Malware Analysis Report

2024-09-11 12:23

Sample ID 240611-khc19a1enq
Target 2e84753e8253a24fe43a53ed72fcc0f0_NeikiAnalytics.exe
SHA256 70ff42f621bd88caf16b77c343644b1f6c414016e2d7ee81ce456ab0e51d0ef5
Tags
sality backdoor evasion trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

70ff42f621bd88caf16b77c343644b1f6c414016e2d7ee81ce456ab0e51d0ef5

Threat Level: Known bad

The file 2e84753e8253a24fe43a53ed72fcc0f0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Sality

UAC bypass

Windows security bypass

Modifies firewall policy service

UPX packed file

Loads dropped DLL

Windows security modification

Executes dropped EXE

Enumerates connected drives

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-11 08:35

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 08:35

Reported

2024-06-11 08:38

Platform

win7-20240508-en

Max time kernel

120s

Max time network

124s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f761027.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f761027.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f762bf0.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f762bf0.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f762bf0.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f761027.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761027.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f762bf0.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762bf0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762bf0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762bf0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761027.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761027.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761027.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761027.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761027.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761027.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762bf0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762bf0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762bf0.exe N/A

UPX packed file

upx

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761027.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762bf0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761027.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762bf0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f761027.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761027.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761027.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762bf0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762bf0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f762bf0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761027.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762bf0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762bf0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761027.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761027.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f762bf0.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f761027.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\f761027.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f762bf0.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f761027.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f761027.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f761027.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f761027.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f761027.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f761027.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f761027.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f761027.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f761027.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f761027.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f761027.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f761027.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f761027.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f762bf0.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f761084 C:\Users\Admin\AppData\Local\Temp\f761027.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f761027.exe N/A
File created C:\Windows\f7660b6 C:\Users\Admin\AppData\Local\Temp\f762bf0.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761027.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761027.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f762bf0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761027.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762bf0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1964 wrote to memory of 2740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2740 wrote to memory of 2976 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761027.exe
PID 2976 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\f761027.exe C:\Windows\system32\taskhost.exe
PID 2976 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\f761027.exe C:\Windows\system32\Dwm.exe
PID 2976 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\f761027.exe C:\Windows\Explorer.EXE
PID 2976 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\f761027.exe C:\Windows\system32\DllHost.exe
PID 2976 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\f761027.exe C:\Windows\system32\rundll32.exe
PID 2976 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\f761027.exe C:\Windows\SysWOW64\rundll32.exe
PID 2740 wrote to memory of 2460 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7611ad.exe
PID 2740 wrote to memory of 1348 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762bf0.exe
PID 2976 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\f761027.exe C:\Users\Admin\AppData\Local\Temp\f7611ad.exe
PID 2976 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\f761027.exe C:\Users\Admin\AppData\Local\Temp\f762bf0.exe
PID 1348 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\f762bf0.exe C:\Windows\system32\taskhost.exe
PID 1348 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\f762bf0.exe C:\Windows\system32\Dwm.exe
PID 1348 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\f762bf0.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761027.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f762bf0.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2e84753e8253a24fe43a53ed72fcc0f0_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2e84753e8253a24fe43a53ed72fcc0f0_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\f761027.exe

C:\Users\Admin\AppData\Local\Temp\f761027.exe

C:\Users\Admin\AppData\Local\Temp\f7611ad.exe

C:\Users\Admin\AppData\Local\Temp\f7611ad.exe

C:\Users\Admin\AppData\Local\Temp\f762bf0.exe

C:\Users\Admin\AppData\Local\Temp\f762bf0.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\f761027.exe

MD5 7743e5c1ff05dabee5b8c45c117b9e60
SHA1 ce3dea681be85a099090a794ca66583e229569ab
SHA256 f6aa335b9f5951b0666e010145519af504c0a8321cdad7ae71b43115d6c87a8b
SHA512 fa770fe2240ecbd374c77466e851515b309f3a4d41fa1c4516220839096f41fa352e0c66add180a7a98c28751999f93583d6f423a733a61fe36f8fb5608c9549

C:\Windows\SYSTEM.INI

MD5 32eaed1b04089bc541b77e1bdbece5cc
SHA1 a2c257c2213cd7340de4bed2d5661fe15e74f7f8
SHA256 a9596f4f4faa40b3e8b8fb942c6007ad2960e693037acdb19397f453e9672fcf
SHA512 5b43f2faabd4930df96b76dc5353bb643720a043bc27f0af31e364ae045414e6b9356669dba924460a0a3edf50aef2eef3377a0cfc71c3145cb8837d3087ce88

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 08:35

Reported

2024-06-11 08:38

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

151s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e5815a6.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e5815a6.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e5815a6.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e5823fe.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e5823fe.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e5823fe.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5823fe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5815a6.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5815a6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5815a6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5815a6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5815a6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5823fe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5823fe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5815a6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5823fe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5823fe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5823fe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5823fe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5815a6.exe N/A

