Malware Analysis Report

2024-11-16 13:20

Sample ID 240519-tgggqaec29
Target ebfca5eb1fe5314acf04624ea5227f80_NeikiAnalytics.exe
SHA256 b7536f7eec8be8da8b3ab2252ce1e750e4d631941ab286ad14b5ae76642ec494
Tags sality backdoor evasion trojan upx
Score 10/10

Analysis Overview

Score 10/10

SHA256 b7536f7eec8be8da8b3ab2252ce1e750e4d631941ab286ad14b5ae76642ec494

Threat Level: Known bad

The file ebfca5eb1fe5314acf04624ea5227f80_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Modifies firewall policy service

UAC bypass

Sality

Windows security bypass

Executes dropped EXE

Loads dropped DLL

Windows security modification

UPX packed file

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-19 16:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 16:01

Reported

2024-05-19 16:04

Platform

win7-20240221-en

Max time kernel

119s

Max time network

120s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f76230b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f76230b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f763eb5.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f763eb5.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f763eb5.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f76230b.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76230b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763eb5.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76230b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76230b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763eb5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76230b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76230b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76230b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763eb5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763eb5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763eb5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763eb5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763eb5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76230b.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (24 identical entries)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76230b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76230b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763eb5.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f763eb5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76230b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763eb5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76230b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76230b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763eb5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76230b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f76230b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763eb5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763eb5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763eb5.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76230b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763eb5.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f76230b.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f76230b.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f76230b.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f76230b.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f76230b.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f76230b.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f76230b.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f763eb5.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f763eb5.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f76230b.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f76230b.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f76230b.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f76230b.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f76230b.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f76230b.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f76230b.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f7623a7 C:\Users\Admin\AppData\Local\Temp\f76230b.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f76230b.exe N/A
File created C:\Windows\f767407 C:\Users\Admin\AppData\Local\Temp\f763eb5.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f76230b.exe N/A (2 identical entries)
N/A N/A C:\Users\Admin\AppData\Local\Temp\f763eb5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76230b.exe N/A (21 identical entries)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763eb5.exe N/A (20 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2088 wrote to memory of 2356 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (7 identical entries)
PID 2356 wrote to memory of 2328 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76230b.exe (4 identical entries)
PID 2328 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\f76230b.exe C:\Windows\system32\taskhost.exe
PID 2328 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\f76230b.exe C:\Windows\system32\Dwm.exe
PID 2328 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\f76230b.exe C:\Windows\Explorer.EXE
PID 2328 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\f76230b.exe C:\Windows\system32\DllHost.exe
PID 2328 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\f76230b.exe C:\Windows\system32\rundll32.exe
PID 2328 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\f76230b.exe C:\Windows\SysWOW64\rundll32.exe (2 identical entries)
PID 2356 wrote to memory of 2468 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7624cf.exe (4 identical entries)
PID 2356 wrote to memory of 1660 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763eb5.exe (4 identical entries)
PID 2328 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\f76230b.exe C:\Windows\system32\taskhost.exe
PID 2328 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\f76230b.exe C:\Windows\system32\Dwm.exe
PID 2328 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\f76230b.exe C:\Windows\Explorer.EXE
PID 2328 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\f76230b.exe C:\Users\Admin\AppData\Local\Temp\f7624cf.exe (2 identical entries)
PID 2328 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\f76230b.exe C:\Users\Admin\AppData\Local\Temp\f763eb5.exe (2 identical entries)
PID 1660 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\f763eb5.exe C:\Windows\system32\taskhost.exe
PID 1660 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\f763eb5.exe C:\Windows\system32\Dwm.exe
PID 1660 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\f763eb5.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76230b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763eb5.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ebfca5eb1fe5314acf04624ea5227f80_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ebfca5eb1fe5314acf04624ea5227f80_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\f76230b.exe

C:\Users\Admin\AppData\Local\Temp\f76230b.exe

C:\Users\Admin\AppData\Local\Temp\f7624cf.exe

C:\Users\Admin\AppData\Local\Temp\f7624cf.exe

C:\Users\Admin\AppData\Local\Temp\f763eb5.exe

C:\Users\Admin\AppData\Local\Temp\f763eb5.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\f76230b.exe

MD5 83ba9a6df62dc7feaa3cd75a79cc5fcc
SHA1 37ed27be3fbbb254bc9f3aff2b5182c8b2d516a4
SHA256 11ca568df897952a6f1b3bd146adf2f1f47c4bf776f4a88a17a3a77e633b01c5
SHA512 4970493956aa717dd56d02eb30af0efbf79859eaa795137705fcf2b527d13c47db845774332096781639babad6a892df48580f096aac55c16e01ddbd78e9a6e6

