Malware Analysis Report

2024-09-11 12:59

Sample ID 240613-jryhwatfqn
Target 6ab5a57c356506162fdc60e211b8e670_NeikiAnalytics.exe
SHA256 8dd25472d6e5e7f20d2c6e251ec5d072d73a29b3f9610b49657fcf8e815841e3
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score 10/10

SHA256 8dd25472d6e5e7f20d2c6e251ec5d072d73a29b3f9610b49657fcf8e815841e3

Threat Level: Known bad

The file 6ab5a57c356506162fdc60e211b8e670_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Sality

Modifies firewall policy service

UAC bypass

Windows security bypass

Executes dropped EXE

Loads dropped DLL

UPX packed file

Windows security modification

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

System policy modification

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported 2024-06-13 07:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-13 07:54
Reported 2024-06-13 07:57
Platform win7-20240611-en
Max time kernel 121s
Max time network 125s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f7692be.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f7692be.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f7692be.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f7678a9.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f7678a9.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f7678a9.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7678a9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7692be.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7678a9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7678a9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7678a9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7692be.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7692be.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7692be.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7678a9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7678a9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7678a9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7692be.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7692be.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7692be.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (25 entries, all fields N/A)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7678a9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7692be.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f7692be.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7692be.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7692be.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7692be.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f7678a9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7678a9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7678a9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7678a9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7692be.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7678a9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7678a9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7692be.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7692be.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7678a9.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f7692be.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f7678a9.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f7678a9.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f7678a9.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f7678a9.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f7678a9.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f7678a9.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f7678a9.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f7678a9.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f7678a9.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f7678a9.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f7678a9.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f7678a9.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f7678a9.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f7678a9.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f767964 C:\Users\Admin\AppData\Local\Temp\f7678a9.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f7678a9.exe N/A
File created C:\Windows\f76cb5a C:\Users\Admin\AppData\Local\Temp\f7692be.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f7678a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f7678a9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f7692be.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7678a9.exe N/A (21 identical entries)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7692be.exe N/A (20 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2752 wrote to memory of 3020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (7 identical entries)
PID 3020 wrote to memory of 2336 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7678a9.exe (4 identical entries)
PID 2336 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\f7678a9.exe C:\Windows\system32\taskhost.exe
PID 2336 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\f7678a9.exe C:\Windows\system32\Dwm.exe
PID 2336 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\f7678a9.exe C:\Windows\Explorer.EXE
PID 2336 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\f7678a9.exe C:\Windows\system32\DllHost.exe
PID 2336 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\f7678a9.exe C:\Windows\system32\rundll32.exe
PID 2336 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\f7678a9.exe C:\Windows\SysWOW64\rundll32.exe (2 identical entries)
PID 3020 wrote to memory of 2636 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f767b96.exe (4 identical entries)
PID 3020 wrote to memory of 2936 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7692be.exe (4 identical entries)
PID 2336 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\f7678a9.exe C:\Windows\system32\taskhost.exe
PID 2336 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\f7678a9.exe C:\Windows\system32\Dwm.exe
PID 2336 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\f7678a9.exe C:\Windows\Explorer.EXE
PID 2336 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\f7678a9.exe C:\Users\Admin\AppData\Local\Temp\f767b96.exe (2 identical entries)
PID 2336 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\f7678a9.exe C:\Users\Admin\AppData\Local\Temp\f7692be.exe (2 identical entries)
PID 2936 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\f7692be.exe C:\Windows\system32\taskhost.exe
PID 2936 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\f7692be.exe C:\Windows\system32\Dwm.exe
PID 2936 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\f7692be.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7678a9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7692be.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ab5a57c356506162fdc60e211b8e670_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ab5a57c356506162fdc60e211b8e670_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\f7678a9.exe

