Malware Analysis Report

2024-09-11 12:58

Sample ID 240612-1pfzgs1hqh
Target 4705fbd0f91a34ad833a8ea5bfdc85d0_NeikiAnalytics.exe
SHA256 ce5637b98e6fbbf66f9197829a977ed8e92b15272fd4b6ae218eba6a9d357403
Tags
sality backdoor evasion trojan upx
score
10/10


Analysis Overview

score
10/10

SHA256

ce5637b98e6fbbf66f9197829a977ed8e92b15272fd4b6ae218eba6a9d357403

Threat Level: Known bad

The file 4705fbd0f91a34ad833a8ea5bfdc85d0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

UAC bypass

Sality

Windows security bypass

Modifies firewall policy service

Windows security modification

Executes dropped EXE

UPX packed file

Loads dropped DLL

Enumerates connected drives

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-12 21:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 21:49

Reported

2024-06-12 21:51

Platform

win7-20240221-en

Max time kernel

118s

Max time network

120s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f7651b8.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f763285.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f763285.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f763285.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f7651b8.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f7651b8.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763285.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7651b8.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763285.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763285.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763285.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7651b8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7651b8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7651b8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763285.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763285.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7651b8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7651b8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7651b8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763285.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A [25 identical rows collapsed]

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763285.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763285.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f7651b8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763285.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763285.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7651b8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7651b8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763285.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f763285.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7651b8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7651b8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763285.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7651b8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7651b8.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763285.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7651b8.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f763285.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f763285.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f763285.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f763285.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f7651b8.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f7651b8.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f763285.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f763285.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f763285.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f763285.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f7651b8.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f763285.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f763285.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f763285.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f7651b8.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f763285.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f763285.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f763285.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f7632f2 C:\Users\Admin\AppData\Local\Temp\f763285.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f763285.exe N/A
File created C:\Windows\f76845c C:\Users\Admin\AppData\Local\Temp\f7651b8.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f763285.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f763285.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f7651b8.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763285.exe N/A [21 identical rows collapsed]
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7651b8.exe N/A [20 identical rows collapsed]

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2008 wrote to memory of 2772 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe [7 identical rows collapsed]
PID 2772 wrote to memory of 2424 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763285.exe [4 identical rows collapsed]
PID 2424 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\f763285.exe C:\Windows\system32\taskhost.exe
PID 2424 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\f763285.exe C:\Windows\system32\Dwm.exe
PID 2424 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\f763285.exe C:\Windows\Explorer.EXE
PID 2424 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\f763285.exe C:\Windows\system32\DllHost.exe
PID 2424 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\f763285.exe C:\Windows\system32\rundll32.exe
PID 2424 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\f763285.exe C:\Windows\SysWOW64\rundll32.exe [2 identical rows collapsed]
PID 2772 wrote to memory of 2352 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7634e6.exe [4 identical rows collapsed]
PID 2772 wrote to memory of 1476 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7651b8.exe [4 identical rows collapsed]
PID 2424 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\f763285.exe C:\Windows\system32\taskhost.exe
PID 2424 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\f763285.exe C:\Windows\system32\Dwm.exe
PID 2424 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\f763285.exe C:\Windows\Explorer.EXE
PID 2424 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\f763285.exe C:\Users\Admin\AppData\Local\Temp\f7634e6.exe [2 identical rows collapsed]
PID 2424 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\f763285.exe C:\Users\Admin\AppData\Local\Temp\f7651b8.exe [2 identical rows collapsed]
PID 1476 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\f7651b8.exe C:\Windows\system32\taskhost.exe
PID 1476 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\f7651b8.exe C:\Windows\system32\Dwm.exe
PID 1476 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\f7651b8.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763285.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7651b8.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4705fbd0f91a34ad833a8ea5bfdc85d0_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4705fbd0f91a34ad833a8ea5bfdc85d0_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\f763285.exe

C:\Users\Admin\AppData\Local\Temp\f763285.exe

C:\Users\Admin\AppData\Local\Temp\f7634e6.exe

C:\Users\Admin\AppData\Local\Temp\f7634e6.exe

C:\Users\Admin\AppData\Local\Temp\f7651b8.exe

C:\Users\Admin\AppData\Local\Temp\f7651b8.exe

Network

N/A

Files

memory/2772-1-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f763285.exe

MD5 4c40d6a8d2436eb0b03a3daa5b96372f
SHA1 9174fcefbd00058097661f51a0225b511a490a8f
SHA256 b4147d83b67a3d0e618cb37dc489bfc0a194ac4af32f5be509c31f8752087334
SHA512 4ea629f10d6152846059052251ef05a813f754a36b3651f938bd6ddd0c49a78a5ccd5e18c34ca125c2524e657a966a5136007a6408ea627f99941a8e3679ec6c

memory/2424-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2772-10-0x00000000001A0000-0x00000000001B2000-memory.dmp

