Malware Analysis Report

2024-09-11 12:57

Sample ID 240612-b1tx2sxhmj
Target 15600df36cdb8a45bbce9c0c07136380_NeikiAnalytics.exe
SHA256 f23fdfab3c5ce582b5c7030e2c3ef0dc90bcd218bece3678b1d03dd38076c40e
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f23fdfab3c5ce582b5c7030e2c3ef0dc90bcd218bece3678b1d03dd38076c40e

Threat Level: Known bad

The file 15600df36cdb8a45bbce9c0c07136380_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Sality

Windows security bypass

Modifies firewall policy service

UAC bypass

Loads dropped DLL

Windows security modification

UPX packed file

Executes dropped EXE

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

System policy modification

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Create or Modify System Process
T1543
Windows Service
T1543.003
Privilege Escalation
TA0004
Create or Modify System Process
T1543
Windows Service
T1543.003
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Defense Evasion
TA0005
Modify Registry
T1112
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Impair Defenses
T1562
Disable or Modify Tools
T1562.001
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Peripheral Device Discovery
T1120
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-12 01:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 01:37

Reported

2024-06-12 01:39

Platform

win7-20240221-en

Max time kernel

121s

Max time network

121s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f764bb0.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f762a0d C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
File created C:\Windows\f767a8d C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 1752 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2208 wrote to memory of 1752 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2208 wrote to memory of 1752 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2208 wrote to memory of 1752 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2208 wrote to memory of 1752 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2208 wrote to memory of 1752 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2208 wrote to memory of 1752 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1752 wrote to memory of 2428 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7629a0.exe
PID 1752 wrote to memory of 2428 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7629a0.exe
PID 1752 wrote to memory of 2428 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7629a0.exe
PID 1752 wrote to memory of 2428 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7629a0.exe
PID 2428 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\f7629a0.exe C:\Windows\system32\taskhost.exe
PID 2428 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\f7629a0.exe C:\Windows\system32\Dwm.exe
PID 2428 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\f7629a0.exe C:\Windows\Explorer.EXE
PID 2428 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\f7629a0.exe C:\Windows\system32\DllHost.exe
PID 2428 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\f7629a0.exe C:\Windows\system32\rundll32.exe
PID 2428 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\f7629a0.exe C:\Windows\SysWOW64\rundll32.exe
PID 2428 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\f7629a0.exe C:\Windows\SysWOW64\rundll32.exe
PID 1752 wrote to memory of 2508 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762bb2.exe
PID 1752 wrote to memory of 2508 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762bb2.exe
PID 1752 wrote to memory of 2508 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762bb2.exe
PID 1752 wrote to memory of 2508 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762bb2.exe
PID 1752 wrote to memory of 2640 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f764bb0.exe
PID 1752 wrote to memory of 2640 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f764bb0.exe
PID 1752 wrote to memory of 2640 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f764bb0.exe
PID 1752 wrote to memory of 2640 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f764bb0.exe
PID 2428 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\f7629a0.exe C:\Windows\system32\taskhost.exe
PID 2428 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\f7629a0.exe C:\Windows\system32\Dwm.exe
PID 2428 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\f7629a0.exe C:\Windows\Explorer.EXE
PID 2428 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\f7629a0.exe C:\Users\Admin\AppData\Local\Temp\f762bb2.exe
PID 2428 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\f7629a0.exe C:\Users\Admin\AppData\Local\Temp\f762bb2.exe
PID 2428 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\f7629a0.exe C:\Users\Admin\AppData\Local\Temp\f764bb0.exe
PID 2428 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\f7629a0.exe C:\Users\Admin\AppData\Local\Temp\f764bb0.exe
PID 2508 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\f762bb2.exe C:\Windows\system32\taskhost.exe
PID 2508 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\f762bb2.exe C:\Windows\system32\Dwm.exe
PID 2508 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\f762bb2.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7629a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f762bb2.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\15600df36cdb8a45bbce9c0c07136380_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\15600df36cdb8a45bbce9c0c07136380_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\f7629a0.exe