C:\Windows\SYSTEM.INI

MD5 d0573f67fe73c6c8a9883776c776aa8e
SHA1 2dcc4861083f4bac751266201007ab5fe972a394
SHA256 de879d0039f20b33679dff7ffbd96bc336352c3053b0fece27d262c1ba67ab8b
SHA512 8d48a533e54a0fa8065d7236eb4676614f1a4574651b78f5431f85682d80d1475859a60dd005f7940ca231165b79c38bb376a0243e36402035ad1412ba4ae1d8


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 16:01

Reported

2024-05-19 16:04

Platform

win10v2004-20240508-en

Max time kernel

131s

Max time network

145s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e583bac.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e583bac.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e583bac.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e583bac.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e583bac.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e583bac.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e583bac.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e583bac.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e583bac.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e583bac.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (27 identical entries)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e583bac.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e583bac.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e583bac.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e583bac.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e583bac.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e583bac.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e583bac.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e583bac.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e583bac.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e583bac.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e583bac.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e583bac.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e583bac.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e580c6f C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
File created C:\Windows\e5862fb C:\Users\Admin\AppData\Local\Temp\e583bac.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A (33 identical entries)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5036 wrote to memory of 4916 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5036 wrote to memory of 4916 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5036 wrote to memory of 4916 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4916 wrote to memory of 4224 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e580c20.exe
PID 4916 wrote to memory of 4224 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e580c20.exe
PID 4916 wrote to memory of 4224 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e580c20.exe
PID 4224 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Windows\system32\fontdrvhost.exe
PID 4224 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Windows\system32\fontdrvhost.exe
PID 4224 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Windows\system32\dwm.exe
PID 4224 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Windows\system32\sihost.exe
PID 4224 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Windows\system32\svchost.exe
PID 4224 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Windows\system32\taskhostw.exe
PID 4224 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Windows\Explorer.EXE
PID 4224 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Windows\system32\svchost.exe
PID 4224 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Windows\system32\DllHost.exe
PID 4224 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4224 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Windows\System32\RuntimeBroker.exe
PID 4224 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4224 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Windows\System32\RuntimeBroker.exe
PID 4224 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4224 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4224 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4224 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4224 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4224 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4224 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Windows\System32\RuntimeBroker.exe
PID 4224 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4224 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4224 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Windows\system32\rundll32.exe
PID 4224 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Windows\SysWOW64\rundll32.exe
PID 4224 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Windows\SysWOW64\rundll32.exe
PID 4916 wrote to memory of 212 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e580d2a.exe
PID 4916 wrote to memory of 212 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e580d2a.exe
PID 4916 wrote to memory of 212 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e580d2a.exe
PID 4224 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Windows\system32\fontdrvhost.exe
PID 4224 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Windows\system32\fontdrvhost.exe
PID 4224 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Windows\system32\dwm.exe
PID 4224 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Windows\system32\sihost.exe
PID 4224 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Windows\system32\svchost.exe
PID 4224 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Windows\system32\taskhostw.exe
PID 4224 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Windows\Explorer.EXE
PID 4224 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Windows\system32\svchost.exe
PID 4224 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Windows\system32\DllHost.exe
PID 4224 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4224 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Windows\System32\RuntimeBroker.exe
PID 4224 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4224 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Windows\System32\RuntimeBroker.exe
PID 4224 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4224 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4224 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4224 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4224 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4224 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4224 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Windows\System32\RuntimeBroker.exe
PID 4224 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4224 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4224 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Windows\system32\rundll32.exe
PID 4224 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Users\Admin\AppData\Local\Temp\e580d2a.exe
PID 4224 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Users\Admin\AppData\Local\Temp\e580d2a.exe
PID 4224 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4224 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Windows\System32\RuntimeBroker.exe
PID 4224 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\e580c20.exe C:\Windows\System32\RuntimeBroker.exe
PID 4916 wrote to memory of 4496 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e583bac.exe
PID 4916 wrote to memory of 4496 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e583bac.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e580c20.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e583bac.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x25c,0x7ff9889bceb8,0x7ff9889bcec4,0x7ff9889bced0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2300,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=2296 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1936,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=2532 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2408,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=3312 /prefetch:8

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ebfca5eb1fe5314acf04624ea5227f80_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ebfca5eb1fe5314acf04624ea5227f80_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\e580c20.exe

C:\Users\Admin\AppData\Local\Temp\e580c20.exe

C:\Users\Admin\AppData\Local\Temp\e580d2a.exe

C:\Users\Admin\AppData\Local\Temp\e580d2a.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1504,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=1288 /prefetch:8