memory/2772-9-0x00000000001A0000-0x00000000001B2000-memory.dmp

memory/2424-17-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2424-12-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2424-20-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2424-14-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2424-19-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2424-18-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2424-16-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2424-15-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2424-45-0x00000000004E0000-0x00000000004E1000-memory.dmp

memory/2772-51-0x0000000000220000-0x0000000000232000-memory.dmp

memory/2424-50-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/2424-47-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/2772-39-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2772-37-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2772-36-0x00000000001C0000-0x00000000001C2000-memory.dmp

memory/1060-24-0x0000000001F50000-0x0000000001F52000-memory.dmp

memory/2424-22-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2424-21-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2772-57-0x00000000001C0000-0x00000000001C2000-memory.dmp

memory/2352-62-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2772-61-0x00000000001C0000-0x00000000001C2000-memory.dmp

memory/2772-60-0x0000000000220000-0x0000000000232000-memory.dmp

memory/2424-52-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2424-63-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2424-58-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2424-65-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2424-64-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2424-67-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2424-68-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2424-69-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2424-70-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2424-75-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/1476-85-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2424-83-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2772-80-0x00000000001C0000-0x00000000001C2000-memory.dmp

memory/2424-100-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/1476-102-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2352-101-0x0000000000360000-0x0000000000362000-memory.dmp

memory/1476-99-0x0000000000260000-0x0000000000262000-memory.dmp

memory/1476-98-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2352-94-0x00000000003B0000-0x00000000003B1000-memory.dmp

memory/2424-148-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2424-147-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 9681c4d3a13bd87600698cd5205a753b
SHA1 44cfa1785f121f84ce0e1d247cfb9e164200b893
SHA256 ad860c3dd9a9eaf4d1002524f667a6be96cb41ebbd115a2dc500b95cceed778c
SHA512 bc627de67b70159a7d4b120ee8c6834fd8cf489a7e4940b9ff453924aaa99b9b7f956f9eeb8fa28eb54447df9fc489b5ef60db95d7019d5fa9889b6ca5c4050b

memory/1476-160-0x0000000000940000-0x00000000019FA000-memory.dmp

memory/2352-177-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1476-207-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1476-206-0x0000000000940000-0x00000000019FA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 21:49

Reported

2024-06-12 21:51

Platform

win10v2004-20240508-en

Max time kernel

42s

Max time network

52s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e576d21.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e576d21.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e576d21.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e576d21.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e576d21.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576d21.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576d21.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576d21.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e576d21.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576d21.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A [34 identical rows collapsed]

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e576d21.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576d21.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e576d21.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e576d21.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576d21.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576d21.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576d21.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e576d21.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e576d21.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e576d21.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e57517b C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
File created C:\Windows\e57a21c C:\Users\Admin\AppData\Local\Temp\e576d21.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1148 wrote to memory of 2984 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1148 wrote to memory of 2984 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1148 wrote to memory of 2984 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2984 wrote to memory of 4936 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57513d.exe
PID 2984 wrote to memory of 4936 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57513d.exe
PID 2984 wrote to memory of 4936 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57513d.exe
PID 4936 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Windows\system32\fontdrvhost.exe
PID 4936 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Windows\system32\fontdrvhost.exe
PID 4936 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Windows\system32\dwm.exe
PID 4936 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Windows\system32\sihost.exe
PID 4936 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Windows\system32\svchost.exe
PID 4936 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Windows\system32\taskhostw.exe
PID 4936 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Windows\Explorer.EXE
PID 4936 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Windows\system32\svchost.exe
PID 4936 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Windows\system32\DllHost.exe
PID 4936 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4936 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Windows\System32\RuntimeBroker.exe
PID 4936 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4936 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Windows\System32\RuntimeBroker.exe
PID 4936 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Windows\System32\RuntimeBroker.exe
PID 4936 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4936 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4936 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Windows\system32\rundll32.exe
PID 4936 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Windows\SysWOW64\rundll32.exe
PID 4936 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Windows\SysWOW64\rundll32.exe
PID 2984 wrote to memory of 3264 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5752c3.exe
PID 2984 wrote to memory of 3264 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5752c3.exe
PID 2984 wrote to memory of 3264 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5752c3.exe
PID 2984 wrote to memory of 1876 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576d02.exe
PID 2984 wrote to memory of 1876 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576d02.exe
PID 2984 wrote to memory of 1876 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576d02.exe
PID 2984 wrote to memory of 3280 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576d21.exe
PID 2984 wrote to memory of 3280 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576d21.exe
PID 2984 wrote to memory of 3280 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576d21.exe
PID 4936 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Windows\system32\fontdrvhost.exe
PID 4936 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Windows\system32\fontdrvhost.exe
PID 4936 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Windows\system32\dwm.exe
PID 4936 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Windows\system32\sihost.exe
PID 4936 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Windows\system32\svchost.exe
PID 4936 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Windows\system32\taskhostw.exe
PID 4936 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Windows\Explorer.EXE
PID 4936 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Windows\system32\svchost.exe
PID 4936 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Windows\system32\DllHost.exe
PID 4936 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4936 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Windows\System32\RuntimeBroker.exe
PID 4936 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4936 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Windows\System32\RuntimeBroker.exe
PID 4936 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Windows\System32\RuntimeBroker.exe
PID 4936 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4936 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Users\Admin\AppData\Local\Temp\e5752c3.exe
PID 4936 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Users\Admin\AppData\Local\Temp\e5752c3.exe
PID 4936 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Windows\System32\RuntimeBroker.exe
PID 4936 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Windows\System32\RuntimeBroker.exe
PID 4936 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Users\Admin\AppData\Local\Temp\e576d02.exe
PID 4936 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Users\Admin\AppData\Local\Temp\e576d02.exe
PID 4936 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Users\Admin\AppData\Local\Temp\e576d21.exe
PID 4936 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\e57513d.exe C:\Users\Admin\AppData\Local\Temp\e576d21.exe
PID 3280 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\e576d21.exe C:\Windows\system32\fontdrvhost.exe
PID 3280 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\e576d21.exe C:\Windows\system32\fontdrvhost.exe
PID 3280 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\e576d21.exe C:\Windows\system32\dwm.exe
PID 3280 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\e576d21.exe C:\Windows\system32\sihost.exe
PID 3280 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\e576d21.exe C:\Windows\system32\svchost.exe
PID 3280 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\e576d21.exe C:\Windows\system32\taskhostw.exe
PID 3280 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\e576d21.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57513d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e576d21.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4705fbd0f91a34ad833a8ea5bfdc85d0_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4705fbd0f91a34ad833a8ea5bfdc85d0_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\e57513d.exe

