Analysis Overview
SHA256
3493ee438d9443ec8e17b3dcbcbf401a31b166646abbdecaab322417e5c873f9
Threat Level: Known bad
The file dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Sality
Windows security bypass
Modifies firewall policy service
Loads dropped DLL
Windows security modification
Executes dropped EXE
UPX packed file
Enumerates connected drives
Checks whether UAC is enabled
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
System policy modification
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-19 15:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-19 15:13
Reported
2024-05-19 15:16
Platform
win7-20240221-en
Max time kernel
51s
Max time network
124s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
Sality
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
| N/A | N/A | \??\c:\245c45946461cdfe96491f1b5e\Setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
| N/A | N/A | \??\c:\245c45946461cdfe96491f1b5e\Setup.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
Enumerates connected drives
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\f76c468 | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
| File created | C:\Windows\f762378 | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM.INI | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\Wininit | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | \??\c:\245c45946461cdfe96491f1b5e\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\245c45946461cdfe96491f1b5e\Setup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| N/A | N/A | \??\c:\245c45946461cdfe96491f1b5e\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
Processes
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe"
\??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe
c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe
\??\c:\245c45946461cdfe96491f1b5e\Setup.exe
c:\245c45946461cdfe96491f1b5e\Setup.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\0F762674_Rar\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe
\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe
C:\Users\Admin\AppData\Local\Temp\0F7630F0_Rar\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe
\245c45946461cdfe96491f1b5e\Setup.exe
\245c45946461cdfe96491f1b5e\SetupEngine.dll
\245c45946461cdfe96491f1b5e\sqmapi.dll
C:\Users\Admin\AppData\Local\Temp\HFI3525.tmp.html
\??\c:\245c45946461cdfe96491f1b5e\UiInfo.xml
\??\c:\245c45946461cdfe96491f1b5e\DHTMLHeader.html
\??\c:\245c45946461cdfe96491f1b5e\ParameterInfo.xml
\??\c:\245c45946461cdfe96491f1b5e\3082\LocalizedData.xml
\??\c:\245c45946461cdfe96491f1b5e\2052\LocalizedData.xml
\??\c:\245c45946461cdfe96491f1b5e\1049\LocalizedData.xml
\??\c:\245c45946461cdfe96491f1b5e\1042\LocalizedData.xml
\245c45946461cdfe96491f1b5e\SetupUi.dll
\??\c:\245c45946461cdfe96491f1b5e\SetupUi.xsd
\??\c:\245c45946461cdfe96491f1b5e\Strings.xml
\245c45946461cdfe96491f1b5e\1033\SetupResources.dll