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e583bac.exe

C:\Users\Admin\AppData\Local\Temp\e583bac.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
BE 88.221.83.211:443 www.bing.com tcp
US 8.8.8.8:53 211.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/4916-1-0x0000000010000000-0x0000000010020000-memory.dmp

memory/4224-4-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e580c20.exe

MD5 83ba9a6df62dc7feaa3cd75a79cc5fcc
SHA1 37ed27be3fbbb254bc9f3aff2b5182c8b2d516a4
SHA256 11ca568df897952a6f1b3bd146adf2f1f47c4bf776f4a88a17a3a77e633b01c5
SHA512 4970493956aa717dd56d02eb30af0efbf79859eaa795137705fcf2b527d13c47db845774332096781639babad6a892df48580f096aac55c16e01ddbd78e9a6e6

memory/4224-6-0x0000000000770000-0x000000000182A000-memory.dmp

memory/4224-9-0x0000000000770000-0x000000000182A000-memory.dmp

memory/4916-16-0x00000000043C0000-0x00000000043C2000-memory.dmp

memory/4224-15-0x0000000001B10000-0x0000000001B11000-memory.dmp

memory/4916-13-0x0000000004A00000-0x0000000004A01000-memory.dmp

memory/4916-12-0x00000000043C0000-0x00000000043C2000-memory.dmp

memory/4224-11-0x0000000000770000-0x000000000182A000-memory.dmp

memory/4224-10-0x0000000000770000-0x000000000182A000-memory.dmp

memory/4224-28-0x0000000000770000-0x000000000182A000-memory.dmp

memory/4224-24-0x0000000000770000-0x000000000182A000-memory.dmp

memory/4916-32-0x00000000043C0000-0x00000000043C2000-memory.dmp

memory/212-31-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4224-25-0x0000000000770000-0x000000000182A000-memory.dmp

memory/4224-33-0x0000000000770000-0x000000000182A000-memory.dmp

memory/4224-34-0x0000000000770000-0x000000000182A000-memory.dmp

memory/4224-30-0x0000000001B00000-0x0000000001B02000-memory.dmp

memory/4224-26-0x0000000001B00000-0x0000000001B02000-memory.dmp

memory/4224-36-0x0000000000770000-0x000000000182A000-memory.dmp

memory/4224-35-0x0000000000770000-0x000000000182A000-memory.dmp

memory/4224-37-0x0000000000770000-0x000000000182A000-memory.dmp

memory/4224-38-0x0000000000770000-0x000000000182A000-memory.dmp

memory/4224-39-0x0000000000770000-0x000000000182A000-memory.dmp

memory/4224-40-0x0000000000770000-0x000000000182A000-memory.dmp

memory/212-42-0x0000000000870000-0x0000000000871000-memory.dmp

memory/212-43-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/212-44-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/4224-46-0x0000000000770000-0x000000000182A000-memory.dmp

memory/4496-54-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4224-55-0x0000000000770000-0x000000000182A000-memory.dmp

memory/4224-56-0x0000000000770000-0x000000000182A000-memory.dmp

memory/4224-58-0x0000000000770000-0x000000000182A000-memory.dmp

memory/4224-59-0x0000000000770000-0x000000000182A000-memory.dmp

memory/4224-61-0x0000000000770000-0x000000000182A000-memory.dmp

memory/4224-62-0x0000000000770000-0x000000000182A000-memory.dmp

memory/4224-65-0x0000000000770000-0x000000000182A000-memory.dmp

memory/4224-76-0x0000000001B00000-0x0000000001B02000-memory.dmp

memory/4224-68-0x0000000000770000-0x000000000182A000-memory.dmp

memory/212-89-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4224-85-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 b0cf52e579f853c386bfca5ebd48c7ba
SHA1 38b17cffb60221f4dbdbe6cc4015fc15b0952778
SHA256 df9471032810e7142b411715658c7e0675f8b0ac9f5e2b8a154e8a44aa0bc973
SHA512 9429207fa47b8ebc652dc5c250fa2480fd84c55e1b53ff10352cde155ba27b91a36e5cafdf0ff0613423e998863578174e5fe02e9778ca71294c31ee7c56ff07

memory/4496-95-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4496-101-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4496-108-0x0000000001BC0000-0x0000000001BC1000-memory.dmp

memory/4496-107-0x0000000001BB0000-0x0000000001BB2000-memory.dmp

memory/4496-144-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4496-145-0x00000000007B0000-0x000000000186A000-memory.dmp