Malware Analysis Report

2025-01-06 09:01

Sample ID 240601-fq2mcsbe42
Target 8e8904677a103e755f0513905cbfac20_NeikiAnalytics.exe
SHA256 27b5774349c294ace1dc32b0daaa0a0f6e37f64ea5ac428067ccdb69a9297a07
Tags
evasion persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

27b5774349c294ace1dc32b0daaa0a0f6e37f64ea5ac428067ccdb69a9297a07

Threat Level: Known bad

The file 8e8904677a103e755f0513905cbfac20_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence trojan

Windows security bypass

Modifies Installed Components in the registry

Sets file execution options in registry

Loads dropped DLL

Windows security modification

Executes dropped EXE

Modifies WinLogon

Drops file in System32 directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 05:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 05:05

Reported

2024-06-01 05:07

Platform

win7-20240508-en

Max time kernel

149s

Max time network

120s

Command Line

winlogon.exe

Signatures

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{554F5448-4350-4851-554F-544843504851} C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{554F5448-4350-4851-554F-544843504851}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{554F5448-4350-4851-554F-544843504851}\IsInstalled = "1" C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{554F5448-4350-4851-554F-544843504851}\StubPath = "C:\\Windows\\system32\\eatmooreab-ikeas.exe" C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\apmooxef-ouced.exe" C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
N/A N/A C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\ovludoot-omeab.dll" C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ufxuheax-egoot.exe C:\Users\Admin\AppData\Local\Temp\8e8904677a103e755f0513905cbfac20_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\eatmooreab-ikeas.exe C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
File opened for modification C:\Windows\SysWOW64\ovludoot-omeab.dll C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
File created C:\Windows\SysWOW64\ovludoot-omeab.dll C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
File opened for modification C:\Windows\SysWOW64\ufxuheax-egoot.exe C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
File created C:\Windows\SysWOW64\ufxuheax-egoot.exe C:\Users\Admin\AppData\Local\Temp\8e8904677a103e755f0513905cbfac20_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\apmooxef-ouced.exe C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
File created C:\Windows\SysWOW64\apmooxef-ouced.exe C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
File opened for modification C:\Windows\SysWOW64\eatmooreab-ikeas.exe C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1548 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\8e8904677a103e755f0513905cbfac20_NeikiAnalytics.exe C:\Windows\SysWOW64\ufxuheax-egoot.exe
PID 1236 wrote to memory of 428 N/A C:\Windows\SysWOW64\ufxuheax-egoot.exe C:\Windows\system32\winlogon.exe
PID 1236 wrote to memory of 1224 N/A C:\Windows\SysWOW64\ufxuheax-egoot.exe C:\Windows\Explorer.EXE
PID 1236 wrote to memory of 1772 N/A C:\Windows\SysWOW64\ufxuheax-egoot.exe C:\Windows\SysWOW64\ufxuheax-egoot.exe

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\8e8904677a103e755f0513905cbfac20_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8e8904677a103e755f0513905cbfac20_NeikiAnalytics.exe"

C:\Windows\SysWOW64\ufxuheax-egoot.exe

"C:\Windows\SysWOW64\ufxuheax-egoot.exe"

C:\Windows\SysWOW64\ufxuheax-egoot.exe

--k33p

Network

Country Destination Domain Proto
US 8.8.8.8:53 yauaeqcw.st udp
US 8.8.8.8:53 yauaeqcw.st udp

Files

\Windows\SysWOW64\ufxuheax-egoot.exe

MD5 305e8a78094641012f172d57f25cb3d8
SHA1 a0da3ad847575443c1ad61ce69cb6d13ba17db94
SHA256 a38d432c5e7b37ac3f0b93cea63b853c630fdf14a7ceabc378399ea2583a0b18
SHA512 d3ae62e41c86ab905be559522f424e0fd4654125f5422699734cf219f138621a899c2a97619d5cbbf0050d417c044d83b56398e028f424c1eb9e41066a11d9db

memory/1548-7-0x0000000000400000-0x0000000000403000-memory.dmp

C:\Windows\SysWOW64\ovludoot-omeab.dll

MD5 f37b21c00fd81bd93c89ce741a88f183
SHA1 b2796500597c68e2f5638e1101b46eaf32676c1c
SHA256 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

