26cb598d46a20336b2cc6e8c38478f3bb4d0d5a3

C:\Windows\SysWOW64\irtoonir-efoab.exe

MD5 23747a6160babf6a63d08fa9b0415f8f
SHA1 2ede35a81707e68eff82b1f1da9a676ef2b6181f
SHA256 20d8fdf531f51efc9a77bd038cbd63ddea9724f56d2f03f219c55577435180f4
SHA512 c6913fb3e69616f99ee60e1fec98d6e56450ee64f7f3e1ba6c21fd7c5c2bd98ba08fa745d89b8783bf09c43651097c51a5e0e7b837dd11f902e550c22dac5348

C:\Windows\SysWOW64\asfigak.dll

MD5 f37b21c00fd81bd93c89ce741a88f183
SHA1 b2796500597c68e2f5638e1101b46eaf32676c1c
SHA256 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

memory/2220-49-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4760-50-0x0000000000400000-0x0000000000414000-memory.dmp