Malware Analysis Report

2024-09-11 12:19

Sample ID 240617-kh21dawhpp
Target 6b88e58ff534616b9a7383cc614e2630_NeikiAnalytics.exe
SHA256 291d6986985ecb6ef6dc57ce9b049f8cf15653fe4020a8a5b5bd7398d412d58d
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

291d6986985ecb6ef6dc57ce9b049f8cf15653fe4020a8a5b5bd7398d412d58d

Threat Level: Known bad

The file 6b88e58ff534616b9a7383cc614e2630_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Windows security bypass

UAC bypass

Modifies firewall policy service

Sality

Windows security modification

UPX packed file

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

System policy modification

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Create or Modify System Process
T1543
Windows Service
T1543.003
Privilege Escalation
TA0004
Create or Modify System Process
T1543
Windows Service
T1543.003
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Defense Evasion
TA0005
Modify Registry
T1112
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Impair Defenses
T1562
Disable or Modify Tools
T1562.001
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Peripheral Device Discovery
T1120
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-17 08:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 08:36

Reported

2024-06-17 08:39

Platform

win7-20240611-en

Max time kernel

121s

Max time network

126s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f764efa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f764c4c C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
File created C:\Windows\f76a46a C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2444 wrote to memory of 2584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2444 wrote to memory of 2584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2444 wrote to memory of 2584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2444 wrote to memory of 2584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2444 wrote to memory of 2584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2444 wrote to memory of 2584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2444 wrote to memory of 2584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2584 wrote to memory of 2192 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f764b81.exe
PID 2584 wrote to memory of 2192 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f764b81.exe
PID 2584 wrote to memory of 2192 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f764b81.exe
PID 2584 wrote to memory of 2192 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f764b81.exe
PID 2192 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\f764b81.exe C:\Windows\system32\taskhost.exe
PID 2192 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\f764b81.exe C:\Windows\system32\Dwm.exe
PID 2192 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\f764b81.exe C:\Windows\Explorer.EXE
PID 2192 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\f764b81.exe C:\Windows\system32\DllHost.exe
PID 2192 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\f764b81.exe C:\Windows\system32\rundll32.exe
PID 2192 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\f764b81.exe C:\Windows\SysWOW64\rundll32.exe
PID 2192 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\f764b81.exe C:\Windows\SysWOW64\rundll32.exe
PID 2584 wrote to memory of 2544 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f764efa.exe
PID 2584 wrote to memory of 2544 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f764efa.exe
PID 2584 wrote to memory of 2544 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f764efa.exe
PID 2584 wrote to memory of 2544 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f764efa.exe
PID 2584 wrote to memory of 2172 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7667d7.exe
PID 2584 wrote to memory of 2172 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7667d7.exe
PID 2584 wrote to memory of 2172 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7667d7.exe
PID 2584 wrote to memory of 2172 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7667d7.exe
PID 2192 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\f764b81.exe C:\Windows\system32\taskhost.exe
PID 2192 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\f764b81.exe C:\Windows\system32\Dwm.exe
PID 2192 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\f764b81.exe C:\Windows\Explorer.EXE
PID 2192 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\f764b81.exe C:\Users\Admin\AppData\Local\Temp\f764efa.exe
PID 2192 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\f764b81.exe C:\Users\Admin\AppData\Local\Temp\f764efa.exe
PID 2192 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\f764b81.exe C:\Users\Admin\AppData\Local\Temp\f7667d7.exe
PID 2192 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\f764b81.exe C:\Users\Admin\AppData\Local\Temp\f7667d7.exe
PID 2172 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\f7667d7.exe C:\Windows\system32\taskhost.exe
PID 2172 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\f7667d7.exe C:\Windows\system32\Dwm.exe
PID 2172 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\f7667d7.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7667d7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f764b81.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b88e58ff534616b9a7383cc614e2630_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b88e58ff534616b9a7383cc614e2630_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\f764b81.exe

C:\Users\Admin\AppData\Local\Temp\f764b81.exe

C:\Users\Admin\AppData\Local\Temp\f764efa.exe

C:\Users\Admin\AppData\Local\Temp\f764efa.exe

C:\Users\Admin\AppData\Local\Temp\f7667d7.exe

C:\Users\Admin\AppData\Local\Temp\f7667d7.exe

Network

N/A

Files

memory/2584-1-0x0000000010000000-0x0000000010020000-memory.dmp

\Users\Admin\AppData\Local\Temp\f764b81.exe

MD5 d5f0a46918cbb64f792c16ee0fd59269
SHA1 3b80fb9ce95e3c6985c91e5e00142c702f797012
SHA256 85ca6e11cdfb3bf38dbb146e9b765ccce21c8e9f49fbd88737223b43e538ab9f
SHA512 7c77a846e96ecaaa1f9b7b1cfa92d90f445fc2bc7fae93ed83eea1601b734a315987209f8696a8fd9b0d8343dfa56650ad9f7ad6032154d65e2ecf95ec51cf90

memory/2584-10-0x0000000000130000-0x0000000000142000-memory.dmp

memory/2192-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2584-9-0x0000000000130000-0x0000000000142000-memory.dmp

