Malware Analysis Report

2024-09-11 11:46

Sample ID 240613-h34nlayflc
Target 689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe
SHA256 9fc5d7feb266c4c6299881160168a49410136d12a28e1eafd13b02b1c65b8dde
Tags
sality backdoor evasion persistence spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9fc5d7feb266c4c6299881160168a49410136d12a28e1eafd13b02b1c65b8dde

Threat Level: Known bad

The file 689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion persistence spyware stealer trojan upx

Modifies firewall policy service

UAC bypass

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Windows security bypass

Sality

Modifies visibility of file extensions in Explorer

Sets file execution options in registry

Disables RegEdit via registry modification

Windows security modification

UPX packed file

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Drops startup file

Enumerates connected drives

Adds Run key to start application

Checks whether UAC is enabled

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies registry class

System policy modification

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-13 07:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 07:16

Reported

2024-06-13 07:19

Platform

win7-20240220-en

Max time kernel

19s

Max time network

122s

Command Line

"C:\Windows\system32\Dwm.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M35738\\Ja734618bLay.com\"" C:\Windows\M35738\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O63636Z\\TuxO63636Z.exe\"" C:\Windows\M35738\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M35738\\Ja734618bLay.com\"" C:\Windows\M35738\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O63636Z\\TuxO63636Z.exe\"" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M35738\\Ja734618bLay.com\"" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O63636Z\\TuxO63636Z.exe\"" C:\Windows\M35738\EmangEloh.exe N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\M35738\EmangEloh.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\M35738\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\M35738\EmangEloh.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\M35738\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\M35738\EmangEloh.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\M35738\smss.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\M35738\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\M35738\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\M35738\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\M35738\EmangEloh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\M35738\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\M35738\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\M35738\EmangEloh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\M35738\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd C:\Windows\M35738\EmangEloh.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd C:\Windows\M35738\smss.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\T1357166TT4 = "C:\\Windows\\system32\\5165423751l.exe" C:\Windows\M35738\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\T36Z165 = "C:\\Windows\\sa-643166.exe" C:\Windows\M35738\EmangEloh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\T1357166TT4 = "C:\\Windows\\system32\\5165423751l.exe" C:\Windows\M35738\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\T36Z165 = "C:\\Windows\\sa-643166.exe" C:\Windows\M35738\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\T1357166TT4 = "C:\\Windows\\system32\\5165423751l.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\T36Z165 = "C:\\Windows\\sa-643166.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\s: C:\Windows\M35738\smss.exe N/A
File opened (read-only) \??\y: C:\Windows\M35738\smss.exe N/A
File opened (read-only) \??\z: C:\Windows\M35738\EmangEloh.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A
File opened (read-only) \??\e: C:\Windows\M35738\smss.exe N/A
File opened (read-only) \??\k: C:\Windows\M35738\EmangEloh.exe N/A
File opened (read-only) \??\x: C:\Windows\M35738\smss.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A
File opened (read-only) \??\q: C:\Windows\M35738\EmangEloh.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A
File opened (read-only) \??\i: C:\Windows\M35738\smss.exe N/A
File opened (read-only) \??\m: C:\Windows\M35738\smss.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A
File opened (read-only) \??\i: C:\Windows\M35738\EmangEloh.exe N/A
File opened (read-only) \??\m: C:\Windows\M35738\EmangEloh.exe N/A
File opened (read-only) \??\z: C:\Windows\M35738\smss.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File opened (read-only) \??\e: C:\Windows\M35738\EmangEloh.exe N/A
File opened (read-only) \??\v: C:\Windows\M35738\EmangEloh.exe N/A
File opened (read-only) \??\t: C:\Windows\M35738\smss.exe N/A
File opened (read-only) \??\v: C:\Windows\M35738\smss.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A
File opened (read-only) \??\g: C:\Windows\M35738\EmangEloh.exe N/A
File opened (read-only) \??\h: C:\Windows\M35738\EmangEloh.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A
File opened (read-only) \??\r: C:\Windows\M35738\EmangEloh.exe N/A
File opened (read-only) \??\y: C:\Windows\M35738\EmangEloh.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File opened (read-only) \??\s: C:\Windows\M35738\EmangEloh.exe N/A
File opened (read-only) \??\w: C:\Windows\M35738\EmangEloh.exe N/A
File opened (read-only) \??\o: C:\Windows\M35738\smss.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A
File opened (read-only) \??\r: C:\Windows\M35738\smss.exe N/A
File opened (read-only) \??\x: C:\Windows\M35738\EmangEloh.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A
File opened (read-only) \??\j: C:\Windows\M35738\EmangEloh.exe N/A
File opened (read-only) \??\p: C:\Windows\M35738\EmangEloh.exe N/A
File opened (read-only) \??\p: C:\Windows\M35738\smss.exe N/A
File opened (read-only) \??\q: C:\Windows\M35738\smss.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File opened (read-only) \??\h: C:\Windows\M35738\smss.exe N/A
File opened (read-only) \??\l: C:\Windows\M35738\smss.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A
File opened (read-only) \??\N: C:\Windows\M35738\smss.exe N/A
File opened (read-only) \??\w: C:\Windows\M35738\smss.exe N/A
File opened (read-only) \??\N: C:\Windows\M35738\EmangEloh.exe N/A
File opened (read-only) \??\k: C:\Windows\M35738\smss.exe N/A
File opened (read-only) \??\u: C:\Windows\M35738\EmangEloh.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A
File opened (read-only) \??\g: C:\Windows\M35738\smss.exe N/A
File opened (read-only) \??\l: C:\Windows\M35738\EmangEloh.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A
File opened (read-only) \??\j: C:\Windows\M35738\smss.exe N/A
File opened (read-only) \??\t: C:\Windows\M35738\EmangEloh.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\5165423751l.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\005165423751l.exe C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\5165423751l.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\5165423751l.exe C:\Windows\M35738\EmangEloh.exe N/A
File opened for modification C:\Windows\SysWOW64\X48123go\Z5165cie.cmd C:\Windows\M35738\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\M35738\smss.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\IME\shared\Windows Vista setup .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File created \??\c:\Windows\SysWOW64\IME\shared\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\IME\shared\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File created C:\Windows\SysWOW64\005165423751l.exe C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\M35738\EmangEloh.exe N/A
File created C:\Windows\SysWOW64\5165423751l.exe C:\Windows\M35738\EmangEloh.exe N/A
File opened for modification C:\Windows\SysWOW64\5165423751l.exe C:\Windows\M35738\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\X48123go\Z5165cie.cmd C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A
File created C:\Windows\SysWOW64\5165423751l.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\X48123go\Z005165cie.cmd C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\5165423751l.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\X48123go\Z5165cie.cmd C:\Windows\M35738\EmangEloh.exe N/A
File created C:\Windows\SysWOW64\X48123go\Z5165cie.cmd C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File created C:\Windows\SysWOW64\5165423751l.exe C:\Windows\M35738\smss.exe N/A
File created \??\c:\Windows\SysWOW64\IME\shared\Windows Vista setup .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\Windows Sidebar\Shared Gadgets\Data DosenKu .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File opened for modification \??\c:\Program Files\Windows Sidebar\Shared Gadgets\Data DosenKu .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File created \??\c:\Program Files (x86)\Common Files\microsoft shared\Data DosenKu .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\Windows Vista setup .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File created \??\c:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File opened for modification \??\c:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File created \??\c:\Program Files\Common Files\Microsoft Shared\THe Best Ungu .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\Windows Vista setup .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\THe Best Ungu .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\Data DosenKu .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File opened for modification \??\c:\Program Files (x86)\Google\Update\Download\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File created \??\c:\Program Files\DVD Maker\Shared\New mp3 BaraT !! .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File opened for modification \??\c:\Program Files\DVD Maker\Shared\New mp3 BaraT !! .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File created \??\c:\Program Files (x86)\Google\Update\Download\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\M35738\Ja734618bLay.com C:\Windows\M35738\smss.exe N/A
File created \??\c:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\Blink 182 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File opened for modification \??\c:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\Blink 182 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_d81c96999f75bd77\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File created C:\Windows\M35738\EmangEloh.exe C:\Windows\M35738\smss.exe N/A
File created C:\Windows\Ti423751ta.exe C:\Windows\M35738\smss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\M35738\EmangEloh.exe N/A
File created C:\Windows\M35738\Ja734618bLay.com C:\Windows\M35738\EmangEloh.exe N/A
File opened for modification C:\Windows\Ti423751ta.exe C:\Windows\M35738\EmangEloh.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\M35738\smss.exe N/A
File created C:\Windows\sa-643166.exe C:\Windows\M35738\smss.exe N/A
File opened for modification C:\Windows\sa-643166.exe C:\Windows\M35738\smss.exe N/A
File opened for modification C:\Windows\M35738 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A
File created C:\Windows\f763237 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\M35738 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File created C:\Windows\sa-643166.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File created C:\Windows\[TheMoonlight].txt C:\Windows\M35738\EmangEloh.exe N/A
File opened for modification \??\c:\Windows\ServiceProfiles\NetworkService\Downloads\Blink 182 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File opened for modification \??\c:\Windows\SoftwareDistribution\Download\Titip Folder Jangan DiHapus .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File created C:\Windows\M35738\EmangEloh.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File created C:\Windows\Ti423751ta.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File opened for modification C:\Windows\sa-643166.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A
File opened for modification C:\Windows\M35738 C:\Windows\M35738\EmangEloh.exe N/A
File created C:\Windows\M35738\Ja734618bLay.com C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A
File opened for modification C:\Windows\M35738\Ja734618bLay.com C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File created C:\Windows\f7608f6 C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\M35738\Ja734618bLay.com C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\M35738 C:\Windows\M35738\smss.exe N/A
File created C:\Windows\sa-643166.exe C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
File created C:\Windows\M35738\smss.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File created C:\Windows\sa-643166.exe C:\Windows\M35738\EmangEloh.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\Titip Folder Jangan DiHapus .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File created C:\Windows\M35738\smss.exe C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Ti423751ta.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File created C:\Windows\M35738\smss.exe C:\Windows\M35738\smss.exe N/A
File created C:\Windows\Ti423751ta.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A
File opened for modification \??\c:\Windows\Downloaded Program Files\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File created \??\c:\Windows\ServiceProfiles\LocalService\Downloads\Data DosenKu .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
File created C:\Windows\M35738\Ja734618bLay.com C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File created C:\Windows\M35738\smss.exe C:\Windows\M35738\EmangEloh.exe N/A
File opened for modification C:\Windows\M35738\EmangEloh.exe C:\Windows\M35738\smss.exe N/A
File created C:\Windows\M35738\smss.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A
File opened for modification \??\c:\Windows\ServiceProfiles\LocalService\Downloads\Data DosenKu .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File created C:\Windows\M35738\Ja734618bLay.com C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\M35738\EmangEloh.exe C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\sa-643166.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File created C:\Windows\M35738\EmangEloh.exe C:\Windows\M35738\EmangEloh.exe N/A
File opened for modification C:\Windows\Ti423751ta.exe C:\Windows\M35738\smss.exe N/A
File created C:\Windows\M35738\EmangEloh.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A
File created \??\c:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File opened for modification C:\Windows\M35738 C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\M35738\EmangEloh.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File opened for modification C:\Windows\M35738\EmangEloh.exe C:\Windows\M35738\EmangEloh.exe N/A
File opened for modification C:\Windows\M35738\Ja734618bLay.com C:\Windows\M35738\EmangEloh.exe N/A
File created C:\Windows\sa-643166.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A
File created \??\c:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\THe Best Ungu .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
File created C:\Windows\Ti423751ta.exe C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Ti423751ta.exe C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" C:\Windows\M35738\EmangEloh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Windows\M35738\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" C:\Windows\M35738\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Windows\M35738\EmangEloh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3064 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Windows\system32\Dwm.exe
PID 3064 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 3064 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Windows\system32\taskhost.exe
PID 3064 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 3064 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe
PID 3064 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe
PID 3064 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe
PID 3064 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe
PID 3064 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Windows\M35738\smss.exe
PID 3064 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Windows\M35738\smss.exe
PID 3064 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Windows\M35738\smss.exe
PID 3064 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Windows\M35738\smss.exe
PID 3064 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Windows\M35738\EmangEloh.exe
PID 3064 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Windows\M35738\EmangEloh.exe
PID 3064 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Windows\M35738\EmangEloh.exe
PID 3064 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Windows\M35738\EmangEloh.exe
PID 3064 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe
PID 3064 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe
PID 3064 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe
PID 3064 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe
PID 2144 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe C:\Windows\system32\Dwm.exe
PID 2144 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe C:\Windows\Explorer.EXE
PID 2144 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe C:\Windows\system32\taskhost.exe
PID 2144 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe C:\Windows\M35738\smss.exe
PID 2144 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe C:\Windows\M35738\smss.exe
PID 2144 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe C:\Windows\M35738\EmangEloh.exe
PID 2144 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe C:\Windows\M35738\EmangEloh.exe
PID 2144 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe
PID 2144 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe N/A

Processes

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\service.exe"

C:\Windows\M35738\smss.exe

"C:\Windows\M35738\smss.exe"

C:\Windows\M35738\EmangEloh.exe

"C:\Windows\M35738\EmangEloh.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O63636Z\winlogon.exe"

Network

N/A

Files

memory/3064-0-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3064-4-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/3064-5-0x0000000000280000-0x0000000000282000-memory.dmp

C:\Windows\M35738\EmangEloh.exe

MD5 689f2429f487490ae6174f4b46bcba10
SHA1 bf19586720f5af2b0228c7a32237079c45f7db0c
SHA256 9fc5d7feb266c4c6299881160168a49410136d12a28e1eafd13b02b1c65b8dde
SHA512 b4d76f1cd54cafebce529b8c9562c86512d02749209a357e550803f3df592266b875996e2a4d45fb315b9f384a0a723fe5d2fd2c9a483f84cc99a2efd1fdb268

memory/3064-7-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/3064-8-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/3064-11-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/3064-10-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/3064-13-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/3064-14-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/3064-55-0x0000000003100000-0x0000000003102000-memory.dmp

memory/3064-54-0x0000000003100000-0x0000000003102000-memory.dmp

memory/3064-53-0x0000000003110000-0x0000000003111000-memory.dmp

memory/3064-51-0x0000000003110000-0x0000000003111000-memory.dmp

memory/3064-50-0x0000000003100000-0x0000000003102000-memory.dmp

memory/1040-43-0x0000000001F90000-0x0000000001F92000-memory.dmp

memory/3064-12-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/3064-9-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/3064-15-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/3064-65-0x0000000005590000-0x00000000055A0000-memory.dmp

memory/2144-71-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3064-73-0x0000000005A10000-0x0000000005A3D000-memory.dmp

memory/3064-72-0x0000000005A10000-0x0000000005A3D000-memory.dmp

memory/3064-77-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2144-82-0x0000000000260000-0x0000000000262000-memory.dmp

memory/3064-76-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2684-105-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3064-104-0x0000000005C90000-0x0000000005CBD000-memory.dmp

memory/3064-103-0x0000000005C90000-0x0000000005CBD000-memory.dmp

memory/3064-102-0x00000000006B0000-0x000000000176A000-memory.dmp

C:\Windows\system\msvbvm60.dll

MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

memory/1852-112-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3064-111-0x00000000066B0000-0x00000000066DD000-memory.dmp

C:\Windows\[TheMoonlight].txt

MD5 68c7836c8ff19e87ca33a7959a2bdff5
SHA1 cc5d0205bb71c10bbed22fe47e59b1f6817daab7
SHA256 883b19ec550f7ddb1e274a83d58d66c771ab10fefd136bab79483f2eb84e7fec
SHA512 3656005148788ed7ac8f5b5f8f6f4736c2dc4a94771291170e61666beb81e63be2a1a0f2913233b0e3f12ddfa7f1e89da9cd8323306413395ee78b2ece7fbfe8

memory/3064-142-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/3064-145-0x0000000006700000-0x000000000672D000-memory.dmp

memory/3064-143-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/3064-163-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2144-223-0x0000000003D00000-0x0000000004DBA000-memory.dmp

memory/2144-218-0x0000000003D00000-0x0000000004DBA000-memory.dmp

memory/2144-243-0x00000000027B0000-0x00000000027B1000-memory.dmp

memory/2144-226-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 b207664e855ff477d8c1001f9c40b954
SHA1 694cc928ea0ebe0a71e20d8f72633edf1da7c014
SHA256 c9e1c276458bc90a85c8d87233352fbc5fe413d47ace1c7e8788ee1c0ad4cad4
SHA512 774161c2819fd3dab89281830c1411f522e56a6aca0d3cdd375edd2861706a86e9ebf99a618d3fde8fb7cb6970b0511f2347fd1da777deaa10343ba485e62ecc

memory/2144-224-0x0000000003D00000-0x0000000004DBA000-memory.dmp

memory/2144-222-0x0000000003D00000-0x0000000004DBA000-memory.dmp

memory/2144-225-0x0000000003D00000-0x0000000004DBA000-memory.dmp

memory/2684-477-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 07:16

Reported

2024-06-13 07:19

Platform

win10v2004-20240508-en

Max time kernel

26s

Max time network

116s

Command Line

"fontdrvhost.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O64747Z\\TuxO64747Z.exe\"" C:\Windows\M46840\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M46840\\Ja67831bLay.com\"" C:\Windows\M46840\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O64747Z\\TuxO64747Z.exe\"" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M46840\\Ja67831bLay.com\"" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O64747Z\\TuxO64747Z.exe\"" C:\Windows\M46840\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M46840\\Ja67831bLay.com\"" C:\Windows\M46840\smss.exe N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\M46840\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\M46840\EmangEloh.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\M46840\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\M46840\EmangEloh.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\M46840\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\M46840\EmangEloh.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\M46840\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\M46840\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\M46840\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\M46840\EmangEloh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\M46840\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\M46840\EmangEloh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\M46840\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\M46840\EmangEloh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A

Drops startup file

sql.cmd is written to the per-user Startup folder, so it runs at every interactive logon of that account.
Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd C:\Windows\M46840\smss.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd C:\Windows\M46840\EmangEloh.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
AntiVirusDisableNotify, FirewallDisableNotify, UpdatesDisableNotify, UacDisableNotify, AntiVirusOverride and FirewallOverride are the legacy Security Center notification-suppression and override values. They land under WOW6432Node because a 32-bit process on 64-bit Windows is redirected to that view of HKLM\SOFTWARE; a 64-bit hunt tool must query the WOW6432Node path explicitly.
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\T47Z274 = "C:\\Windows\\sa-865388.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\T1468388TT4 = "C:\\Windows\\system32\\227487655073l.exe" C:\Windows\M46840\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\T47Z274 = "C:\\Windows\\sa-865388.exe" C:\Windows\M46840\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\T1468388TT4 = "C:\\Windows\\system32\\227487655073l.exe" C:\Windows\M46840\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\T47Z274 = "C:\\Windows\\sa-865388.exe" C:\Windows\M46840\EmangEloh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\T1468388TT4 = "C:\\Windows\\system32\\227487655073l.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A

Checks whether UAC is enabled

evasion trojan
The two rows below are writes, not reads: EnableLUA is set to 0, which switches UAC off for the whole machine once it is restarted.
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
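The registry tables above (DisableRegistryTools, the Image File Execution Options debugger values, the Security Center values, the Run keys and EnableLUA) list each write once per writing process, in the kernel's \REGISTRY\MACHINE and \REGISTRY\USER\<SID> form. The Python below is an added example, not part of the sandbox report or of the malware: it parses rows in that exact format, merges rows that differ only by writing process, maps the hive to the HKLM/HKU names reg.exe uses, flags values written through the WOW6432Node view, and emits one reg query check per indicator. The sample rows are copied from the tables above; the category labels and the assumption that every process path begins with a drive letter are this example's own.

```python
"""Turn the registry rows of the signature tables above into de-duplicated,
hive-normalised indicators with a reg.exe check for each one (added example)."""
import re

# Rows copied from the tables above (constructed sample: a representative subset).
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\M46840\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\M46840\EmangEloh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\M46840\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" C:\Windows\M46840\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\T47Z274 = "C:\\Windows\\sa-865388.exe" C:\Windows\M46840\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\T1468388TT4 = "C:\\Windows\\system32\\227487655073l.exe" C:\Windows\M46840\EmangEloh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
"""

# Row shape: 'Set value (type) <path> = "<data>" <process> N/A' or 'Key created <path> <process> N/A'.
# Fields are unquoted and may contain spaces; the process path starting with a drive
# letter is the assumption used to split them.
SET_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.*?) = "(?P<data>.*)" '
                    r'(?P<proc>[A-Za-z]:\\.*) N/A$')
KEY_RE = re.compile(r'^Key created (?P<path>\\REGISTRY\\.*) (?P<proc>[A-Za-z]:\\.*) N/A$')
SID_RE = re.compile(r'^\\REGISTRY\\USER\\(S-1-5-21-[\d-]+)\\', re.I)

# Path fragment -> what writing it does (labels are this example's own).
RULES = (
    (r'\\Policies\\System\\DisableRegistryTools$', 'blocks regedit for that user'),
    (r'\\Policies\\System\\EnableLUA$', 'turns UAC off (effective after reboot)'),
    (r'\\Image File Execution Options\\[^\\]+\\debugger$',
     'IFEO debugger hijack: starting the named program runs the debugger instead'),
    (r'\\Image File Execution Options\\[^\\]+$', 'IFEO key for a hijack target'),
    (r'\\Security Center\\', 'Security Center notification/override tampering'),
    (r'\\CurrentVersion\\Run\\[^\\]+$', 'autorun entry'),
)


def normalise_hive(path):
    """Map the kernel object path the sandbox logs to the hive names reg.exe uses."""
    m = SID_RE.match(path)
    if m:
        return 'HKU\\' + m.group(1) + '\\' + path[m.end():], m.group(1)
    if path.upper().startswith('\\REGISTRY\\MACHINE\\'):
        return 'HKLM\\' + path[len('\\REGISTRY\\MACHINE\\'):], None
    return path, None


def classify(path):
    for pattern, label in RULES:
        if re.search(pattern, path, re.I):
            return label
    return 'uncategorised'


def parse_rows(text):
    """Return {normalised path: record}; rows that differ only by writing process merge."""
    found = {}
    for line in text.strip().splitlines():
        m = SET_RE.match(line) or KEY_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        path, sid = normalise_hive(d['path'])
        data = d.get('data')
        rec = found.setdefault(path, {
            'operation': 'set' if data is not None else 'key',
            'type': d.get('type'),
            # the report escapes backslashes inside REG_SZ data; undo that
            'data': data.replace('\\\\', '\\') if data is not None else None,
            # a 32-bit writer on 64-bit Windows lands under WOW6432Node; query that view
            'wow64_view': '\\WOW6432Node\\' in path,
            'user_sid': sid,
            'category': classify(path),
            'processes': set(),
        })
        rec['processes'].add(d['proc'])
    return found


def as_reg_query(path, operation='set'):
    """reg.exe check for one indicator (HKU\\<SID> resolves only while that hive is loaded)."""
    if operation == 'key':
        return f'reg query "{path}"'
    key, _, name = path.rpartition('\\')
    return f'reg query "{key}" /v {name}'


if __name__ == '__main__':
    for path, rec in parse_rows(SAMPLE_ROWS).items():
        print(f"{rec['category']:<75} {as_reg_query(path, rec['operation'])}")
        print(f"    data={rec['data']!r} written by {len(rec['processes'])} process(es)")
```

Run the printed reg query lines from an elevated prompt on a suspect host. The HKU\<SID> queries only resolve while that user's hive is loaded (the user is logged on, or the hive has been attached with reg load); the HKLM ones, including the WOW6432Node paths, resolve from any 64-bit shell.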

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\v: C:\Windows\M46840\EmangEloh.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A
File opened (read-only) \??\p: C:\Windows\M46840\smss.exe N/A
File opened (read-only) \??\t: C:\Windows\M46840\smss.exe N/A
File opened (read-only) \??\y: C:\Windows\M46840\smss.exe N/A
File opened (read-only) \??\s: C:\Windows\M46840\EmangEloh.exe N/A
File opened (read-only) \??\m: C:\Windows\M46840\smss.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A
File opened (read-only) \??\o: C:\Windows\M46840\smss.exe N/A
File opened (read-only) \??\e: C:\Windows\M46840\EmangEloh.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File opened (read-only) \??\r: C:\Windows\M46840\smss.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A
File opened (read-only) \??\p: C:\Windows\M46840\EmangEloh.exe N/A
File opened (read-only) \??\y: C:\Windows\M46840\EmangEloh.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A
File opened (read-only) \??\l: C:\Windows\M46840\EmangEloh.exe N/A
File opened (read-only) \??\z: C:\Windows\M46840\EmangEloh.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A
File opened (read-only) \??\k: C:\Windows\M46840\smss.exe N/A
File opened (read-only) \??\l: C:\Windows\M46840\smss.exe N/A
File opened (read-only) \??\h: C:\Windows\M46840\EmangEloh.exe N/A
File opened (read-only) \??\i: C:\Windows\M46840\EmangEloh.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A
File opened (read-only) \??\s: C:\Windows\M46840\smss.exe N/A
File opened (read-only) \??\x: C:\Windows\M46840\smss.exe N/A
File opened (read-only) \??\z: C:\Windows\M46840\smss.exe N/A
File opened (read-only) \??\N: C:\Windows\M46840\EmangEloh.exe N/A
File opened (read-only) \??\i: C:\Windows\M46840\smss.exe N/A
File opened (read-only) \??\v: C:\Windows\M46840\smss.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A
File opened (read-only) \??\j: C:\Windows\M46840\EmangEloh.exe N/A
File opened (read-only) \??\w: C:\Windows\M46840\EmangEloh.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File opened (read-only) \??\N: C:\Windows\M46840\smss.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File opened (read-only) \??\k: C:\Windows\M46840\EmangEloh.exe N/A
File opened (read-only) \??\m: C:\Windows\M46840\EmangEloh.exe N/A
File opened (read-only) \??\t: C:\Windows\M46840\EmangEloh.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File opened (read-only) \??\q: C:\Windows\M46840\EmangEloh.exe N/A
File opened (read-only) \??\r: C:\Windows\M46840\EmangEloh.exe N/A
File opened (read-only) \??\x: C:\Windows\M46840\EmangEloh.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A
File opened (read-only) \??\e: C:\Windows\M46840\smss.exe N/A
File opened (read-only) \??\g: C:\Windows\M46840\smss.exe N/A
File opened (read-only) \??\q: C:\Windows\M46840\smss.exe N/A
File opened (read-only) \??\u: C:\Windows\M46840\smss.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A
File opened (read-only) \??\h: C:\Windows\M46840\smss.exe N/A
File opened (read-only) \??\w: C:\Windows\M46840\smss.exe N/A
File opened (read-only) \??\g: C:\Windows\M46840\EmangEloh.exe N/A
File opened (read-only) \??\o: C:\Windows\M46840\EmangEloh.exe N/A

Drops file in System32 directory

msvbvm60.dll is the Visual Basic 6 runtime library. The SysWOW64 paths are where 64-bit Windows redirects a 32-bit process's writes to System32, which is why the Run value above names C:\Windows\system32\227487655073l.exe while the file itself is recorded under C:\Windows\SysWOW64.
Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\227487655073l.exe C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\227487655073l.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created C:\Windows\SysWOW64\227487655073l.exe C:\Windows\M46840\EmangEloh.exe N/A
File opened for modification C:\Windows\SysWOW64\X61345go\Z227487cie.cmd C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A
File created C:\Windows\SysWOW64\227487655073l.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A
File created \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\Data DosenKu .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\X61345go\Z227487cie.cmd C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\227487655073l.exe C:\Windows\M46840\EmangEloh.exe N/A
File opened for modification C:\Windows\SysWOW64\227487655073l.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\IME\SHARED\Titip Folder Jangan DiHapus .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\X61345go\Z227487cie.cmd C:\Windows\M46840\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\X61345go\Z227487cie.cmd C:\Windows\M46840\EmangEloh.exe N/A
File created \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\M46840\smss.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\227487655073l.exe C:\Windows\M46840\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\X61345go\Z227487cie.cmd C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created C:\Windows\SysWOW64\227487655073l.exe C:\Windows\M46840\smss.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\IME\SHARED\Norman virus Control 5.18 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\M46840\EmangEloh.exe N/A
File created \??\c:\Windows\SysWOW64\IME\SHARED\Norman virus Control 5.18 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Windows\SysWOW64\IME\SHARED\Titip Folder Jangan DiHapus .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created C:\Windows\SysWOW64\227487655073l.exe C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\227487655073l.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\Data DosenKu .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\Windows Sidebar\Shared Gadgets\Data DosenKu .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Program Files\Common Files\microsoft shared\Norman virus Control 5.18 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File opened for modification \??\c:\Program Files\Windows Sidebar\Shared Gadgets\Data DosenKu .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Blink 182 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Program Files (x86)\Common Files\Microsoft Shared\Windows Vista setup .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\Microsoft Shared\Windows Vista setup .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Program Files (x86)\Google\Update\Download\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Program Files\dotnet\shared\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\Gallery .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Program Files\Microsoft Office\Updates\Download\Windows Vista setup .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File opened for modification \??\c:\Program Files (x86)\Google\Update\Download\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File opened for modification \??\c:\Program Files\Common Files\microsoft shared\Norman virus Control 5.18 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File opened for modification \??\c:\Program Files\dotnet\shared\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\RaHasIA .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\RaHasIA .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\Updates\Download\Windows Vista setup .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\Gallery .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Blink 182 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Blink 182 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File opened for modification \??\c:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
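Two patterns run through the System32 and Program Files tables above. Every folder that receives one of the oddly named copies (Data DosenKu .exe, Lagu - Server .scr, TutoriaL HAcking .exe, Norman virus Control 5.18 .exe, Blink 182 .exe, Gallery .scr, Love Song .scr, RaHasIA .exe, Windows Vista setup .scr) has "share", "Shared" or "Download" somewhere in its path, and every such name carries a space immediately before its .exe or .scr extension; the component drops (227487655073l.exe, Z227487cie.cmd, msvbvm60.dll, the Startup-folder sql.cmd) follow neither rule. The Python below is an added example, not part of the report or of the malware: it encodes those two observations as a classifier and a hunt filter that can be run over a recursive directory listing of a suspect host. The paths are copied from the tables above; the "lure"/"component" labels and the keyword list are this example's own and are derived only from the rows on this page.

```python
"""Sort the file drops listed above into lure copies and malware components using the
naming pattern the lure copies share, and expose that pattern as a hunt predicate
(added example)."""
import re
import ntpath  # Windows path rules regardless of the host running this

# Paths copied from the tables above (constructed sample: a subset of the listed drops).
SAMPLE_PATHS = [
    r"C:\Windows\SysWOW64\227487655073l.exe",
    r"C:\Windows\SysWOW64\X61345go\Z227487cie.cmd",
    r"C:\Windows\SysWOW64\msvbvm60.dll",
    r"\??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\Data DosenKu .exe",
    r"\??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\Lagu - Server .scr",
    r"\??\c:\Windows\SysWOW64\IME\SHARED\Titip Folder Jangan DiHapus .exe",
    r"\??\c:\Program Files\Windows Sidebar\Shared Gadgets\Data DosenKu .exe",
    r"\??\c:\Program Files\Common Files\microsoft shared\Norman virus Control 5.18 .exe",
    r"\??\c:\Program Files (x86)\Google\Update\Download\TutoriaL HAcking .exe",
    r"\??\c:\Program Files\Microsoft Office\Updates\Download\Windows Vista setup .scr",
    r"\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\Love Song .scr",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd",
]

NT_PREFIX = re.compile(r'^\\\?\?\\')                  # the \??\ object-manager prefix the sandbox records
LURE_NAME = re.compile(r'\S \.(exe|scr|com)$', re.I)  # a space immediately before a runnable extension
FOLDER_HINT = re.compile(r'share|download', re.I)     # keyword list taken from the folders listed above


def strip_nt_prefix(path):
    return NT_PREFIX.sub('', path)


def is_lure_name(name):
    """True for names like 'Lagu - Server .scr': a space right before .exe/.scr/.com."""
    return LURE_NAME.search(name) is not None


def classify_drop(path):
    """'lure' for an enticingly named copy planted in a share/download folder, else 'component'."""
    folder, name = ntpath.split(strip_nt_prefix(path))
    return 'lure' if is_lure_name(name) and FOLDER_HINT.search(folder) else 'component'


def summarise(paths):
    """Distinct lure names, the folders they were planted in, and the component drops."""
    out = {'lure_names': set(), 'lure_folders': set(), 'components': set()}
    for p in paths:
        clean = strip_nt_prefix(p)
        folder, name = ntpath.split(clean)
        if classify_drop(p) == 'lure':
            out['lure_names'].add(name)
            out['lure_folders'].add(folder)
        else:
            out['components'].add(clean)
    return out


def hunt(listing):
    """Filter a directory listing (full paths) down to files matching the lure pattern.

    Meant to be fed a recursive listing of Program Files and C:\\Windows from a
    suspect host; here it runs over the sample list.
    """
    return sorted(p for p in listing if classify_drop(p) == 'lure')


if __name__ == '__main__':
    s = summarise(SAMPLE_PATHS)
    print('lure names:     ', sorted(s['lure_names']))
    print('planted in:     ', len(s['lure_folders']), 'folders, all matching', FOLDER_HINT.pattern)
    print('component drops:', sorted(s['components']))
```

The .scr extension is a screen saver, which Windows runs as an ordinary executable, so the lure filter treats it like .exe. The space-before-extension test is deliberately narrow: legitimate installers almost never produce such names, so it yields few false positives when run across Program Files and WinSxS, whereas the share/download keyword on its own would match a large number of benign folders.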

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\M46840\EmangEloh.exe C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
File created C:\Windows\Ti655073ta.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File opened for modification C:\Windows\Ti655073ta.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\Gallery .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_de598551b74a3964\THe Best Ungu .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_8c0b126c198fcf70\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_8fafa997b9980bea\Titip Folder Jangan DiHapus .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.746_none_b53f8b98f2b3a373\Gallery .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File opened for modification C:\Windows\Ti655073ta.exe C:\Windows\M46840\EmangEloh.exe N/A
File opened for modification \??\c:\Windows\ServiceProfiles\LocalService\Downloads\Data DosenKu .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_4756d423b091d10b\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File opened for modification C:\Windows\M46840 C:\Windows\M46840\smss.exe N/A
File opened for modification C:\Windows\sa-865388.exe C:\Windows\M46840\smss.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\Norman virus Control 5.18 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_93c5f32b7859ec4f\New mp3 BaraT !! .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_10.0.19041.1_none_1c68775f06732f08\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.1_none_4a03fd12cb3f16c2\Data DosenKu .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File opened for modification C:\Windows\M46840\EmangEloh.exe C:\Windows\M46840\smss.exe N/A
File created \??\c:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\THe Best Ungu .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.746_none_aaeae146be52e178\Titip Folder Jangan DiHapus .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_d58d4747b1d5988c\THe Best Ungu .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created C:\Windows\M46840\Ja67831bLay.com C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A
File opened for modification C:\Windows\sa-865388.exe C:\Windows\M46840\EmangEloh.exe N/A
File opened for modification C:\Windows\Ti655073ta.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.84_none_c494b3b28da10665\RaHasIA .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Windows\WinSxS\msil_microsoft.powershel..filedownloadmanager_31bf3856ad364e35_10.0.19041.1_none_cb69bad627df9263\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File opened for modification \??\c:\Windows\ServiceProfiles\NetworkService\Downloads\RaHasIA .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\Norman virus Control 5.18 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\New mp3 BaraT !! .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_965fbcbe4df0916b\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\M46840\smss.exe N/A
File created C:\Windows\sa-865388.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File opened for modification \??\c:\Windows\Downloaded Program Files\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_fad1fa0072ef4a3a\Blink 182 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_6242879b1c08046f\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_d12f2a9a88909fc2\Gallery .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\Blink 182 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created C:\Windows\M46840\smss.exe C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
File created C:\Windows\M46840\smss.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\Blink 182 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_56cd15352969a8d0\TutoriaL HAcking .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created C:\Windows\e574b90 C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File opened for modification C:\Windows\M46840\EmangEloh.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\Love Song .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-security-ntlmshared_31bf3856ad364e35_10.0.19041.1_none_7d9dab4e456449b1\RaHasIA .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created C:\Windows\system\msvbvm60.dll C:\Windows\M46840\smss.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_89c0bf1761110f07\RaHasIA .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_67a96afcfa248327\Blink 182 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created C:\Windows\M46840\EmangEloh.exe C:\Windows\M46840\smss.exe N/A
File opened for modification \??\c:\Windows\SystemResources\Windows.ShellCommon.SharedResources\Gallery .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File opened for modification C:\Windows\M46840 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A
File created \??\c:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\Blink 182 .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\Gallery .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_b1ffa0e7b4ed03e2\Windows Vista setup .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_en-us_64f5aaf4bb13ecef\Lagu - Server .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.84_none_cee95e04c201c860\RaHasIA .exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A
File created C:\Windows\sa-865388.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A
File created \??\c:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\Windows Vista setup .scr C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Windows\M46840\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" C:\Windows\M46840\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Windows\M46840\EmangEloh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" C:\Windows\M46840\EmangEloh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5092 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 5092 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 5092 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Windows\system32\dwm.exe
PID 5092 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Windows\system32\sihost.exe
PID 5092 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 5092 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Windows\system32\taskhostw.exe
PID 5092 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 5092 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 5092 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 5092 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 5092 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 5092 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 5092 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 5092 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 5092 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 5092 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe
PID 5092 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe
PID 5092 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe
PID 5092 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Windows\M46840\smss.exe
PID 5092 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Windows\M46840\smss.exe
PID 5092 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Windows\M46840\smss.exe
PID 5092 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Windows\M46840\EmangEloh.exe
PID 5092 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Windows\M46840\EmangEloh.exe
PID 5092 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Windows\M46840\EmangEloh.exe
PID 5092 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe
PID 5092 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe
PID 5092 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe
PID 3964 wrote to memory of 772 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe C:\Windows\system32\fontdrvhost.exe
PID 3964 wrote to memory of 776 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe C:\Windows\system32\fontdrvhost.exe
PID 3964 wrote to memory of 380 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe C:\Windows\system32\dwm.exe
PID 3964 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe C:\Windows\system32\sihost.exe
PID 3964 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe C:\Windows\system32\svchost.exe
PID 3964 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe C:\Windows\system32\taskhostw.exe
PID 3964 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe C:\Windows\Explorer.EXE
PID 3964 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe C:\Windows\system32\svchost.exe
PID 3964 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe C:\Windows\system32\DllHost.exe
PID 3964 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3964 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe C:\Windows\System32\RuntimeBroker.exe
PID 3964 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3964 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe C:\Windows\System32\RuntimeBroker.exe
PID 3964 wrote to memory of 336 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe C:\Windows\System32\RuntimeBroker.exe
PID 3964 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3964 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe C:\Windows\M46840\smss.exe
PID 3964 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe C:\Windows\M46840\smss.exe
PID 3964 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe C:\Windows\M46840\EmangEloh.exe
PID 3964 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe C:\Windows\M46840\EmangEloh.exe
PID 3964 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe
PID 3964 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe
PID 3964 wrote to memory of 772 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe C:\Windows\system32\fontdrvhost.exe
PID 3964 wrote to memory of 776 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe C:\Windows\system32\fontdrvhost.exe
PID 3964 wrote to memory of 380 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe C:\Windows\system32\dwm.exe
PID 3964 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe C:\Windows\system32\sihost.exe
PID 3964 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe C:\Windows\system32\svchost.exe
PID 3964 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe C:\Windows\system32\taskhostw.exe
PID 3964 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe C:\Windows\Explorer.EXE
PID 3964 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe C:\Windows\system32\svchost.exe
PID 3964 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe C:\Windows\system32\DllHost.exe
PID 3964 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3964 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe C:\Windows\System32\RuntimeBroker.exe
PID 3964 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3964 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe C:\Windows\System32\RuntimeBroker.exe
PID 3964 wrote to memory of 336 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe C:\Windows\System32\RuntimeBroker.exe
PID 3964 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\689f2429f487490ae6174f4b46bcba10_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\service.exe"

C:\Windows\M46840\smss.exe

"C:\Windows\M46840\smss.exe"

C:\Windows\M46840\EmangEloh.exe

"C:\Windows\M46840\EmangEloh.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O64747Z\winlogon.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\explorer.exe

explorer.exe /LOADSAVEDWINDOWS

Network

Files

memory/5092-0-0x0000000000400000-0x000000000042D000-memory.dmp

memory/5092-1-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/5092-3-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/5092-7-0x0000000003510000-0x0000000003511000-memory.dmp

memory/5092-19-0x00000000034F0000-0x00000000034F2000-memory.dmp

memory/5092-8-0x00000000007C0000-0x000000000187A000-memory.dmp

C:\Windows\M46840\EmangEloh.exe

MD5 689f2429f487490ae6174f4b46bcba10
SHA1 bf19586720f5af2b0228c7a32237079c45f7db0c
SHA256 9fc5d7feb266c4c6299881160168a49410136d12a28e1eafd13b02b1c65b8dde
SHA512 b4d76f1cd54cafebce529b8c9562c86512d02749209a357e550803f3df592266b875996e2a4d45fb315b9f384a0a723fe5d2fd2c9a483f84cc99a2efd1fdb268

memory/5092-22-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/5092-11-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/5092-55-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/5092-62-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/5092-14-0x0000000003500000-0x0000000003502000-memory.dmp

memory/5092-13-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/5092-10-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/5092-5-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/3964-74-0x0000000000400000-0x000000000042D000-memory.dmp

memory/5092-9-0x0000000003500000-0x0000000003502000-memory.dmp

memory/5092-6-0x0000000003500000-0x0000000003502000-memory.dmp

memory/4012-79-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3964-78-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4012-105-0x0000000000540000-0x0000000000542000-memory.dmp

memory/5112-137-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\system\msvbvm60.dll

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

memory/5092-139-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/5092-179-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\[TheMoonlight].txt

MD5 68c7836c8ff19e87ca33a7959a2bdff5
SHA1 cc5d0205bb71c10bbed22fe47e59b1f6817daab7
SHA256 883b19ec550f7ddb1e274a83d58d66c771ab10fefd136bab79483f2eb84e7fec
SHA512 3656005148788ed7ac8f5b5f8f6f4736c2dc4a94771291170e61666beb81e63be2a1a0f2913233b0e3f12ddfa7f1e89da9cd8323306413395ee78b2ece7fbfe8

memory/5092-168-0x0000000003500000-0x0000000003502000-memory.dmp

memory/5092-165-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/5092-140-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/3964-250-0x0000000002FA0000-0x000000000405A000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 8c9594c994d7b7b6294cfd477010dd75
SHA1 0ac9723c0a3d2602b0231cf6fc7a6f6d4488acb4
SHA256 5581acdef90d13724f746c4fb6d0b3ce7913d2b3cbdf2176d59062a13f079873
SHA512 b11dae4f6485bb1d3296bfa44dc282125490116973c63edec4052aa0fdc201149b545cff27aa63c36547f7e49778bebf999159ac9fb4eebfbe2af8707f494ec3

memory/3964-254-0x0000000002FA0000-0x000000000405A000-memory.dmp

memory/3964-252-0x0000000002FA0000-0x000000000405A000-memory.dmp

memory/3964-258-0x0000000002FA0000-0x000000000405A000-memory.dmp

memory/3964-257-0x0000000002FA0000-0x000000000405A000-memory.dmp

memory/3964-253-0x0000000002FA0000-0x000000000405A000-memory.dmp

memory/2920-279-0x0000000000730000-0x0000000000732000-memory.dmp

memory/3964-260-0x0000000002FA0000-0x000000000405A000-memory.dmp

memory/5112-278-0x0000000002090000-0x0000000002092000-memory.dmp

memory/4012-277-0x0000000002DC0000-0x0000000002DC2000-memory.dmp

memory/3964-276-0x0000000002360000-0x0000000002362000-memory.dmp

memory/3964-256-0x0000000002FA0000-0x000000000405A000-memory.dmp

memory/3964-255-0x0000000002FA0000-0x000000000405A000-memory.dmp

memory/2920-270-0x00000000007E0000-0x00000000007E1000-memory.dmp

memory/5112-268-0x0000000002C00000-0x0000000002C01000-memory.dmp

memory/4012-266-0x00000000033E0000-0x00000000033E1000-memory.dmp

memory/3964-264-0x0000000002C80000-0x0000000002C81000-memory.dmp

memory/3964-259-0x0000000002FA0000-0x000000000405A000-memory.dmp

memory/3964-284-0x0000000002FA0000-0x000000000405A000-memory.dmp

memory/3964-285-0x0000000002FA0000-0x000000000405A000-memory.dmp

memory/3964-290-0x0000000002FA0000-0x000000000405A000-memory.dmp

memory/2920-300-0x0000000000400000-0x000000000042D000-memory.dmp

memory/5112-299-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4012-298-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3964-297-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3964-301-0x0000000002FA0000-0x000000000405A000-memory.dmp

memory/3964-302-0x0000000002FA0000-0x000000000405A000-memory.dmp

memory/3964-304-0x0000000002FA0000-0x000000000405A000-memory.dmp

C:\qgcl.pif

MD5 f49988849532f902b2ff2e368d809650
SHA1 d3c7e864f1b38c93a77272143743854efe531eae
SHA256 2e4d4f65fbcd10dfe4e3797cf75f0bee75080663297b94372568a7e8d0fd76fa
SHA512 9ada69441ceb8a5eec94696ee97d2a065b5b92f86d87a6c56e4ff029acdf7a3d65fbdc7acf19eccab984f4b44c8ec380b2345c29557c9aaa229011072c9b3bac