Malware Analysis Report

2024-09-11 12:59

Sample ID 240612-am7fjswfrf
Target 102d3b22eefd5c3406ba043ec3915d00_NeikiAnalytics.exe
SHA256 b8a436e61152539fc293894359a5a1e283ff6dc71d203cd003c04132e8dd25bc
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b8a436e61152539fc293894359a5a1e283ff6dc71d203cd003c04132e8dd25bc

Threat Level: Known bad

The file 102d3b22eefd5c3406ba043ec3915d00_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Sality

UAC bypass

Windows security bypass

Modifies firewall policy service

UPX packed file

Windows security modification

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

System policy modification

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-12 00:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 00:20

Reported

2024-06-12 00:23

Platform

win7-20231129-en

Max time kernel

119s

Max time network

120s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f760f2d.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f762ab8.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f762ab8.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f762ab8.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f760f2d.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f760f2d.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760f2d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f762ab8.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762ab8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762ab8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762ab8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762ab8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762ab8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760f2d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760f2d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760f2d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760f2d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760f2d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762ab8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760f2d.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760f2d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760f2d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760f2d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760f2d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762ab8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762ab8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762ab8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760f2d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762ab8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f762ab8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760f2d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f760f2d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762ab8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762ab8.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760f2d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f762ab8.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f760f2d.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f760f2d.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f760f2d.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f760f2d.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f762ab8.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f760f2d.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f760f2d.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f760f2d.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f760f2d.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f760f2d.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f760f2d.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f760f2d.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f760f2d.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f760f7b C:\Users\Admin\AppData\Local\Temp\f760f2d.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f760f2d.exe N/A
File created C:\Windows\f766114 C:\Users\Admin\AppData\Local\Temp\f762ab8.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f760f2d.exe N/A (2 identical events)
N/A N/A C:\Users\Admin\AppData\Local\Temp\f762ab8.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760f2d.exe N/A (21 identical events)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762ab8.exe N/A (20 identical events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1368 wrote to memory of 2392 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (7 identical events)
PID 2392 wrote to memory of 1956 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760f2d.exe (4 identical events)
PID 1956 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\f760f2d.exe C:\Windows\system32\taskhost.exe
PID 1956 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\f760f2d.exe C:\Windows\system32\Dwm.exe
PID 1956 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\f760f2d.exe C:\Windows\Explorer.EXE
PID 1956 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\f760f2d.exe C:\Windows\system32\DllHost.exe
PID 1956 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\f760f2d.exe C:\Windows\system32\rundll32.exe
PID 1956 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\f760f2d.exe C:\Windows\SysWOW64\rundll32.exe (2 identical events)
PID 2392 wrote to memory of 2724 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761094.exe (4 identical events)
PID 2392 wrote to memory of 2488 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762ab8.exe (4 identical events)
PID 1956 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\f760f2d.exe C:\Windows\system32\taskhost.exe
PID 1956 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\f760f2d.exe C:\Windows\system32\Dwm.exe
PID 1956 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\f760f2d.exe C:\Windows\Explorer.EXE
PID 1956 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\f760f2d.exe C:\Users\Admin\AppData\Local\Temp\f761094.exe (2 identical events)
PID 1956 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\f760f2d.exe C:\Users\Admin\AppData\Local\Temp\f762ab8.exe (2 identical events)
PID 2488 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\f762ab8.exe C:\Windows\system32\taskhost.exe
PID 2488 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\f762ab8.exe C:\Windows\system32\Dwm.exe
PID 2488 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\f762ab8.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760f2d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f762ab8.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\102d3b22eefd5c3406ba043ec3915d00_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\102d3b22eefd5c3406ba043ec3915d00_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\f760f2d.exe

C:\Users\Admin\AppData\Local\Temp\f760f2d.exe

C:\Users\Admin\AppData\Local\Temp\f761094.exe

C:\Users\Admin\AppData\Local\Temp\f761094.exe

C:\Users\Admin\AppData\Local\Temp\f762ab8.exe

C:\Users\Admin\AppData\Local\Temp\f762ab8.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\f760f2d.exe

MD5 d74b294d0d8779b0347fedfd0422a51e
SHA1 f59c08c359287a805d5c0cba9259505b6dca2983
SHA256 87bfa9e30c5123c33f2fa2ad7a2f7371f49a37bbb7c7fc4ce8d1e8f0bff10249
SHA512 4ea317398447c0bb3192682f73411024fe9fa82aa610d8932acb8acea78c0f1e61406e4f13e86ef5a3242ed385f6ab934a1b05abc0b5e894947a99e9ab3899e7

C:\Windows\SYSTEM.INI

MD5 c9293b14a877a7f174c0757fb20649b1
SHA1 9c6da119554a3c01458cd35ee73ea5dc3b5e0a4b
SHA256 5c622c15bc2353acaf9c062a64ed79197d001ca9f590494e6669699621ef6e7d
SHA512 c5559d08beca6b9aafbe62055a34a72c3f1ec26ff561c575dcf9b7a88ac5b3b2309b0e4169e86b5d3baa7e8ceb7a6985e6d4e03791f74587029c15cd9fff9a08

