Malware Analysis Report

2024-09-11 12:16

Sample ID 240619-gbn86avela
Target 9278f7e4298d6e46b1b5c12cc66d9bd0_NeikiAnalytics.exe
SHA256 0b9e26e1c94d4506b254d1a99717fc0b037370fe7fba7ba0aff509e150231732
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0b9e26e1c94d4506b254d1a99717fc0b037370fe7fba7ba0aff509e150231732

Threat Level: Known bad

The file 9278f7e4298d6e46b1b5c12cc66d9bd0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

UAC bypass

Windows security bypass

Sality

Modifies firewall policy service

Loads dropped DLL

UPX packed file

Executes dropped EXE

Windows security modification

Enumerates connected drives

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-19 05:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 05:38

Reported

2024-06-19 05:40

Platform

win7-20240611-en

Max time kernel

118s

Max time network

119s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f7633bd.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f7633bd.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f7617f4.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f7617f4.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f7619a8.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f7619a8.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f7617f4.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f7619a8.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f7633bd.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7633bd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7617f4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7619a8.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7617f4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7619a8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7633bd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7617f4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7617f4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7619a8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7619a8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7633bd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7633bd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7633bd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7617f4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7619a8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7619a8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7619a8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7633bd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7633bd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7617f4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7617f4.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7633bd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f7633bd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7617f4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f7617f4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7617f4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7619a8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7619a8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7633bd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7633bd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7633bd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7617f4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7617f4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7619a8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f7619a8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7633bd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7619a8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7619a8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7619a8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7633bd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7617f4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7617f4.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7619a8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7633bd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7617f4.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f7617f4.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f7617f4.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f7617f4.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f7617f4.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f7617f4.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f7617f4.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f7617f4.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f7617f4.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f7617f4.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f7617f4.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f7617f4.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f761870 C:\Users\Admin\AppData\Local\Temp\f7617f4.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f7617f4.exe N/A
File created C:\Windows\f7668b2 C:\Users\Admin\AppData\Local\Temp\f7619a8.exe N/A
File created C:\Windows\f76823a C:\Users\Admin\AppData\Local\Temp\f7633bd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7617f4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7619a8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7633bd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1208 wrote to memory of 2848 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2848 wrote to memory of 2864 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7617f4.exe
PID 2864 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\f7617f4.exe C:\Windows\system32\taskhost.exe
PID 2864 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\f7617f4.exe C:\Windows\system32\Dwm.exe
PID 2864 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\f7617f4.exe C:\Windows\Explorer.EXE
PID 2864 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\f7617f4.exe C:\Windows\system32\DllHost.exe
PID 2864 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\f7617f4.exe C:\Windows\system32\rundll32.exe
PID 2864 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\f7617f4.exe C:\Windows\SysWOW64\rundll32.exe
PID 2848 wrote to memory of 2616 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7619a8.exe
PID 2848 wrote to memory of 2732 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7633bd.exe
PID 2864 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\f7617f4.exe C:\Users\Admin\AppData\Local\Temp\f7619a8.exe
PID 2864 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\f7617f4.exe C:\Users\Admin\AppData\Local\Temp\f7633bd.exe
PID 2616 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\f7619a8.exe C:\Windows\system32\taskhost.exe
PID 2616 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\f7619a8.exe C:\Windows\system32\Dwm.exe
PID 2616 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\f7619a8.exe C:\Windows\Explorer.EXE
PID 2732 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\f7633bd.exe C:\Windows\system32\taskhost.exe
PID 2732 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\f7633bd.exe C:\Windows\system32\Dwm.exe
PID 2732 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\f7633bd.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7617f4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7619a8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7633bd.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\9278f7e4298d6e46b1b5c12cc66d9bd0_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\9278f7e4298d6e46b1b5c12cc66d9bd0_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\f7617f4.exe

C:\Users\Admin\AppData\Local\Temp\f7617f4.exe

C:\Users\Admin\AppData\Local\Temp\f7619a8.exe

C:\Users\Admin\AppData\Local\Temp\f7619a8.exe

C:\Users\Admin\AppData\Local\Temp\f7633bd.exe

C:\Users\Admin\AppData\Local\Temp\f7633bd.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\f7617f4.exe

MD5 35d6c814d11fe50533ce6b64ac522302
SHA1 15750ed485678b400f7507f14a77c98bc79ff26f
SHA256 e99bd1752ec86b9c651ec9f58274dd1a58615e0f58051b9c028900280fc60f88
SHA512 3337c761ff4097c3b184a0af429a05ee7d1247578381194f019bfed0d364233e6be00e9b92c28ff7c234ef4a1a15f9348272ebd741fd0cadc2fba2599cb7d03c