\??\c:\245c45946461cdfe96491f1b5e\watermark.bmp
\??\c:\245c45946461cdfe96491f1b5e\header.bmp
\??\c:\245c45946461cdfe96491f1b5e\graphics\setup.ico
\??\c:\245c45946461cdfe96491f1b5e\graphics\save.ico
\??\c:\245c45946461cdfe96491f1b5e\graphics\print.ico
\??\c:\245c45946461cdfe96491f1b5e\1041\LocalizedData.xml
\??\c:\245c45946461cdfe96491f1b5e\1040\LocalizedData.xml
\??\c:\245c45946461cdfe96491f1b5e\1036\LocalizedData.xml
\??\c:\245c45946461cdfe96491f1b5e\1031\LocalizedData.xml
\??\c:\245c45946461cdfe96491f1b5e\1028\LocalizedData.xml
\??\c:\245c45946461cdfe96491f1b5e\1033\LocalizedData.xml
C:\Windows\SYSTEM.INI
C:\bcrdub.pif
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-19 15:13
Reported
2024-05-19 15:16
Platform
win10v2004-20240426-en
Max time kernel
23s
Max time network
135s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
Sality
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
| N/A | N/A | \??\c:\ab26d1c462a0351508f66542\Setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\ab26d1c462a0351508f66542\Setup.exe | N/A |
| N/A | N/A | \??\c:\ab26d1c462a0351508f66542\Setup.exe | N/A |
| N/A | N/A | \??\c:\ab26d1c462a0351508f66542\Setup.exe | N/A |
| N/A | N/A | \??\c:\ab26d1c462a0351508f66542\Setup.exe | N/A |
| N/A | N/A | \??\c:\ab26d1c462a0351508f66542\Setup.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\J: | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
| File opened (read-only) | \??\K: | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
| File opened (read-only) | \??\E: | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
| File opened (read-only) | \??\G: | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
| File opened (read-only) | \??\H: | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
| File opened (read-only) | \??\I: | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\e573ff7 | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM.INI | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\Wininit | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\e576b9b | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\ab26d1c462a0351508f66542\Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | \??\c:\ab26d1c462a0351508f66542\Setup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | \??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe | N/A |
Processes
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe"
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
\??\c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe
c:\users\admin\appdata\local\temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
\??\c:\ab26d1c462a0351508f66542\Setup.exe
c:\ab26d1c462a0351508f66542\Setup.exe
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\explorer.exe
explorer.exe /LOADSAVEDWINDOWS
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\dwm.exe
