Analysis Overview
SHA256
3460b7fa2321a47ff4e541c7b9e202e0bf845599f96eec3821e94f8e397cb6f4
Threat Level: Known bad
The file 3460b7fa2321a47ff4e541c7b9e202e0bf845599f96eec3821e94f8e397cb6f4N.exe was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
Boot or Logon Autostart Execution: Active Setup
Event Triggered Execution: Image File Execution Options Injection
Loads dropped DLL
Windows security modification
Executes dropped EXE
Modifies WinLogon
Indicator Removal: Clear Persistence
Drops file in System32 directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 21:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 21:40
Reported
2024-11-13 21:42
Platform
win7-20241023-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{504A4353-444d-5250-504A-4353444D5250} | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{504A4353-444d-5250-504A-4353444D5250}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{504A4353-444d-5250-504A-4353444D5250}\IsInstalled = "1" | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{504A4353-444d-5250-504A-4353444D5250}\StubPath = "C:\\Windows\\system32\\ebbikeat.exe" | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ekkovoag.exe" | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3460b7fa2321a47ff4e541c7b9e202e0bf845599f96eec3821e94f8e397cb6f4N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3460b7fa2321a47ff4e541c7b9e202e0bf845599f96eec3821e94f8e397cb6f4N.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
Indicator Removal: Clear Persistence
| Description | Indicator | Process | Target |
| Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\ucsifoot-egum.dll" | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\eahrikeat.exe | C:\Users\Admin\AppData\Local\Temp\3460b7fa2321a47ff4e541c7b9e202e0bf845599f96eec3821e94f8e397cb6f4N.exe | N/A |
| File created | C:\Windows\SysWOW64\eahrikeat.exe | C:\Users\Admin\AppData\Local\Temp\3460b7fa2321a47ff4e541c7b9e202e0bf845599f96eec3821e94f8e397cb6f4N.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ebbikeat.exe | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| File created | C:\Windows\SysWOW64\ebbikeat.exe | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\eahrikeat.exe | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ekkovoag.exe | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| File created | C:\Windows\SysWOW64\ekkovoag.exe | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ucsifoot-egum.dll | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| File created | C:\Windows\SysWOW64\ucsifoot-egum.dll | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3460b7fa2321a47ff4e541c7b9e202e0bf845599f96eec3821e94f8e397cb6f4N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3460b7fa2321a47ff4e541c7b9e202e0bf845599f96eec3821e94f8e397cb6f4N.exe
"C:\Users\Admin\AppData\Local\Temp\3460b7fa2321a47ff4e541c7b9e202e0bf845599f96eec3821e94f8e397cb6f4N.exe"
C:\Windows\SysWOW64\eahrikeat.exe
"C:\Windows\SysWOW64\eahrikeat.exe"
C:\Windows\SysWOW64\eahrikeat.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ttwdwiqsnqk.nu | udp |
| US | 8.8.8.8:53 | ttwdwiqsnqk.nu | udp |
Files
C:\Windows\SysWOW64\eahrikeat.exe
| MD5 | dbfafb48b373c94216c4d150358b7261 |
| SHA1 | b391da66953d1dc9f8d30d8a9e1a4968cd432569 |
| SHA256 | 3e13ca27070cbefe95e76205eb8fcdf073670144fe7f5a447bb2e116d19e5a80 |
| SHA512 | e8a1b6c1c8e24ca8f3990ff95e5c0c2e5d0f3d80e8cd2be9cc706147792103835d16d8b5d5156e2c1104f9cb5975b7835d5431fe03eb69950cf67331a71fed9d |
memory/108-7-0x0000000000400000-0x0000000000403000-memory.dmp
C:\Windows\SysWOW64\ebbikeat.exe
| MD5 | 69b20518dc7559d7d9184bb330f1a86f |
| SHA1 | 9db320dd78e87d21674723a187d3e22d721942bf |
| SHA256 | bf52e753212c67f5b1f6e2ddc0d0e362ecae042ddda6b1f74bd7541d51482f99 |
| SHA512 | a64ec984e5bd9162c3b4a8a9b71cc04d9679c5fe04b8912005bf0602de9d9b2da2c3ff729ad9c1d0308596bb95aac08cdbebc7e670ddfa0cf7f4a22dbe838302 |
C:\Windows\SysWOW64\ekkovoag.exe
| MD5 | b44e779d92edabbcb0db2138a1e314db |
| SHA1 | dd8c81a588e91ef31172520954b0c2251ab52126 |
| SHA256 | 6b21280df93225a50dda8a169142bdccab1933324fef4eb0fe1fba0afec001ff |
| SHA512 | 1b4e54b61be7236563c571a637451a8d8bdde69ffcae6d53037b7b9a9f0ac34b3ecacef0830cedd8c50777f5261c275f0266216d039e2b192ee80c087c84f1e2 |
C:\Windows\SysWOW64\ucsifoot-egum.dll
| MD5 | f37b21c00fd81bd93c89ce741a88f183 |
| SHA1 | b2796500597c68e2f5638e1101b46eaf32676c1c |
| SHA256 | 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0 |
| SHA512 | 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4 |
memory/2024-47-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1948-51-0x0000000000400000-0x0000000000414000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 21:40
Reported
2024-11-13 21:42
