Malware Analysis Report

2024-09-11 12:48

Sample ID 240611-2vgnmsvflj
Target 0a8fa5e8e0eb0ad7e0cac93d9cb974d0_NeikiAnalytics.exe
SHA256 8a502125238d7f5bc13932a0b4aab6207313a53e60db95007ee5a813ec79edc1
Tags: sality backdoor evasion trojan upx
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 8a502125238d7f5bc13932a0b4aab6207313a53e60db95007ee5a813ec79edc1

Threat Level: Known bad

The file 0a8fa5e8e0eb0ad7e0cac93d9cb974d0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Sality

UAC bypass

Windows security bypass

Modifies firewall policy service

Loads dropped DLL

Windows security modification

UPX packed file

Executes dropped EXE

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System policy modification

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-11 22:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-11 22:53
Reported: 2024-06-11 22:56
Platform: win7-20240419-en
Max time kernel: 118s
Max time network: 122s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f761fe0 C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
File created C:\Windows\f767031 C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2392 wrote to memory of 876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2392 wrote to memory of 876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2392 wrote to memory of 876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2392 wrote to memory of 876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2392 wrote to memory of 876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2392 wrote to memory of 876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2392 wrote to memory of 876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 876 wrote to memory of 2412 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761f63.exe
PID 876 wrote to memory of 2412 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761f63.exe
PID 876 wrote to memory of 2412 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761f63.exe
PID 876 wrote to memory of 2412 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761f63.exe
PID 2412 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\f761f63.exe C:\Windows\system32\taskhost.exe
PID 2412 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\f761f63.exe C:\Windows\system32\Dwm.exe
PID 2412 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\f761f63.exe C:\Windows\Explorer.EXE
PID 2412 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\f761f63.exe C:\Windows\system32\DllHost.exe
PID 2412 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\f761f63.exe C:\Windows\system32\rundll32.exe
PID 2412 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\f761f63.exe C:\Windows\SysWOW64\rundll32.exe
PID 2412 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\f761f63.exe C:\Windows\SysWOW64\rundll32.exe
PID 876 wrote to memory of 2924 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762194.exe
PID 876 wrote to memory of 2924 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762194.exe
PID 876 wrote to memory of 2924 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762194.exe
PID 876 wrote to memory of 2924 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762194.exe
PID 876 wrote to memory of 3020 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763acf.exe
PID 876 wrote to memory of 3020 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763acf.exe
PID 876 wrote to memory of 3020 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763acf.exe
PID 876 wrote to memory of 3020 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763acf.exe
PID 2412 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\f761f63.exe C:\Windows\system32\taskhost.exe
PID 2412 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\f761f63.exe C:\Windows\system32\Dwm.exe
PID 2412 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\f761f63.exe C:\Windows\Explorer.EXE
PID 2412 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\f761f63.exe C:\Users\Admin\AppData\Local\Temp\f762194.exe
PID 2412 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\f761f63.exe C:\Users\Admin\AppData\Local\Temp\f762194.exe
PID 2412 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\f761f63.exe C:\Users\Admin\AppData\Local\Temp\f763acf.exe
PID 2412 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\f761f63.exe C:\Users\Admin\AppData\Local\Temp\f763acf.exe
PID 3020 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\f763acf.exe C:\Windows\system32\taskhost.exe
PID 3020 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\f763acf.exe C:\Windows\system32\Dwm.exe
PID 3020 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\f763acf.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761f63.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763acf.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0a8fa5e8e0eb0ad7e0cac93d9cb974d0_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0a8fa5e8e0eb0ad7e0cac93d9cb974d0_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\f761f63.exe

C:\Users\Admin\AppData\Local\Temp\f761f63.exe

C:\Users\Admin\AppData\Local\Temp\f762194.exe

C:\Users\Admin\AppData\Local\Temp\f762194.exe

C:\Users\Admin\AppData\Local\Temp\f763acf.exe

C:\Users\Admin\AppData\Local\Temp\f763acf.exe

Network

N/A

Files

memory/876-1-0x0000000010000000-0x0000000010020000-memory.dmp

\Users\Admin\AppData\Local\Temp\f761f63.exe

MD5 d96afdff464bda57fa5ac1a3b2b0c52f
SHA1 023e5e7fb1c33636f2862346b3a2bde42879778b
SHA256 ce7ce0912f3b0c5a579e3352fbccc8ac0e1f3a564ffd9ce8ce851abc8093c861
SHA512 75f12ea0598bf4043e20aacc38b1cf4218e68e0211541a504d1029c09c6e546cf6f4bf14bdf30c1ec759b40d836127274056ac0af7df3f2e2f3f662d8c67df0e