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 00:20

Reported

2024-06-12 00:23

Platform

win10v2004-20240611-en

Max time kernel

94s

Max time network

126s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e5732e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e5732e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e5732e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e5753ec.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e5753ec.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e5753ec.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5753ec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5732e7.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5732e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5732e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5732e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5753ec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5753ec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5753ec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5753ec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5753ec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5732e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5732e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5732e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5753ec.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5732e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5753ec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5753ec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5753ec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5732e7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e5732e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5753ec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e5753ec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5732e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5753ec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5732e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5732e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5753ec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5732e7.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5753ec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5732e7.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e5732e7.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e5732e7.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e5753ec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e5753ec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e5732e7.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e5732e7.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e5732e7.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e5732e7.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e5732e7.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e5732e7.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e5732e7.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e5732e7.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e5732e7.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e5732e7.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e5753ec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e5732e7.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e5732e7.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e5732e7.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e573335 C:\Users\Admin\AppData\Local\Temp\e5732e7.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e5732e7.exe N/A
File created C:\Windows\e578472 C:\Users\Admin\AppData\Local\Temp\e5753ec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5732e7.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4856 wrote to memory of 2076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2076 wrote to memory of 1132 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5732e7.exe
PID 1132 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\e5732e7.exe C:\Windows\system32\fontdrvhost.exe
PID 1132 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\e5732e7.exe C:\Windows\system32\fontdrvhost.exe
PID 1132 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\e5732e7.exe C:\Windows\system32\dwm.exe
PID 1132 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\e5732e7.exe C:\Windows\system32\sihost.exe
PID 1132 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\e5732e7.exe C:\Windows\system32\svchost.exe
PID 1132 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\e5732e7.exe C:\Windows\system32\taskhostw.exe
PID 1132 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\e5732e7.exe C:\Windows\Explorer.EXE
PID 1132 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\e5732e7.exe C:\Windows\system32\svchost.exe
PID 1132 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\e5732e7.exe C:\Windows\system32\DllHost.exe
PID 1132 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\e5732e7.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1132 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\e5732e7.exe C:\Windows\System32\RuntimeBroker.exe
PID 1132 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\e5732e7.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1132 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\e5732e7.exe C:\Windows\System32\RuntimeBroker.exe
PID 1132 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\e5732e7.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1132 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\e5732e7.exe C:\Windows\System32\RuntimeBroker.exe
PID 1132 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\e5732e7.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1132 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\e5732e7.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1132 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\e5732e7.exe C:\Windows\system32\rundll32.exe
PID 1132 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\e5732e7.exe C:\Windows\SysWOW64\rundll32.exe
PID 1132 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\e5732e7.exe C:\Windows\SysWOW64\rundll32.exe
PID 1132 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\e5732e7.exe C:\Windows\system32\BackgroundTaskHost.exe
PID 2076 wrote to memory of 388 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57344e.exe
PID 2076 wrote to memory of 2272 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5753ec.exe
PID 1132 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\e5732e7.exe C:\Users\Admin\AppData\Local\Temp\e57344e.exe
PID 1132 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\e5732e7.exe C:\Windows\System32\RuntimeBroker.exe
PID 1132 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\e5732e7.exe C:\Windows\System32\RuntimeBroker.exe
PID 1132 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\e5732e7.exe C:\Users\Admin\AppData\Local\Temp\e5753ec.exe
PID 2272 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\e5753ec.exe C:\Windows\system32\fontdrvhost.exe
PID 2272 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\e5753ec.exe C:\Windows\system32\fontdrvhost.exe
PID 2272 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\e5753ec.exe C:\Windows\system32\dwm.exe
PID 2272 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\e5753ec.exe C:\Windows\system32\sihost.exe
PID 2272 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\e5753ec.exe C:\Windows\system32\svchost.exe
PID 2272 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\e5753ec.exe C:\Windows\system32\taskhostw.exe
PID 2272 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\e5753ec.exe C:\Windows\Explorer.EXE
PID 2272 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\e5753ec.exe C:\Windows\system32\svchost.exe
PID 2272 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\e5753ec.exe C:\Windows\system32\DllHost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5732e7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5753ec.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\102d3b22eefd5c3406ba043ec3915d00_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\102d3b22eefd5c3406ba043ec3915d00_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\e5732e7.exe

C:\Users\Admin\AppData\Local\Temp\e5732e7.exe

C:\Windows\system32\BackgroundTaskHost.exe

"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider

C:\Users\Admin\AppData\Local\Temp\e57344e.exe

C:\Users\Admin\AppData\Local\Temp\e57344e.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e5753ec.exe

C:\Users\Admin\AppData\Local\Temp\e5753ec.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\e5732e7.exe

MD5 d74b294d0d8779b0347fedfd0422a51e
SHA1 f59c08c359287a805d5c0cba9259505b6dca2983
SHA256 87bfa9e30c5123c33f2fa2ad7a2f7371f49a37bbb7c7fc4ce8d1e8f0bff10249
SHA512 4ea317398447c0bb3192682f73411024fe9fa82aa610d8932acb8acea78c0f1e61406e4f13e86ef5a3242ed385f6ab934a1b05abc0b5e894947a99e9ab3899e7

C:\Windows\SYSTEM.INI

MD5 54275085d2caa42fffe76a1ca5654e9b
SHA1 0a30718b8ae1b25c577fefb1f945b41fac2de12a
SHA256 6dfe3f05c436f8b72a94418be7c301aacce8dea05129e1c1a425dc80fb259d68
SHA512 fdaef9778bfcd24e30d12c69dbb37a00b3984cbaac0d7ce3537e597aacbbc9691268b4d45b99b6f20f86987996505824b83a01fbb400f2f8c77778f7e37e2666