memory/2192-12-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2192-16-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2192-18-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2192-19-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2584-47-0x0000000000200000-0x0000000000201000-memory.dmp

memory/2544-62-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2584-61-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2584-60-0x0000000000210000-0x0000000000222000-memory.dmp

memory/2192-59-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/2584-57-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2192-22-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2584-37-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2584-38-0x0000000000200000-0x0000000000201000-memory.dmp

memory/1236-28-0x0000000000390000-0x0000000000392000-memory.dmp

memory/2192-17-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2192-50-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/2192-14-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2192-21-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2192-48-0x00000000004A0000-0x00000000004A1000-memory.dmp

memory/2192-15-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2192-64-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2192-20-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2192-63-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2192-65-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2192-66-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2192-67-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2192-69-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2192-70-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2172-84-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2584-82-0x0000000000130000-0x0000000000136000-memory.dmp

memory/2584-80-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2584-74-0x00000000002C0000-0x00000000002D2000-memory.dmp

memory/2192-85-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2192-87-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2192-88-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2192-91-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2192-92-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2544-104-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2172-114-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/2172-113-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2544-112-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2544-103-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2544-156-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2192-155-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2192-154-0x00000000006C0000-0x000000000177A000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 a3ead860a0e85c0ad5191c443ffc570a
SHA1 cf0f62100d03754cc50498d2a455e027e256bf89
SHA256 61396fbe6e5366d3bbe19c9b51e827403c19676e51d011311f5dbf92c35abc2e
SHA512 e82c08ae994461a8bf802bc93f762dbe26a06e3070946accd770a18e4d363c26f868d3551a4cc6010a932fa667dafc495b7f2ca2cd098b12df251c5b8f76b7bb

memory/2172-165-0x0000000000900000-0x00000000019BA000-memory.dmp

memory/2172-197-0x0000000000900000-0x00000000019BA000-memory.dmp

memory/2172-196-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 08:36

Reported

2024-06-17 08:39

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

147s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e58050c.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e58050c.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e58050c.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e58050c.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e58050c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e58050c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e58050c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e58050c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e58050c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e58050c.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e58050c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e583728.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e583812.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e58050c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e58050c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e58050c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e58050c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e58050c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e58050c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e58050c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e58050c.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e58050c.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e58050c.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e58050c.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e58050c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e585956 C:\Users\Admin\AppData\Local\Temp\e58050c.exe N/A
File created C:\Windows\e5801a1 C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e58050c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e58050c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4188 wrote to memory of 4184 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4188 wrote to memory of 4184 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4188 wrote to memory of 4184 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4184 wrote to memory of 944 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57fe26.exe
PID 4184 wrote to memory of 944 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57fe26.exe
PID 4184 wrote to memory of 944 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57fe26.exe
PID 944 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Windows\system32\fontdrvhost.exe
PID 944 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Windows\system32\fontdrvhost.exe
PID 944 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Windows\system32\dwm.exe
PID 944 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Windows\system32\sihost.exe
PID 944 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Windows\system32\svchost.exe
PID 944 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Windows\system32\taskhostw.exe
PID 944 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Windows\Explorer.EXE
PID 944 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Windows\system32\svchost.exe
PID 944 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Windows\system32\DllHost.exe
PID 944 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 944 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Windows\System32\RuntimeBroker.exe
PID 944 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 944 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Windows\System32\RuntimeBroker.exe
PID 944 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Windows\System32\RuntimeBroker.exe
PID 944 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 944 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 944 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 944 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 944 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 944 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 944 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 944 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 944 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Windows\system32\rundll32.exe
PID 944 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Windows\SysWOW64\rundll32.exe
PID 944 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Windows\SysWOW64\rundll32.exe
PID 4184 wrote to memory of 4616 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e58050c.exe
PID 4184 wrote to memory of 4616 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e58050c.exe
PID 4184 wrote to memory of 4616 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e58050c.exe
PID 944 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Windows\system32\fontdrvhost.exe
PID 944 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Windows\system32\fontdrvhost.exe
PID 944 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Windows\system32\dwm.exe
PID 944 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Windows\system32\sihost.exe
PID 944 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Windows\system32\svchost.exe
PID 944 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Windows\system32\taskhostw.exe
PID 944 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Windows\Explorer.EXE
PID 944 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Windows\system32\svchost.exe
PID 944 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Windows\system32\DllHost.exe
PID 944 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 944 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Windows\System32\RuntimeBroker.exe
PID 944 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 944 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Windows\System32\RuntimeBroker.exe
PID 944 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Windows\System32\RuntimeBroker.exe
PID 944 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 944 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 944 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 944 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 944 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 944 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 944 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 944 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 944 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Windows\system32\rundll32.exe
PID 944 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Users\Admin\AppData\Local\Temp\e58050c.exe
PID 944 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\e57fe26.exe C:\Users\Admin\AppData\Local\Temp\e58050c.exe
PID 4184 wrote to memory of 4504 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e583728.exe
PID 4184 wrote to memory of 4504 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e583728.exe
PID 4184 wrote to memory of 4504 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e583728.exe
PID 4184 wrote to memory of 1492 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e583812.exe
PID 4184 wrote to memory of 1492 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e583812.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57fe26.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e58050c.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2b4,0x7ffdb24e2e98,0x7ffdb24e2ea4,0x7ffdb24e2eb0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2268 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3228 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3336 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5396 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5524 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:1