C:\Users\Admin\AppData\Local\Temp\f7629a0.exe

C:\Users\Admin\AppData\Local\Temp\f762bb2.exe

C:\Users\Admin\AppData\Local\Temp\f762bb2.exe

C:\Users\Admin\AppData\Local\Temp\f764bb0.exe

C:\Users\Admin\AppData\Local\Temp\f764bb0.exe

Network

N/A

Files

memory/1752-2-0x0000000010000000-0x0000000010020000-memory.dmp

memory/1752-1-0x0000000010000000-0x0000000010020000-memory.dmp

memory/1752-0-0x0000000010000000-0x0000000010020000-memory.dmp

\Users\Admin\AppData\Local\Temp\f7629a0.exe

MD5 6f3e26173c9e28a745ff385433279e32
SHA1 22ac28d0eed59cea57f961762cb515977fdf3201
SHA256 5a356fa47f430f27501e4cfaaeb8b53739ee8c2426a64003f31f4019d9f52460
SHA512 27a92ff3bcdc9e385ca7c3ede6901ad44888197c1267eac76497fddd084e24bc81011f27ed2ada91c598f53c367fdc4ab7b97806141a4727e42d5c3ac1029b8c

memory/2428-13-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1752-12-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1752-11-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2428-18-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2428-21-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2428-14-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2428-19-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2428-17-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2428-16-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/1752-38-0x0000000000180000-0x0000000000181000-memory.dmp

memory/2428-49-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/1752-56-0x0000000000170000-0x0000000000172000-memory.dmp

memory/2428-47-0x0000000000520000-0x0000000000521000-memory.dmp

memory/1752-46-0x0000000000180000-0x0000000000181000-memory.dmp

memory/1752-37-0x0000000000170000-0x0000000000172000-memory.dmp

memory/1112-30-0x0000000001ED0000-0x0000000001ED2000-memory.dmp

memory/2428-24-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2428-23-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2428-22-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2428-20-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2428-58-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2428-59-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/1752-64-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2508-63-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1752-62-0x0000000000170000-0x0000000000172000-memory.dmp

memory/1752-61-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2428-60-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/2428-65-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2428-67-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2428-66-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2428-69-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2428-70-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2428-71-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2428-72-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2428-86-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2640-87-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2428-88-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2508-98-0x00000000003E0000-0x00000000003E2000-memory.dmp

memory/2508-97-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2640-105-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2640-107-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2508-104-0x00000000003E0000-0x00000000003E2000-memory.dmp

memory/2640-103-0x00000000002C0000-0x00000000002C1000-memory.dmp

memory/2428-109-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2428-119-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/2428-152-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2428-151-0x0000000000960000-0x0000000001A1A000-memory.dmp

memory/2508-164-0x0000000000910000-0x00000000019CA000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 ea2abc70b8bc14aef590254239cdb55d
SHA1 dff069c9c7e1f044897b6c7bf8c8c4b3325d8d12
SHA256 47c65c0e97edd0d4fccddb675a72dcb499b923b56af1785e2e52983ea1be82b1
SHA512 1002d7fc3ee4b9ff045223d8894e593ce9f67ec9a0a231b399b76e2a91893748e86c68c263a4451a312ce7ea00ccfe7bebcfeac2aebc10f318ff1d1ae61e9836

memory/2508-187-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2508-186-0x0000000000910000-0x00000000019CA000-memory.dmp