"dwm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 201.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/2280-0-0x0000000000400000-0x0000000000778000-memory.dmp
memory/2280-7-0x0000000004070000-0x0000000004071000-memory.dmp
memory/2280-4-0x00000000025B0000-0x000000000366A000-memory.dmp
memory/2280-9-0x0000000002490000-0x0000000002492000-memory.dmp
memory/2280-5-0x00000000025B0000-0x000000000366A000-memory.dmp
memory/2280-21-0x00000000044F0000-0x00000000044F1000-memory.dmp
memory/2280-16-0x00000000025B0000-0x000000000366A000-memory.dmp
memory/2280-18-0x00000000025B0000-0x000000000366A000-memory.dmp
memory/2280-24-0x00000000025B0000-0x000000000366A000-memory.dmp
memory/2280-20-0x00000000025B0000-0x000000000366A000-memory.dmp
memory/2280-25-0x00000000025B0000-0x000000000366A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0E5741EB_Rar\dfdd960489c26d9b24f1168d0c34d570_NeikiAnalytics.exe
| MD5 | b6d4a469dfc5247caf19b783b5c4262b |
| SHA1 | 6c920d73ec22213ddcab617ea9339f93ff1b6787 |
| SHA256 | 05fc4c2e2a80a0d06601cd587c69a3ae22dcc07a8bab8e8f5f70c320a60c8542 |
| SHA512 | 10153d47f732cd87bd3a026db76f8430980a2775018ba1e73a0e313bf7fa70898bfdb8a08da72c33900c16b441ce80f8d46e74ee27a0f08a8c5b523768aaea8e |
memory/2280-8-0x00000000025B0000-0x000000000366A000-memory.dmp
memory/2280-17-0x0000000002490000-0x0000000002492000-memory.dmp
memory/2280-10-0x00000000025B0000-0x000000000366A000-memory.dmp
memory/2280-3-0x00000000025B0000-0x000000000366A000-memory.dmp
memory/2280-6-0x0000000002490000-0x0000000002492000-memory.dmp
memory/2280-1-0x00000000025B0000-0x000000000366A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe
| MD5 | 2ebe7b204aa13f112e5f914a31ab015f |
| SHA1 | 49a6efe315ff0853f5eb864ef2be3c56eef0c7f6 |
| SHA256 | 97fb96a9f51143d49c666a4704690c4ea167613bf4bb8c7bbff8f2b66d608492 |
| SHA512 | 3ee72a41e82f1caf00c3013152cd69e933aa112e1f7ea6d155918b874386eb24f3489d9b2c866e546fb010c927c2aa76192f3cc8d029756c3ceae97fdb13a7ee |
memory/4512-41-0x0000000001000000-0x00000000014E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0E574556_Rar\dfdd960489c26d9b24f1168d0c34d570_neikianalytics.exe
| MD5 | cede02d7af62449a2c38c49abecc0cd3 |
| SHA1 | b84b83a8a6741a17bfb5f3578b983c1de512589d |
| SHA256 | 66b797b3b4f99488f53c2b676610dfe9868984c779536891a8d8f73ee214bc4b |
| SHA512 | d2d99e06d49a5990b449cf31d82a33104a6b45164e76fbeb34c43d10bcd25c3622af52e59a2d4b7f5f45f83c3ba4d23cf1a5fc0c03b3606f42426988e63a9770 |
memory/2280-46-0x00000000025B0000-0x000000000366A000-memory.dmp
memory/2280-45-0x00000000025B0000-0x000000000366A000-memory.dmp
memory/2280-51-0x00000000025B0000-0x000000000366A000-memory.dmp
memory/2280-64-0x0000000000400000-0x0000000000778000-memory.dmp
C:\ab26d1c462a0351508f66542\Setup.exe
| MD5 | 9a1141fbceeb2e196ae1ba115fd4bee6 |
| SHA1 | 922eacb654f091bc609f1b7f484292468d046bd1 |
| SHA256 | 28563d908450eb7b7e9ed07a934e0d68135b5bb48e866e0a1c913bd776a44fef |