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b88e58ff534616b9a7383cc614e2630_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b88e58ff534616b9a7383cc614e2630_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\e57fe26.exe

C:\Users\Admin\AppData\Local\Temp\e57fe26.exe

C:\Users\Admin\AppData\Local\Temp\e58050c.exe

C:\Users\Admin\AppData\Local\Temp\e58050c.exe

C:\Users\Admin\AppData\Local\Temp\e583728.exe

C:\Users\Admin\AppData\Local\Temp\e583728.exe

C:\Users\Admin\AppData\Local\Temp\e583812.exe

C:\Users\Admin\AppData\Local\Temp\e583812.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3700 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
DE 142.250.184.202:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 i.pki.goog udp
US 8.8.8.8:53 i.pki.goog udp
US 8.8.8.8:53 202.184.250.142.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 i.pki.goog udp
US 8.8.8.8:53 i.pki.goog udp
DE 172.217.18.3:80 i.pki.goog tcp
DE 172.217.18.3:80 i.pki.goog tcp
US 8.8.8.8:53 3.18.217.172.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp

Files

memory/4184-0-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e57fe26.exe

MD5 d5f0a46918cbb64f792c16ee0fd59269
SHA1 3b80fb9ce95e3c6985c91e5e00142c702f797012
SHA256 85ca6e11cdfb3bf38dbb146e9b765ccce21c8e9f49fbd88737223b43e538ab9f
SHA512 7c77a846e96ecaaa1f9b7b1cfa92d90f445fc2bc7fae93ed83eea1601b734a315987209f8696a8fd9b0d8343dfa56650ad9f7ad6032154d65e2ecf95ec51cf90

memory/944-4-0x0000000000400000-0x0000000000412000-memory.dmp

memory/944-7-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/944-9-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/944-11-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/944-14-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/944-13-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/944-12-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/944-10-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/944-18-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/944-31-0x00000000037A0000-0x00000000037A2000-memory.dmp

memory/4616-35-0x0000000000400000-0x0000000000412000-memory.dmp

memory/944-32-0x00000000037A0000-0x00000000037A2000-memory.dmp

memory/4184-29-0x0000000000C80000-0x0000000000C82000-memory.dmp

memory/944-27-0x0000000004370000-0x0000000004371000-memory.dmp

memory/4184-25-0x0000000000C80000-0x0000000000C82000-memory.dmp

memory/4184-24-0x0000000001010000-0x0000000001011000-memory.dmp

memory/4184-23-0x0000000000C80000-0x0000000000C82000-memory.dmp

memory/944-15-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/944-17-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4616-40-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4616-39-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/944-36-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/944-37-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4616-41-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4504-47-0x0000000000400000-0x0000000000412000-memory.dmp

memory/944-42-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4184-51-0x0000000000C80000-0x0000000000C82000-memory.dmp

memory/944-56-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/944-55-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/944-58-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/944-59-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/944-78-0x0000000000400000-0x0000000000412000-memory.dmp

memory/944-66-0x00000000037A0000-0x00000000037A2000-memory.dmp

memory/944-62-0x0000000000830000-0x00000000018EA000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 f45770d49443428a62f6fb9f2474232d
SHA1 a138a5d7ede2bd32728662d7027e026c63192d6c
SHA256 b0f0850b9c09eb7c1aacf891a987c7bfc8b449e37e2eb26dd75cbd360697fca4
SHA512 3315c381eb5c40b90948a0145fbb7c9c46bc624e7843b990c14e02b6b9b91652459a45e7b32f9314178068c8b518911461d37046442aff023a4cf694b708d1c2

memory/4616-90-0x0000000000B30000-0x0000000001BEA000-memory.dmp

memory/4616-81-0x0000000000B30000-0x0000000001BEA000-memory.dmp

memory/4616-82-0x0000000000B30000-0x0000000001BEA000-memory.dmp

memory/4616-85-0x0000000000B30000-0x0000000001BEA000-memory.dmp

memory/1492-99-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/1492-101-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4504-100-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4504-97-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/4616-89-0x0000000000B30000-0x0000000001BEA000-memory.dmp

memory/4616-87-0x0000000000B30000-0x0000000001BEA000-memory.dmp

memory/4616-86-0x0000000000B30000-0x0000000001BEA000-memory.dmp

memory/4616-88-0x0000000000B30000-0x0000000001BEA000-memory.dmp

memory/4616-84-0x0000000000B30000-0x0000000001BEA000-memory.dmp

memory/4616-83-0x0000000000B30000-0x0000000001BEA000-memory.dmp

memory/4616-132-0x0000000000B30000-0x0000000001BEA000-memory.dmp

memory/4616-133-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4504-137-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1492-141-0x0000000000400000-0x0000000000412000-memory.dmp