C:\Windows\SysWOW64\apmooxef-ouced.exe

MD5 40799f82c7585504e8d4c8f594d4c621
SHA1 047c1b84b87527290e097efc0f026e5e19f77ed8
SHA256 2ab3f7437ec557148df53e6835e5deac6bca557de5cad6141e6c6cb9064faa7e
SHA512 e8d0b1583311996029640f9e0893c0da3b971a16c2a6f99352924e0f58dfd2c564a598b6a52d4a33775ded2bf78a4e16df9a472e59fbe30735de49dd01c42fa4

C:\Windows\SysWOW64\eatmooreab-ikeas.exe

MD5 2ef65d974a22d47413f06a8d6d463575
SHA1 acc060c31d49fe7e8b5f320e1016635514a45cbd
SHA256 875925d793b3410027739354b3448b91ba20206c0d6cf3bb5ac21eaf57461b73
SHA512 a35267f3dbc79f5cae974c32bdc5d0597254b31892c3880ff61ee18fa26f274ce3b74df94b509e3ca6e7a1b28e6b0ba74eadfe3afeea41c0659b2109c15e2e17

memory/1236-53-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1772-54-0x0000000000400000-0x0000000000414000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 05:05

Reported

2024-06-01 05:07

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

127s

Command Line

winlogon.exe

Signatures

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47594C51-574a-434e-4759-4C51574A434e} C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47594C51-574a-434e-4759-4C51574A434e}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47594C51-574a-434e-4759-4C51574A434e}\IsInstalled = "1" C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47594C51-574a-434e-4759-4C51574A434e}\StubPath = "C:\\Windows\\system32\\eatmooreab-ikeas.exe" C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\apmooxef-ouced.exe" C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
N/A N/A C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\ovludoot-omeab.dll" C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\ufxuheax-egoot.exe C:\Users\Admin\AppData\Local\Temp\8e8904677a103e755f0513905cbfac20_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\apmooxef-ouced.exe C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
File opened for modification C:\Windows\SysWOW64\eatmooreab-ikeas.exe C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
File created C:\Windows\SysWOW64\ovludoot-omeab.dll C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
File opened for modification C:\Windows\SysWOW64\ufxuheax-egoot.exe C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
File opened for modification C:\Windows\SysWOW64\ufxuheax-egoot.exe C:\Users\Admin\AppData\Local\Temp\8e8904677a103e755f0513905cbfac20_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\apmooxef-ouced.exe C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
File created C:\Windows\SysWOW64\eatmooreab-ikeas.exe C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A
File opened for modification C:\Windows\SysWOW64\ovludoot-omeab.dll C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\ufxuheax-egoot.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 792 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\8e8904677a103e755f0513905cbfac20_NeikiAnalytics.exe C:\Windows\SysWOW64\ufxuheax-egoot.exe
PID 3524 wrote to memory of 2784 N/A C:\Windows\SysWOW64\ufxuheax-egoot.exe C:\Windows\SysWOW64\ufxuheax-egoot.exe
PID 3524 wrote to memory of 612 N/A C:\Windows\SysWOW64\ufxuheax-egoot.exe C:\Windows\system32\winlogon.exe
PID 3524 wrote to memory of 3444 N/A C:\Windows\SysWOW64\ufxuheax-egoot.exe C:\Windows\Explorer.EXE
PID 3524 wrote to memory of 3444 N/A C:\Windows\SysWOW64\ufxuheax-egoot.exe C:\Windows\Explorer.EXE
PID 3524 wrote to memory of 3444 N/A C:\Windows\SysWOW64\ufxuheax-egoot.exe C:\Windows\Explorer.EXE
PID 3524 wrote to memory of 3444 N/A C:\Windows\SysWOW64\ufxuheax-egoot.exe C:\Windows\Explorer.EXE
PID 3524 wrote to memory of 3444 N/A C:\Windows\SysWOW64\ufxuheax-egoot.exe C:\Windows\Explorer.EXE
PID 3524 wrote to memory of 3444 N/A C:\Windows\SysWOW64\ufxuheax-egoot.exe C:\Windows\Explorer.EXE
PID 3524 wrote to memory of 3444 N/A C:\Windows\SysWOW64\ufxuheax-egoot.exe C:\Windows\Explorer.EXE
PID 3524 wrote to memory of 3444 N/A C:\Windows\SysWOW64\ufxuheax-egoot.exe C:\Windows\Explorer.EXE
PID 3524 wrote to memory of 3444 N/A C:\Windows\SysWOW64\ufxuheax-egoot.exe C:\Windows\Explorer.EXE
PID 3524 wrote to memory of 3444 N/A C:\Windows\SysWOW64\ufxuheax-egoot.exe C:\Windows\Explorer.EXE
PID 3524 wrote to memory of 3444 N/A C:\Windows\SysWOW64\ufxuheax-egoot.exe C:\Windows\Explorer.EXE
PID 3524 wrote to memory of 3444 N/A C:\Windows\SysWOW64\ufxuheax-egoot.exe C:\Windows\Explorer.EXE
PID 3524 wrote to memory of 3444 N/A C:\Windows\SysWOW64\ufxuheax-egoot.exe C:\Windows\Explorer.EXE
PID 3524 wrote to memory of 3444 N/A C:\Windows\SysWOW64\ufxuheax-egoot.exe C:\Windows\Explorer.EXE
PID 3524 wrote to memory of 3444 N/A C:\Windows\SysWOW64\ufxuheax-egoot.exe C:\Windows\Explorer.EXE
PID 3524 wrote to memory of 3444 N/A C:\Windows\SysWOW64\ufxuheax-egoot.exe C:\Windows\Explorer.EXE
PID 3524 wrote to memory of 3444 N/A C:\Windows\SysWOW64\ufxuheax-egoot.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\8e8904677a103e755f0513905cbfac20_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8e8904677a103e755f0513905cbfac20_NeikiAnalytics.exe"