| SHA512 | b044600acb16fc3be991d8a6dbc75c2ca45d392e66a4d19eacac4aee282d2ada0d411d832b76d25ef505cc542c7fa1fdb7098da01f84034f798b08baa4796168 |
C:\ab26d1c462a0351508f66542\sqmapi.dll
| MD5 | 3f0363b40376047eff6a9b97d633b750 |
| SHA1 | 4eaf6650eca5ce931ee771181b04263c536a948b |
| SHA256 | bd6395a58f55a8b1f4063e813ce7438f695b9b086bb965d8ac44e7a97d35a93c |
| SHA512 | 537be86e2f171e0b2b9f462ac7f62c4342beb5d00b68451228f28677d26a525014758672466ad15ed1fd073be38142dae478df67718908eae9e6266359e1f9e8 |
C:\Users\Admin\AppData\Local\Temp\HFI4A0A.tmp.html
| MD5 | 7078f81b6bcdea228ffd28a702888884 |
| SHA1 | aa0a413431f5959d6bb6656f508a70867855e366 |
| SHA256 | 8ffe803d37f0967ddbec5d5c6e52c6a658754241e40f101ed07faa18f7f160e2 |
| SHA512 | 9712d50ec278e045111ead3117f586362c6d9fe8cab6313ed6ccabc4ca7fd180fbdcdf72430cc21be825d78249893f48159e0903cc3bc48850a18d5046129f07 |
\??\c:\ab26d1c462a0351508f66542\DHTMLHeader.html
| MD5 | cd131d41791a543cc6f6ed1ea5bd257c |
| SHA1 | f42a2708a0b42a13530d26515274d1fcdbfe8490 |
| SHA256 | e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb |
| SHA512 | a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a |
C:\ab26d1c462a0351508f66542\SetupEngine.dll
| MD5 | a030c6b93740cbaa232ffaa08ccd3396 |
| SHA1 | 6f7236a30308fbf02d88e228f0b5b5ec7f61d3eb |
| SHA256 | 0507720d52ae856bbf5ff3f01172a390b6c19517cb95514cd53f4a59859e8d63 |
| SHA512 | 6787195b7e693744ce3b70c3b3ef04eaf81c39621e33d9f40b9c52f1a2c1d6094eceaebbc9b2906649351f5fc106eed085cef71bb606a9dc7890eafd200cfd42 |
\??\c:\ab26d1c462a0351508f66542\UiInfo.xml
| MD5 | 4f90fcef3836f5fc49426ad9938a1c60 |
| SHA1 | 89eba3b81982d5d5c457ffa7a7096284a10de64a |
| SHA256 | 66a0299ce7ee12dd9fc2cfead3c3211e59bfb54d6c0627d044d44cef6e70367b |
| SHA512 | 4ce2731c1d32d7ca3a4f644f4b3111f06223de96c1e241fcc86f5fe665f4db18c8a241dae4e8a7e278d6afbf91b235a2c3517a40d4d22d9866880e19a7221160 |
\??\c:\ab26d1c462a0351508f66542\ParameterInfo.xml
| MD5 | 46db5d342d306778cab61e413a84fece |
| SHA1 | d0885ae1f706e014015cacb0cd67ca786d0962c2 |
| SHA256 | 227bd903261486663665ba232b753781bafd7afba68b5614ad93d6d1f5a1e16b |
| SHA512 | 5de734ce86888ae41db113be13b8b6652f67de8e7ff0dc062a3e217e078ccafacf44117bbfff6e26d6c7e4fa369855e87b4926e9bdfa96f466a89a9d9c67a5bc |
\??\c:\ab26d1c462a0351508f66542\1033\LocalizedData.xml
| MD5 | d642e322d1e8b739510ca540f8e779f9 |
| SHA1 | 36279c76d9f34c09ebddc84fd33fcc7d4b9a896c |
| SHA256 | 5d90345ff74e177f6da8fb6459c1cfcac080e698215ca75feb130d0d1f2a76b9 |
| SHA512 | e1e16ae14bc7cc1608e1a08d3c92b6d0518b5fabd27f2c0eb514c87afc3d6192bf7a793a583afc65f1899f03dc419263b29174456e1ec9ab0f0110e0258e0f0d |
\??\c:\ab26d1c462a0351508f66542\1031\LocalizedData.xml
| MD5 | b83c3803712e61811c438f6e98790369 |
| SHA1 | 61a0bc59388786ced045acd82621bee8578cae5a |
| SHA256 | 2aa6e8d402e44d9ee895b18195f46bf90259de1b6f44efd46a7075b110f2dcd6 |
| SHA512 | e020f93e3a082476087e690ad051f1feb210e0915924bb4548cc9f53a7ee2760211890eb6036ce9e5e4a311abc0300e89e25efbbb894c2a621ffbc9d64cc8a38 |