UPX packed file

upx

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5823fe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5815a6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5815a6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5815a6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5823fe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5823fe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e5823fe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5815a6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5823fe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5815a6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e5815a6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5823fe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5823fe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5815a6.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5823fe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5815a6.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e5815a6.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e5815a6.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e5815a6.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e5815a6.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e5815a6.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e5815a6.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e5815a6.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e5815a6.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e5815a6.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e5815a6.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e5815a6.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e5815a6.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e5815a6.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e5815a6.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e5815a6.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e5815a6.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e5815a6.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e581865 C:\Users\Admin\AppData\Local\Temp\e5815a6.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e5815a6.exe N/A
File created C:\Windows\e586b29 C:\Users\Admin\AppData\Local\Temp\e5823fe.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5815a6.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2548 wrote to memory of 2356 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2356 wrote to memory of 3224 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5815a6.exe
PID 3224 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\e5815a6.exe C:\Windows\system32\fontdrvhost.exe
PID 3224 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\e5815a6.exe C:\Windows\system32\fontdrvhost.exe
PID 3224 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\e5815a6.exe C:\Windows\system32\dwm.exe
PID 3224 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\e5815a6.exe C:\Windows\system32\sihost.exe
PID 3224 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\e5815a6.exe C:\Windows\system32\svchost.exe
PID 3224 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\e5815a6.exe C:\Windows\system32\taskhostw.exe
PID 3224 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\e5815a6.exe C:\Windows\Explorer.EXE
PID 3224 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\e5815a6.exe C:\Windows\system32\svchost.exe
PID 3224 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\e5815a6.exe C:\Windows\system32\DllHost.exe
PID 3224 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\e5815a6.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3224 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\e5815a6.exe C:\Windows\System32\RuntimeBroker.exe
PID 3224 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\e5815a6.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3224 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\e5815a6.exe C:\Windows\System32\RuntimeBroker.exe
PID 3224 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\e5815a6.exe C:\Windows\System32\RuntimeBroker.exe
PID 3224 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\e5815a6.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3224 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\e5815a6.exe C:\Windows\System32\RuntimeBroker.exe
PID 3224 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\e5815a6.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3224 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\e5815a6.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3224 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\e5815a6.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3224 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\e5815a6.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3224 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\e5815a6.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3224 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\e5815a6.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3224 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\e5815a6.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3224 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\e5815a6.exe C:\Windows\system32\rundll32.exe
PID 3224 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\e5815a6.exe C:\Windows\SysWOW64\rundll32.exe
PID 2356 wrote to memory of 4268 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e581ba1.exe
PID 2356 wrote to memory of 4132 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5823fe.exe
PID 3224 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\e5815a6.exe C:\Users\Admin\AppData\Local\Temp\e581ba1.exe
PID 3224 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\e5815a6.exe C:\Users\Admin\AppData\Local\Temp\e5823fe.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5815a6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5823fe.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2f0,0x7fffce9e2e98,0x7fffce9e2ea4,0x7fffce9e2eb0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=3084 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3204 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3384 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5408 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5416 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:1

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2e84753e8253a24fe43a53ed72fcc0f0_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2e84753e8253a24fe43a53ed72fcc0f0_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\e5815a6.exe

C:\Users\Admin\AppData\Local\Temp\e5815a6.exe

C:\Users\Admin\AppData\Local\Temp\e581ba1.exe

C:\Users\Admin\AppData\Local\Temp\e581ba1.exe

C:\Users\Admin\AppData\Local\Temp\e5823fe.exe

C:\Users\Admin\AppData\Local\Temp\e5823fe.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3784 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 13.107.253.67:443 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\e5815a6.exe

MD5 7743e5c1ff05dabee5b8c45c117b9e60
SHA1 ce3dea681be85a099090a794ca66583e229569ab
SHA256 f6aa335b9f5951b0666e010145519af504c0a8321cdad7ae71b43115d6c87a8b
SHA512 fa770fe2240ecbd374c77466e851515b309f3a4d41fa1c4516220839096f41fa352e0c66add180a7a98c28751999f93583d6f423a733a61fe36f8fb5608c9549

C:\Windows\SYSTEM.INI

MD5 53462016ffe319fa072dcc5738c89363
SHA1 ae2d27e088ef09d2ed476d8140e46aab87ce3e8b
SHA256 fc7bc67e2e95335b83cf1795cd0bb45703da5128e446efa0e9670ded5911d530
SHA512 baf12aa586ed89fbd8aa001860eeb9212cf0e37826195d5910cd207dc6b7d8a3a76de688c1b4c26a89744a03aa713da6438d84b3fae260ed01d20cdb047088e9