memory/876-9-0x00000000000C0000-0x00000000000D2000-memory.dmp

memory/876-8-0x00000000000C0000-0x00000000000D2000-memory.dmp

memory/2412-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2412-12-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2412-14-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2412-15-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/876-40-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2924-53-0x0000000000400000-0x0000000000412000-memory.dmp

memory/876-51-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/876-50-0x00000000002E0000-0x00000000002F2000-memory.dmp

memory/876-49-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2412-18-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2412-38-0x0000000003030000-0x0000000003031000-memory.dmp

memory/876-30-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/876-29-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1088-21-0x00000000020F0000-0x00000000020F2000-memory.dmp

memory/2412-17-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2412-41-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2412-19-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2412-20-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2412-39-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2412-16-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2412-54-0x00000000017B0000-0x00000000017B2000-memory.dmp

memory/2412-56-0x00000000017B0000-0x00000000017B2000-memory.dmp

memory/2412-61-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2412-62-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2412-63-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2412-64-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2412-65-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2412-67-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/876-78-0x00000000000C0000-0x00000000000C2000-memory.dmp

memory/876-76-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3020-80-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2412-81-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2412-82-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2412-84-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2412-86-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2924-96-0x0000000000220000-0x0000000000222000-memory.dmp

memory/2924-103-0x0000000000220000-0x0000000000222000-memory.dmp

memory/3020-104-0x00000000003E0000-0x00000000003E2000-memory.dmp

memory/3020-102-0x00000000003E0000-0x00000000003E2000-memory.dmp

memory/3020-101-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2924-95-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2412-105-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2412-152-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2412-151-0x00000000005F0000-0x00000000016AA000-memory.dmp

memory/2412-150-0x00000000017B0000-0x00000000017B2000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 03d0b37000d9f1c506edb14c7ec33056
SHA1 ea869e9772065c80a1380ce27bfca760f4b0970c
SHA256 f9d33e2ca01b900b2f24bc05ee63d08c90afef0574f7d22ddb9e09cf47461efc
SHA512 ff37c93057a3e1fd54187d4b8232fa78ff7f9e376c0323e412309e61c17eac013d33cf30ba02e84700f529eef582321ebad912ad74fc0a5bb630bacd4b313848

memory/2924-163-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3020-169-0x0000000000910000-0x00000000019CA000-memory.dmp