\??\c:\ab26d1c462a0351508f66542\2052\LocalizedData.xml
| MD5 | 52b1dc12ce4153aa759fb3bbe04d01fc |
| SHA1 | bf21f8591c473d1fce68a9faf1e5942f486f6eba |
| SHA256 | d1735c8cfd8e10ba019d70818c19fa865e7c72f30ab6421a3748408f85fb96c3 |
| SHA512 | 418903ae9a7baebf73d055e4774ff1917fbaab9ee7ed8c120c34bb10e7303f6dd7b7dae701596d4626387a30ae1b4d329a9af49b8718b360e2ff619c56c19623 |
\??\c:\ab26d1c462a0351508f66542\3082\LocalizedData.xml
| MD5 | 5397a12d466d55d566b4209e0e4f92d3 |
| SHA1 | fcffd8961fb487995543fc173521fdf5df6e243b |
| SHA256 | f124d318138ff084b6484deb354cca0f72296e1341bf01169792b3e060c89e89 |
| SHA512 | 7708f5a2ad3e4c90c4c216600435af87a1557f60caf880a3dd9b5f482e17399af9f0b9de03ff1dbdd210583e0fec5b466e35794ac24d6d37f9bbc094e52fc77b |
\??\c:\ab26d1c462a0351508f66542\1049\LocalizedData.xml
| MD5 | 0eeb554d0b9f9fcdb22401e2532e9cd0 |
| SHA1 | 08799520b72a1ef92ac5b94a33509d1eddf6caf8 |
| SHA256 | beef0631c17a4fb1ff0b625c50c6cb6c8ce90a1ae62c5e60e14bf3d915ad509c |
| SHA512 | 2180e46a5a2ea1f59c879b729806ca02a232c66660f29c338c1fa7fbee2afa4b13d8777d1f7b63cf831eb42f3e55282d70aa8e53f40616b8a6e4d695c36e313d |
\??\c:\ab26d1c462a0351508f66542\1042\LocalizedData.xml
| MD5 | 71dfd70ae141f1d5c1366cb661b354b2 |
| SHA1 | c4b22590e6f6dd5d39e5158b831ae217ce17a776 |
| SHA256 | cccda55294aeb4af166a8c0449bca2189ddf5aa9a43d5e939dd3803e61738331 |
| SHA512 | 5000d62f3de41c3fb0ed8a8e9c37dbf4eb427c4f1e3ad3823d4716c6fe62250bac11b7987a302b8a45d91aabcf332457f7aff7d99f15edeffe540639e9440e8a |
\??\c:\ab26d1c462a0351508f66542\1041\LocalizedData.xml
| MD5 | 7fcfbc308b0c42dcbd8365ba62bada05 |
| SHA1 | 18a0f0e89b36818c94de0ad795cc593d0e3e29a9 |
| SHA256 | 01e7d24dd8e00b5c333e96d1bb83813e02e96f89aad0c2f28f84551d28abbbe2 |
| SHA512 | cd6f912a037e86d9e1982c73f0f8b3c4d5a9a6b5b108a7b89a46e6691e430a7cb55718de9a0c05650bb194c8d4a2e309ad6221d638cfca8e16aa5920881ba649 |
\??\c:\ab26d1c462a0351508f66542\1040\LocalizedData.xml
| MD5 | 0af948fe4142e34092f9dd47a4b8c275 |
| SHA1 | b3d6dd5c126280398d9055f90e2c2c26dbae4eaa |
| SHA256 | c4c7c0ddaa6d6a3a1dc260e9c5a24bdfaa98c427c69e8a65427dd7cac0a4b248 |
| SHA512 | d97b5fe2553ca78a3019d53e33d2db80c9fa1cf1d8d2501d9ddf0576c7e6ea38dab754fe4712123abf34b97e10b18fb4bbd1c76d3dacb87b4682e501f93423d9 |
\??\c:\ab26d1c462a0351508f66542\1036\LocalizedData.xml
| MD5 | e382abc19294f779d2833287242e7bc6 |
| SHA1 | 1ceae32d6b24a3832f9244f5791382865b668a72 |
| SHA256 | 43f913ff28d677316f560a0f45221f35f27cfaf5fc5bd645974a82dca589edbf |
| SHA512 | 06054c8048cade36a3af54f9a07fd8fa5eb4f3228790996d2abea7ee1ee7eb563d46bd54ff97441f9610e778194082c44e66c5f566c9c50a042aba9eb9cae25e |
\??\c:\ab26d1c462a0351508f66542\1028\LocalizedData.xml
| MD5 | 7fc06a77d9aafca9fb19fafa0f919100 |
| SHA1 | e565740e7d582cd73f8d3b12de2f4579ff18bb41 |
| SHA256 | a27f809211ea1a2d5224cd01101aa3a59bf7853168e45de28a16ef7ed6acd46a |