C:\Users\Admin\AppData\Local\Temp\e57513d.exe

C:\Users\Admin\AppData\Local\Temp\e5752c3.exe

C:\Users\Admin\AppData\Local\Temp\e5752c3.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e576d02.exe

C:\Users\Admin\AppData\Local\Temp\e576d02.exe

C:\Users\Admin\AppData\Local\Temp\e576d21.exe

C:\Users\Admin\AppData\Local\Temp\e576d21.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/2984-2-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e57513d.exe

MD5 4c40d6a8d2436eb0b03a3daa5b96372f
SHA1 9174fcefbd00058097661f51a0225b511a490a8f
SHA256 b4147d83b67a3d0e618cb37dc489bfc0a194ac4af32f5be509c31f8752087334
SHA512 4ea629f10d6152846059052251ef05a813f754a36b3651f938bd6ddd0c49a78a5ccd5e18c34ca125c2524e657a966a5136007a6408ea627f99941a8e3679ec6c

memory/4936-5-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4936-10-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4936-11-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4936-17-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/2984-27-0x0000000003960000-0x0000000003961000-memory.dmp

memory/2984-26-0x0000000003950000-0x0000000003952000-memory.dmp

memory/4936-28-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4936-18-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4936-34-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/3264-32-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4936-31-0x0000000001BB0000-0x0000000001BB2000-memory.dmp

memory/4936-23-0x0000000001BC0000-0x0000000001BC1000-memory.dmp

memory/4936-29-0x0000000001BB0000-0x0000000001BB2000-memory.dmp

memory/2984-19-0x0000000003950000-0x0000000003952000-memory.dmp

memory/2984-20-0x0000000003950000-0x0000000003952000-memory.dmp

memory/4936-9-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4936-8-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4936-6-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4936-35-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4936-36-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4936-37-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4936-38-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4936-39-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4936-40-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4936-42-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4936-43-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/3280-56-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1876-53-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4936-57-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4936-59-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4936-60-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/3280-68-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/3280-73-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1876-72-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3264-71-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3280-70-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1876-69-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1876-66-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/3264-65-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4936-74-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/3264-63-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/4936-76-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4936-79-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4936-81-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4936-82-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4936-83-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4936-85-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4936-88-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4936-89-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4936-90-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4936-92-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/4936-105-0x0000000001BB0000-0x0000000001BB2000-memory.dmp

memory/4936-99-0x00000000007F0000-0x00000000018AA000-memory.dmp

memory/3264-119-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4936-120-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 e244ece1244764ef5c2f22bfc91cfadf
SHA1 2d13e86b80505ada09b145904527bf0143b351fc
SHA256 e6865dc49f58a08f580a06390e4da419952442965122fddb1c823c21265d5999
SHA512 1c087d4466421744b3008ed9f41422c5fc064913996dd9a3ea7b6b0d6f6388fef465c42c30e301edf6380340a8c146aa7c5b8235076f8fb2a7a2edeac3ea74ed

memory/3280-137-0x0000000000B60000-0x0000000001C1A000-memory.dmp

memory/1876-149-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3280-169-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3280-168-0x0000000000B60000-0x0000000001C1A000-memory.dmp