C:\Windows\SYSTEM.INI

MD5 4e990df44f62667dfbf0dafd1236a37b
SHA1 48a119a46ea7b51145f2bf6e377c50055cb6f04f
SHA256 d41a5ddb0098f08b82fbaf219ada2fcfdbdd6d733f3e404695a5843b6bbd1ce9
SHA512 f80a9245619a48a80438fe7376e03e1ced45ddb5df694b50ecd1351047e6eba88b0addbe2e688c75be8c8f3350d9245716457b87ec6a6669708bf05207f97998


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 05:38

Reported

2024-06-19 05:40

Platform

win10v2004-20240611-en

Max time kernel

146s

Max time network

132s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e57db3d.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e57db3d.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e57f77f.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e57db3d.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e57f77f.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e57f77f.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57db3d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57f77f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57db3d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57db3d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57f77f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57f77f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57f77f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57db3d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57f77f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57f77f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57db3d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57db3d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57f77f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57db3d.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57f77f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57db3d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57db3d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57db3d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57f77f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57f77f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57db3d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57db3d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57db3d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57f77f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57db3d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57f77f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57f77f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57f77f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57db3d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57f77f.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e57d4f3 C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe N/A
File created C:\Windows\e5829da C:\Users\Admin\AppData\Local\Temp\e57db3d.exe N/A
File created C:\Windows\e5845ed C:\Users\Admin\AppData\Local\Temp\e57f77f.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1036 wrote to memory of 512 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 512 wrote to memory of 3636 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe
PID 3636 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe C:\Windows\system32\fontdrvhost.exe
PID 3636 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe C:\Windows\system32\fontdrvhost.exe
PID 3636 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe C:\Windows\system32\dwm.exe
PID 3636 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe C:\Windows\system32\sihost.exe
PID 3636 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe C:\Windows\system32\svchost.exe
PID 3636 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe C:\Windows\system32\taskhostw.exe
PID 3636 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe C:\Windows\Explorer.EXE
PID 3636 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe C:\Windows\system32\svchost.exe
PID 3636 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe C:\Windows\system32\DllHost.exe
PID 3636 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3636 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe C:\Windows\System32\RuntimeBroker.exe
PID 3636 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3636 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe C:\Windows\System32\RuntimeBroker.exe
PID 3636 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3636 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3636 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3636 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe C:\Windows\System32\RuntimeBroker.exe
PID 3636 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3636 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3636 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3636 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3636 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3636 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe C:\Windows\system32\rundll32.exe
PID 3636 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe C:\Windows\SysWOW64\rundll32.exe
PID 512 wrote to memory of 840 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57db3d.exe
PID 512 wrote to memory of 3276 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57f77f.exe
PID 3636 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe C:\Users\Admin\AppData\Local\Temp\e57db3d.exe
PID 3636 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe C:\Users\Admin\AppData\Local\Temp\e57db3d.exe
PID 3636 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe C:\Windows\System32\RuntimeBroker.exe
PID 3636 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe C:\Windows\System32\RuntimeBroker.exe
PID 3636 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57db3d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57f77f.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=125.0.2535.92 --initial-client-data=0x23c,0x240,0x244,0x238,0x250,0x7ff95ed54ef8,0x7ff95ed54f04,0x7ff95ed54f10

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1712,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=2256 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1884,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=3184 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2392,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=3648 /prefetch:8

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\9278f7e4298d6e46b1b5c12cc66d9bd0_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\9278f7e4298d6e46b1b5c12cc66d9bd0_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe

C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe

C:\Users\Admin\AppData\Local\Temp\e57db3d.exe

C:\Users\Admin\AppData\Local\Temp\e57db3d.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4164,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=3444 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\e57f77f.exe

C:\Users\Admin\AppData\Local\Temp\e57f77f.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\e57d4a5.exe

MD5 35d6c814d11fe50533ce6b64ac522302
SHA1 15750ed485678b400f7507f14a77c98bc79ff26f
SHA256 e99bd1752ec86b9c651ec9f58274dd1a58615e0f58051b9c028900280fc60f88
SHA512 3337c761ff4097c3b184a0af429a05ee7d1247578381194f019bfed0d364233e6be00e9b92c28ff7c234ef4a1a15f9348272ebd741fd0cadc2fba2599cb7d03c

C:\Windows\SYSTEM.INI

MD5 bd8f399fcc1385a983a0850c33f9eda3
SHA1 998b8ecb10a35f988ba440c0be36590cfb16440c
SHA256 588a5e2067d668df01ad090972e0f4c18e25b839eb0d96a4b8cd539314daa831
SHA512 4f0402f825f4f7e40b441fa707c1863c85ea85d692d3bc6eb814a142da61120ae856d4db03ac44a45f6b9246f7100a4199b9a0b7859349d060accde17839f108