memory/2640-191-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 01:37

Reported

2024-06-12 01:39

Platform

win10v2004-20240611-en

Max time kernel

116s

Max time network

133s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e573316.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e573316.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e573316.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e573316.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573316.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573316.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573316.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573316.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573316.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573316.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e573316.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e574e6e.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573316.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e573316.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573316.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573316.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573316.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573316.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573316.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e573316.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e573316.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e573160 C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
File created C:\Windows\e57824f C:\Users\Admin\AppData\Local\Temp\e573316.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e573316.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e573316.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 464 wrote to memory of 1056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 464 wrote to memory of 1056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 464 wrote to memory of 1056 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1056 wrote to memory of 3476 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e573122.exe
PID 1056 wrote to memory of 3476 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e573122.exe
PID 1056 wrote to memory of 3476 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e573122.exe
PID 3476 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Windows\system32\fontdrvhost.exe
PID 3476 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Windows\system32\fontdrvhost.exe
PID 3476 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Windows\system32\dwm.exe
PID 3476 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Windows\system32\sihost.exe
PID 3476 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Windows\system32\svchost.exe
PID 3476 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Windows\system32\taskhostw.exe
PID 3476 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Windows\Explorer.EXE
PID 3476 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Windows\system32\svchost.exe
PID 3476 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Windows\system32\DllHost.exe
PID 3476 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3476 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Windows\System32\RuntimeBroker.exe
PID 3476 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3476 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Windows\System32\RuntimeBroker.exe
PID 3476 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3476 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Windows\System32\RuntimeBroker.exe
PID 3476 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3476 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3476 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Windows\system32\rundll32.exe
PID 3476 wrote to memory of 712 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Windows\system32\BackgroundTaskHost.exe
PID 3476 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Windows\SysWOW64\rundll32.exe
PID 3476 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Windows\SysWOW64\rundll32.exe
PID 1056 wrote to memory of 4248 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e573316.exe
PID 1056 wrote to memory of 4248 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e573316.exe
PID 1056 wrote to memory of 4248 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e573316.exe
PID 1056 wrote to memory of 4696 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574e6e.exe
PID 1056 wrote to memory of 4696 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574e6e.exe
PID 1056 wrote to memory of 4696 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574e6e.exe
PID 3476 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Windows\system32\fontdrvhost.exe
PID 3476 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Windows\system32\fontdrvhost.exe
PID 3476 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Windows\system32\dwm.exe
PID 3476 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Windows\system32\sihost.exe
PID 3476 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Windows\system32\svchost.exe
PID 3476 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Windows\system32\taskhostw.exe
PID 3476 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Windows\Explorer.EXE
PID 3476 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Windows\system32\svchost.exe
PID 3476 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Windows\system32\DllHost.exe
PID 3476 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3476 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Windows\System32\RuntimeBroker.exe
PID 3476 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3476 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Windows\System32\RuntimeBroker.exe
PID 3476 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3476 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Windows\System32\RuntimeBroker.exe
PID 3476 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3476 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3476 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Users\Admin\AppData\Local\Temp\e573316.exe
PID 3476 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Users\Admin\AppData\Local\Temp\e573316.exe
PID 3476 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Windows\System32\RuntimeBroker.exe
PID 3476 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Windows\System32\RuntimeBroker.exe
PID 3476 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Users\Admin\AppData\Local\Temp\e574e6e.exe
PID 3476 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\e573122.exe C:\Users\Admin\AppData\Local\Temp\e574e6e.exe
PID 4248 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\e573316.exe C:\Windows\system32\fontdrvhost.exe
PID 4248 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\e573316.exe C:\Windows\system32\fontdrvhost.exe
PID 4248 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e573316.exe C:\Windows\system32\dwm.exe
PID 4248 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\e573316.exe C:\Windows\system32\sihost.exe
PID 4248 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\e573316.exe C:\Windows\system32\svchost.exe
PID 4248 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\e573316.exe C:\Windows\system32\taskhostw.exe
PID 4248 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\e573316.exe C:\Windows\Explorer.EXE
PID 4248 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\e573316.exe C:\Windows\system32\svchost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e573122.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e573316.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\15600df36cdb8a45bbce9c0c07136380_NeikiAnalytics.dll,#1

C:\Windows\system32\BackgroundTaskHost.exe

"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\15600df36cdb8a45bbce9c0c07136380_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\e573122.exe

C:\Users\Admin\AppData\Local\Temp\e573122.exe

C:\Users\Admin\AppData\Local\Temp\e573316.exe

C:\Users\Admin\AppData\Local\Temp\e573316.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e574e6e.exe

C:\Users\Admin\AppData\Local\Temp\e574e6e.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/1056-1-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e573122.exe