| SHA512 | 466dcc6a5fb015be1619f5725fa62ca46eb0fb428e11f93fd9d82e5df61c3950b3fb62d4db7746cc4a2be199e5e69eaa30b6f3354e0017cfa14d127fad52f8cf |
C:\ab26d1c462a0351508f66542\SetupUi.dll
| MD5 | c744ec120e54027c57318c4720b4d6be |
| SHA1 | ab65fc4e68ad553520af049129fae4f88c7eff74 |
| SHA256 | d1610b0a94a4dadc85ee32a7e5ffd6533ea42347d6f2d6871beb03157b89a857 |
| SHA512 | 6dcd0ab7b8671e17d1c15db030ee5349ab3a123595c546019cf9391ce05f9f63806149c3ec2f2c71635cb811ab65ad47bcd7031e2eff7a59059577e47dd600a7 |
\??\c:\ab26d1c462a0351508f66542\SetupUi.xsd
| MD5 | 2fadd9e618eff8175f2a6e8b95c0cacc |
| SHA1 | 9ab1710a217d15b192188b19467932d947b0a4f8 |
| SHA256 | 222211e8f512edf97d78bc93e1f271c922d5e91fa899e092b4a096776a704093 |
| SHA512 | a3a934a8572ff9208d38cf381649bd83de227c44b735489fd2a9dc5a636ead9bb62459c9460ee53f61f0587a494877cd3a3c2611997be563f3137f8236ffc4ca |
\??\c:\ab26d1c462a0351508f66542\Strings.xml
| MD5 | 332adf643747297b9bfa9527eaefe084 |
| SHA1 | 670f933d778eca39938a515a39106551185205e9 |
| SHA256 | e49545feeae22198728ad04236e31e02035af7cc4d68e10cbecffd08669cbeca |
| SHA512 | bea95ce35c4c37b4b2e36cc1e81fc297cc4a8e17b93f10423a02b015ddb593064541b5eb7003560fbeee512ed52869a113a6fb439c1133af01f884a0db0344b0 |
C:\ab26d1c462a0351508f66542\1033\SetupResources.dll
| MD5 | 718ab3eb3f43c9bcf16276c1eb17f2c1 |
| SHA1 | a3091fd7784a9469309b3edb370e24a0323e30ac |
| SHA256 | e1a13f5b763d73271a1a205a88e64c6611c25d5f434cfa5da14feb8e4272ffaa |
| SHA512 | 9fa8a8d9645a9b490257c2dce3d31f1585f6d6069f9471f9e00dfaa9e457ff1db4c9176a91e02d7f0b61bae0c1fc76b56061eff04888a58aeb5ad2e8692fcf8a |
\??\c:\ab26d1c462a0351508f66542\watermark.bmp
| MD5 | 1a5caafacfc8c7766e404d019249cf67 |
| SHA1 | 35d4878db63059a0f25899f4be00b41f430389bf |
| SHA256 | 2e87d5742413254db10f7bd0762b6cdb98ff9c46ca9acddfd9b1c2e5418638f2 |
| SHA512 | 202c13ded002d234117f08b18ca80d603246e6a166e18ba422e30d394ada7e47153dd3cce9728affe97128fdd797fe6302c74dc6882317e2ba254c8a6db80f46 |
\??\c:\ab26d1c462a0351508f66542\header.bmp
| MD5 | 3ad1a8c3b96993bcdf45244be2c00eef |
| SHA1 | 308f98e199f74a43d325115a8e7072d5f2c6202d |
| SHA256 | 133b86a4f1c67a159167489fdaeab765bfa1050c23a7ae6d5c517188fb45f94a |
| SHA512 | 133442c4a65269f817675adf01adcf622e509aa7ec7583bca8cd9a7eb6018d2aab56066054f75657038efb947cd3b3e5dc4fe7f0863c8b3b1770a8fa4fe2e658 |
\??\c:\ab26d1c462a0351508f66542\graphics\setup.ico
| MD5 | 3d25d679e0ff0b8c94273dcd8b07049d |
| SHA1 | a517fc5e96bc68a02a44093673ee7e076ad57308 |
| SHA256 | 288e9ad8f0201e45bc187839f15aca79d6b9f76a7d3c9274c80f5d4a4c219c0f |
| SHA512 | 3bde668004ca7e28390862d0ae9903c756c16255bdbb3f7e73a5b093ce6a57a3165d6797b0a643b254493149231aca7f7f03e0af15a0cbe28aff02f0071ec255 |
\??\c:\ab26d1c462a0351508f66542\graphics\save.ico
| MD5 | 7d62e82d960a938c98da02b1d5201bd5 |
| SHA1 | 194e96b0440bf8631887e5e9d3cc485f8e90fbf5 |
| SHA256 | ae041c8764f56fd89277b34982145d16fc59a4754d261c861b19371c3271c6e5 |