memory/3020-207-0x0000000000910000-0x00000000019CA000-memory.dmp

memory/3020-206-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-11 22:53
Reported: 2024-06-11 22:56
Platform: win10v2004-20240611-en
Max time kernel: 122s
Max time network: 126s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e5737e8.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e5737e8.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e5737e8.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e57609e.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e57609e.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e57609e.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57609e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5737e8.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5737e8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57609e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57609e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57609e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57609e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5737e8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5737e8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5737e8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57609e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57609e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5737e8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5737e8.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5737e8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57609e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57609e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57609e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57609e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5737e8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5737e8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5737e8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e5737e8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57609e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5737e8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57609e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57609e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5737e8.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57609e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5737e8.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e5737e8.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e5737e8.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e5737e8.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e57609e.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e57609e.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e5737e8.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e5737e8.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e5737e8.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e57609e.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e5737e8.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e5737e8.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e57609e.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e5737e8.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e5737e8.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e5737e8.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e5737e8.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e57609e.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\e5737e8.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e5737e8.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e5737e8.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e5737e8.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e573827 C:\Users\Admin\AppData\Local\Temp\e5737e8.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e5737e8.exe N/A
File created C:\Windows\e57882b C:\Users\Admin\AppData\Local\Temp\e57609e.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5737e8.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2344 wrote to memory of 4976 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4976 wrote to memory of 632 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5737e8.exe
PID 632 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\e5737e8.exe C:\Windows\system32\fontdrvhost.exe
PID 632 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\e5737e8.exe C:\Windows\system32\fontdrvhost.exe
PID 632 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\e5737e8.exe C:\Windows\system32\dwm.exe
PID 632 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\e5737e8.exe C:\Windows\system32\sihost.exe
PID 632 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\e5737e8.exe C:\Windows\system32\svchost.exe
PID 632 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\e5737e8.exe C:\Windows\system32\taskhostw.exe
PID 632 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\e5737e8.exe C:\Windows\Explorer.EXE
PID 632 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\e5737e8.exe C:\Windows\system32\svchost.exe
PID 632 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\e5737e8.exe C:\Windows\system32\DllHost.exe
PID 632 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\e5737e8.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 632 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\e5737e8.exe C:\Windows\System32\RuntimeBroker.exe
PID 632 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\e5737e8.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 632 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\e5737e8.exe C:\Windows\System32\RuntimeBroker.exe
PID 632 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\e5737e8.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 632 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\e5737e8.exe C:\Windows\System32\RuntimeBroker.exe
PID 632 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\e5737e8.exe C:\Windows\system32\backgroundTaskHost.exe
PID 632 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\e5737e8.exe C:\Windows\system32\backgroundTaskHost.exe
PID 632 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\e5737e8.exe C:\Windows\system32\BackgroundTaskHost.exe
PID 632 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\e5737e8.exe C:\Windows\system32\rundll32.exe
PID 632 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\e5737e8.exe C:\Windows\SysWOW64\rundll32.exe
PID 632 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\e5737e8.exe C:\Windows\SysWOW64\rundll32.exe
PID 4976 wrote to memory of 4396 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e573930.exe
PID 4976 wrote to memory of 3268 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57609e.exe
PID 632 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\e5737e8.exe C:\Users\Admin\AppData\Local\Temp\e573930.exe
PID 632 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\e5737e8.exe C:\Windows\System32\RuntimeBroker.exe
PID 632 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\e5737e8.exe C:\Windows\System32\RuntimeBroker.exe
PID 632 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\e5737e8.exe C:\Users\Admin\AppData\Local\Temp\e57609e.exe
PID 3268 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\e57609e.exe C:\Windows\system32\fontdrvhost.exe
PID 3268 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\e57609e.exe C:\Windows\system32\fontdrvhost.exe
PID 3268 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\e57609e.exe C:\Windows\system32\dwm.exe
PID 3268 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\e57609e.exe C:\Windows\system32\sihost.exe
PID 3268 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\e57609e.exe C:\Windows\system32\svchost.exe
PID 3268 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\e57609e.exe C:\Windows\system32\taskhostw.exe
PID 3268 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\e57609e.exe C:\Windows\Explorer.EXE
PID 3268 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\e57609e.exe C:\Windows\system32\svchost.exe
PID 3268 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\e57609e.exe C:\Windows\system32\DllHost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5737e8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57609e.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\BackgroundTaskHost.exe

"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0a8fa5e8e0eb0ad7e0cac93d9cb974d0_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0a8fa5e8e0eb0ad7e0cac93d9cb974d0_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\e5737e8.exe

C:\Users\Admin\AppData\Local\Temp\e5737e8.exe

C:\Users\Admin\AppData\Local\Temp\e573930.exe

C:\Users\Admin\AppData\Local\Temp\e573930.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e57609e.exe

C:\Users\Admin\AppData\Local\Temp\e57609e.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\e5737e8.exe

MD5 d96afdff464bda57fa5ac1a3b2b0c52f
SHA1 023e5e7fb1c33636f2862346b3a2bde42879778b
SHA256 ce7ce0912f3b0c5a579e3352fbccc8ac0e1f3a564ffd9ce8ce851abc8093c861
SHA512 75f12ea0598bf4043e20aacc38b1cf4218e68e0211541a504d1029c09c6e546cf6f4bf14bdf30c1ec759b40d836127274056ac0af7df3f2e2f3f662d8c67df0e

C:\Windows\SYSTEM.INI

MD5 a760a648911800e9154bae93cb468f17
SHA1 d96e1a2ee872a7c5db4130286e3faf6b46da4af3
SHA256 12c2431221be006f8c5f0b09443647a87f242cbb783bb39c789372bcb21b2275
SHA512 5f1c2ae7478096cd53946e2be975c1306200ea6b30d5110267a127d3ec7656349b465562caab4d967bb32d743f8962a4d5115c995ac5d008740ebdece678d6bb