MD5 6f3e26173c9e28a745ff385433279e32
SHA1 22ac28d0eed59cea57f961762cb515977fdf3201
SHA256 5a356fa47f430f27501e4cfaaeb8b53739ee8c2426a64003f31f4019d9f52460
SHA512 27a92ff3bcdc9e385ca7c3ede6901ad44888197c1267eac76497fddd084e24bc81011f27ed2ada91c598f53c367fdc4ab7b97806141a4727e42d5c3ac1029b8c

memory/3476-5-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3476-6-0x0000000000860000-0x000000000191A000-memory.dmp

memory/3476-8-0x0000000000860000-0x000000000191A000-memory.dmp

memory/3476-11-0x0000000000860000-0x000000000191A000-memory.dmp

memory/3476-17-0x0000000000860000-0x000000000191A000-memory.dmp

memory/3476-14-0x0000000000860000-0x000000000191A000-memory.dmp

memory/3476-16-0x0000000000860000-0x000000000191A000-memory.dmp

memory/1056-23-0x0000000001350000-0x0000000001352000-memory.dmp

memory/4248-35-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3476-34-0x00000000005E0000-0x00000000005E2000-memory.dmp

memory/1056-33-0x0000000001350000-0x0000000001352000-memory.dmp

memory/3476-29-0x00000000005E0000-0x00000000005E2000-memory.dmp

memory/3476-28-0x00000000005F0000-0x00000000005F1000-memory.dmp

memory/1056-26-0x0000000004870000-0x0000000004871000-memory.dmp

memory/1056-24-0x0000000001350000-0x0000000001352000-memory.dmp

memory/3476-15-0x0000000000860000-0x000000000191A000-memory.dmp

memory/3476-13-0x0000000000860000-0x000000000191A000-memory.dmp

memory/3476-12-0x0000000000860000-0x000000000191A000-memory.dmp

memory/3476-9-0x0000000000860000-0x000000000191A000-memory.dmp

memory/3476-37-0x0000000000860000-0x000000000191A000-memory.dmp

memory/3476-36-0x0000000000860000-0x000000000191A000-memory.dmp

memory/3476-38-0x0000000000860000-0x000000000191A000-memory.dmp

memory/4696-46-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3476-47-0x0000000000860000-0x000000000191A000-memory.dmp

memory/3476-48-0x0000000000860000-0x000000000191A000-memory.dmp

memory/3476-50-0x0000000000860000-0x000000000191A000-memory.dmp

memory/4696-54-0x0000000000530000-0x0000000000531000-memory.dmp

memory/4696-56-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/4248-55-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4248-52-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/4696-58-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/4248-57-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3476-59-0x0000000000860000-0x000000000191A000-memory.dmp

memory/3476-60-0x0000000000860000-0x000000000191A000-memory.dmp

memory/3476-62-0x0000000000860000-0x000000000191A000-memory.dmp

memory/3476-63-0x0000000000860000-0x000000000191A000-memory.dmp

memory/3476-65-0x0000000000860000-0x000000000191A000-memory.dmp

memory/3476-66-0x0000000000860000-0x000000000191A000-memory.dmp

memory/3476-69-0x0000000000860000-0x000000000191A000-memory.dmp

memory/3476-72-0x0000000000860000-0x000000000191A000-memory.dmp

memory/3476-74-0x0000000000860000-0x000000000191A000-memory.dmp

memory/3476-75-0x0000000000860000-0x000000000191A000-memory.dmp

memory/3476-81-0x00000000005E0000-0x00000000005E2000-memory.dmp

memory/3476-94-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 1e33b4661cbb0ac5a506a5700aa8d7e8
SHA1 6fd0cf94b47e324ec1d52ef746a67e4e29ab57c7
SHA256 00e2100d43005fe72b0dbb131bb76875e1e6dcf31633f3e0cae159791dc4018e
SHA512 a77ba8ec9cfceceb7e258cca164d4cb030de4c7cbaf5b20f9b8fa36a126aa1f3a3bcea92a69737e28129d41af1cd8c536a26891d5bd086eebcbf9e92cb29e912

memory/4248-111-0x0000000000B80000-0x0000000001C3A000-memory.dmp

memory/4248-135-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4248-134-0x0000000000B80000-0x0000000001C3A000-memory.dmp

memory/4696-139-0x0000000000400000-0x0000000000412000-memory.dmp