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47554D4C-4e4c-4645-4755-4D4C4E4C4645} | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47554D4C-4e4c-4645-4755-4D4C4E4C4645}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47554D4C-4e4c-4645-4755-4D4C4E4C4645}\IsInstalled = "1" | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47554D4C-4e4c-4645-4755-4D4C4E4C4645}\StubPath = "C:\\Windows\\system32\\ebbikeat.exe" | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ekkovoag.exe" | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
Indicator Removal: Clear Persistence
| Description | Indicator | Process | Target |
| Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\ucsifoot-egum.dll" | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\ekkovoag.exe | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ebbikeat.exe | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ucsifoot-egum.dll | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| File created | C:\Windows\SysWOW64\ebbikeat.exe | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| File created | C:\Windows\SysWOW64\ucsifoot-egum.dll | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\eahrikeat.exe | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\eahrikeat.exe | C:\Users\Admin\AppData\Local\Temp\3460b7fa2321a47ff4e541c7b9e202e0bf845599f96eec3821e94f8e397cb6f4N.exe | N/A |
| File created | C:\Windows\SysWOW64\eahrikeat.exe | C:\Users\Admin\AppData\Local\Temp\3460b7fa2321a47ff4e541c7b9e202e0bf845599f96eec3821e94f8e397cb6f4N.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ekkovoag.exe | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3460b7fa2321a47ff4e541c7b9e202e0bf845599f96eec3821e94f8e397cb6f4N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\eahrikeat.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4980 wrote to memory of 632 | N/A | C:\Users\Admin\AppData\Local\Temp\3460b7fa2321a47ff4e541c7b9e202e0bf845599f96eec3821e94f8e397cb6f4N.exe | C:\Windows\SysWOW64\eahrikeat.exe |
| PID 4980 wrote to memory of 632 | N/A | C:\Users\Admin\AppData\Local\Temp\3460b7fa2321a47ff4e541c7b9e202e0bf845599f96eec3821e94f8e397cb6f4N.exe | C:\Windows\SysWOW64\eahrikeat.exe |
| PID 4980 wrote to memory of 632 | N/A | C:\Users\Admin\AppData\Local\Temp\3460b7fa2321a47ff4e541c7b9e202e0bf845599f96eec3821e94f8e397cb6f4N.exe | C:\Windows\SysWOW64\eahrikeat.exe |
| PID 632 wrote to memory of 4952 | N/A | C:\Windows\SysWOW64\eahrikeat.exe | C:\Windows\SysWOW64\eahrikeat.exe |
| PID 632 wrote to memory of 4952 | N/A | C:\Windows\SysWOW64\eahrikeat.exe | C:\Windows\SysWOW64\eahrikeat.exe |
| PID 632 wrote to memory of 4952 | N/A | C:\Windows\SysWOW64\eahrikeat.exe | C:\Windows\SysWOW64\eahrikeat.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\3460b7fa2321a47ff4e541c7b9e202e0bf845599f96eec3821e94f8e397cb6f4N.exe
"C:\Users\Admin\AppData\Local\Temp\3460b7fa2321a47ff4e541c7b9e202e0bf845599f96eec3821e94f8e397cb6f4N.exe"
C:\Windows\SysWOW64\eahrikeat.exe
"C:\Windows\SysWOW64\eahrikeat.exe"
C:\Windows\SysWOW64\eahrikeat.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ruibflkkmeasi.st | udp |
| US | 8.8.8.8:53 | ruibflkkmeasi.st | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\eahrikeat.exe
| MD5 | dbfafb48b373c94216c4d150358b7261 |
| SHA1 | b391da66953d1dc9f8d30d8a9e1a4968cd432569 |
| SHA256 | 3e13ca27070cbefe95e76205eb8fcdf073670144fe7f5a447bb2e116d19e5a80 |
| SHA512 | e8a1b6c1c8e24ca8f3990ff95e5c0c2e5d0f3d80e8cd2be9cc706147792103835d16d8b5d5156e2c1104f9cb5975b7835d5431fe03eb69950cf67331a71fed9d |
memory/4980-4-0x0000000000400000-0x0000000000403000-memory.dmp
C:\Windows\SysWOW64\ebbikeat.exe
| MD5 | aee907c848e80a39f3cc50c1228060a9 |
| SHA1 | 02ab81f2117977ed38c1e63c119778e1e2100712 |
| SHA256 | 6984d4ee6dec303fc2d787e88f76a0ac1410cdc98c7690266def91e7415d58c3 |
| SHA512 | fe79a64e890934e6c990f403f7aa5c52a6ba1d1cdbdabbfae404225ef1e17a98d287c845a0b626cf9fd88c164617162e47b39f49f7946a4f035cbdf1ca19f800 |
C:\Windows\SysWOW64\ekkovoag.exe
| MD5 | e6282cab5aa33a3e3ec838f7c05129a9 |
| SHA1 | fd1d12f6010d4bb0581268340691074ea0117fbb |
| SHA256 | e976a6e46807a91d763f614439d1d3a38926963be13206e5caee2087ae61c925 |
| SHA512 | 3f8618774bcef1c26b246c5c64e91d7894fa7a137180a90e9f6254090d0a94e6d35f3da913752cef337f7145feed39d4420f354afb6fa571a945fd69c8ef6af9 |
C:\Windows\SysWOW64\ucsifoot-egum.dll
| MD5 | f37b21c00fd81bd93c89ce741a88f183 |
| SHA1 | b2796500597c68e2f5638e1101b46eaf32676c1c |
| SHA256 | 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0 |
| SHA512 | 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4 |
memory/632-44-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4952-45-0x0000000000400000-0x0000000000414000-memory.dmp