C:\Windows\SysWOW64\ufxuheax-egoot.exe

"C:\Windows\SysWOW64\ufxuheax-egoot.exe"

C:\Windows\SysWOW64\ufxuheax-egoot.exe

--k33p

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4108,i,1067197275908310731,12785105794523264014,262144 --variations-seed-version --mojo-platform-channel-handle=3248 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 gaokl.tk udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 gaokl.tk udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/792-3-0x0000000000400000-0x0000000000403000-memory.dmp

C:\Windows\SysWOW64\ufxuheax-egoot.exe

MD5 305e8a78094641012f172d57f25cb3d8
SHA1 a0da3ad847575443c1ad61ce69cb6d13ba17db94
SHA256 a38d432c5e7b37ac3f0b93cea63b853c630fdf14a7ceabc378399ea2583a0b18
SHA512 d3ae62e41c86ab905be559522f424e0fd4654125f5422699734cf219f138621a899c2a97619d5cbbf0050d417c044d83b56398e028f424c1eb9e41066a11d9db

C:\Windows\SysWOW64\eatmooreab-ikeas.exe

MD5 82d87cd7705540a97c902bb3776aba26
SHA1 a2bbbe506ff4c956614977a930c7e9bdc76be5bb
SHA256 879ff7a1ed3e5882230813f470504ae1b4d0c19a6297c9043fc4805321d895c0
SHA512 a65ee880b35c10f70501f6ac25944652505f775a38c66faba0cae86e0fd235fe37e42cb1e9da9d880bcce6c544a305edeaf1a276efb0ae716cf4b1e5d0849b6f

C:\Windows\SysWOW64\ovludoot-omeab.dll

MD5 f37b21c00fd81bd93c89ce741a88f183
SHA1 b2796500597c68e2f5638e1101b46eaf32676c1c
SHA256 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

C:\Windows\SysWOW64\apmooxef-ouced.exe

MD5 8615976adf8a1ecd02f872bd80a7796d
SHA1 7d5ec9d8d2d8e5381bdeaf74f79110ec17ea8f2c
SHA256 34504e86a6f7daf833065b7da90df7fcba9b9aa2465c2c24f0c4a5948c5e2c62
SHA512 8d780fb15f09efd77a4711be08321aa4a6716b209f4ba692f619b86325208669f029580a5bafc0f7669640624d5fffe6c2fedf38c5125a733ff3d3a716ee662b

memory/3524-47-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2784-48-0x0000000000400000-0x0000000000414000-memory.dmp