| SHA512 | ab06b2605f0c1f6b71ef69563c0c977d06c6ea84d58ef7f2baecba566d6037d1458c2b58e6bfd70ddef47dccbdea6d9c2f2e46dea67ea9e92457f754d7042f67 |
\??\c:\ab26d1c462a0351508f66542\graphics\print.ico
| MD5 | 7e55ddc6d611176e697d01c90a1212cf |
| SHA1 | e2620da05b8e4e2360da579a7be32c1b225deb1b |
| SHA256 | ff542e32330b123486797b410621e19eafb39df3997e14701afa4c22096520ed |
| SHA512 | 283d381aa396820b7e15768b20099d67688da1f6315ec9f7938c2fcc3167777502cded0d1beddf015a34cc4e5d045bcb665ffd28ba2fbb6faf50fdd38b31d16e |
C:\Windows\SYSTEM.INI
| MD5 | fe83376bc18c598013283dfd7bbb2963 |
| SHA1 | 3ef18b65a98aa5c29ee0d9a6e3c646c135f10f21 |
| SHA256 | 8f8f94b1a86aea739b6cf3bf5ee562b4f479ac16af99ef123096fe8a8c5601f8 |
| SHA512 | 6990bf4b07dbd4c97910977a0400c6d63f99e7312a3f4f5c7144950ac18c2c62b401f596a9c906556889c969f9913136134d0f5b7971944f68faa0559f62cc95 |
memory/4512-181-0x0000000004C40000-0x0000000005CFA000-memory.dmp
memory/5012-190-0x00000000024B0000-0x00000000024B2000-memory.dmp
memory/5012-189-0x00000000024C0000-0x00000000024C1000-memory.dmp
memory/4512-187-0x00000000009C0000-0x00000000009C1000-memory.dmp
memory/4512-184-0x0000000004C40000-0x0000000005CFA000-memory.dmp
memory/4512-185-0x0000000004C40000-0x0000000005CFA000-memory.dmp
memory/4512-194-0x0000000000720000-0x0000000000722000-memory.dmp
memory/4512-192-0x0000000004C40000-0x0000000005CFA000-memory.dmp
memory/4512-183-0x0000000004C40000-0x0000000005CFA000-memory.dmp
memory/4512-182-0x0000000004C40000-0x0000000005CFA000-memory.dmp
memory/4512-180-0x0000000004C40000-0x0000000005CFA000-memory.dmp
memory/4512-179-0x0000000004C40000-0x0000000005CFA000-memory.dmp
memory/4512-177-0x0000000004C40000-0x0000000005CFA000-memory.dmp
memory/4512-191-0x0000000004C40000-0x0000000005CFA000-memory.dmp
memory/4512-200-0x0000000004C40000-0x0000000005CFA000-memory.dmp
memory/4512-199-0x0000000004C40000-0x0000000005CFA000-memory.dmp
memory/4512-201-0x0000000004C40000-0x0000000005CFA000-memory.dmp
memory/4512-202-0x0000000004C40000-0x0000000005CFA000-memory.dmp
memory/4512-203-0x0000000004C40000-0x0000000005CFA000-memory.dmp
memory/4512-205-0x0000000004C40000-0x0000000005CFA000-memory.dmp
memory/4512-206-0x0000000004C40000-0x0000000005CFA000-memory.dmp
memory/4512-207-0x0000000004C40000-0x0000000005CFA000-memory.dmp
memory/4512-208-0x0000000004C40000-0x0000000005CFA000-memory.dmp
memory/4512-211-0x0000000004C40000-0x0000000005CFA000-memory.dmp
memory/4512-212-0x0000000004C40000-0x0000000005CFA000-memory.dmp
memory/4512-213-0x0000000004C40000-0x0000000005CFA000-memory.dmp
memory/4512-216-0x0000000004C40000-0x0000000005CFA000-memory.dmp
C:\kjwslg.pif
| MD5 | 30a6d505de54cae367f4c99d2a280ea1 |
| SHA1 | d7fc63bba56f00204ac071bbdf8090100ee357b9 |
| SHA256 | 5d96332cc1cb79a0ed50e9e31ba10ad4880860f4c9fdd699e90edc2c1a064148 |
| SHA512 | e25fe985d0911be1199ca8a6c815d62be1df79e1f3185fbee14eff48061f69ec7b770a5da8970111d317537fe12323adac8e750e6ce95d2765ddd6442ce16b72 |