C:\Users\Admin\AppData\Local\Temp\f7678a9.exe

C:\Users\Admin\AppData\Local\Temp\f767b96.exe

C:\Users\Admin\AppData\Local\Temp\f767b96.exe

C:\Users\Admin\AppData\Local\Temp\f7692be.exe

C:\Users\Admin\AppData\Local\Temp\f7692be.exe

Network

N/A

Files

memory/3020-0-0x0000000010000000-0x0000000010020000-memory.dmp

\Users\Admin\AppData\Local\Temp\f7678a9.exe

MD5 f58e9ac82c023033dfe5e22372ea82b6
SHA1 87e0b8a63b6c24fe3226eaa816d60e988521f8c6
SHA256 3349e665b645ecd33433b99d1d2bb79fa5c88141bdd398975ab86c21d39183f8
SHA512 03a80a76e32ae109181d7fce2fca886f79dc031f1c9724dfc7be9d8a55bebbf931ef6544883c64291551758d86deb24402a315a38408f9daa9ae85a8fcdf70ef

memory/3020-4-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2336-10-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2336-11-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2336-15-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2336-18-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2336-44-0x00000000004A0000-0x00000000004A1000-memory.dmp

memory/3020-53-0x0000000000270000-0x0000000000272000-memory.dmp

memory/2336-19-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2636-58-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2336-17-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/3020-35-0x0000000000280000-0x0000000000281000-memory.dmp

memory/2336-46-0x0000000000480000-0x0000000000482000-memory.dmp

memory/2336-16-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2336-21-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2336-20-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/3020-34-0x0000000000270000-0x0000000000272000-memory.dmp

memory/1188-27-0x00000000003D0000-0x00000000003D2000-memory.dmp

memory/2336-14-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2336-13-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/3020-56-0x0000000000270000-0x0000000000272000-memory.dmp

memory/3020-55-0x00000000003A0000-0x00000000003B2000-memory.dmp

memory/2336-54-0x0000000000480000-0x0000000000482000-memory.dmp

memory/3020-43-0x0000000000280000-0x0000000000281000-memory.dmp

memory/2336-59-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2336-60-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2336-61-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2336-62-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2336-63-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2336-65-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2936-77-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3020-73-0x0000000000270000-0x0000000000272000-memory.dmp

memory/2336-78-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2336-79-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2336-81-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2336-83-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2936-100-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2936-99-0x0000000000330000-0x0000000000331000-memory.dmp

memory/2636-101-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/2636-95-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2636-94-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/2936-103-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2336-102-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2336-105-0x00000000005B0000-0x000000000166A000-memory.dmp

memory/2336-118-0x0000000000480000-0x0000000000482000-memory.dmp

memory/2336-145-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2336-146-0x00000000005B0000-0x000000000166A000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 cffff4564203cf981fced65c713d93ba
SHA1 fa15f283d73126a287fc44a86e53d0b32d365000
SHA256 889c392baa0b7d0f23c8d83f950292d7c0a3a235595dadc4a66dafefcc24a396
SHA512 c277a29731edbbc9525dee375ef96c43555749fe51ce602513da66afbc156401a6116ef0c51d947cce77433ef2da24c09632c14d268bb1205529e7e381245356

memory/2936-154-0x0000000000920000-0x00000000019DA000-memory.dmp

memory/2636-153-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2936-199-0x0000000000920000-0x00000000019DA000-memory.dmp

memory/2936-198-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-13 07:54
Reported 2024-06-13 07:57
Platform win10v2004-20240508-en
Max time kernel 148s
Max time network 150s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e581306.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e581306.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e581306.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e581306.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e581306.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e581306.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e581306.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e581306.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e581306.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e581306.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (27 entries, all fields N/A)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e581306.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e581306.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e581306.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e581306.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e581306.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e581306.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e581306.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e581306.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e581306.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e581306.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e581306.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e581306.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e581306.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e57e668 C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
File created C:\Windows\e583a45 C:\Users\Admin\AppData\Local\Temp\e581306.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A (28 identical entries)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3152 wrote to memory of 928 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3152 wrote to memory of 928 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3152 wrote to memory of 928 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 928 wrote to memory of 2700 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57e60a.exe
PID 928 wrote to memory of 2700 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57e60a.exe
PID 928 wrote to memory of 2700 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57e60a.exe
PID 2700 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Windows\system32\fontdrvhost.exe
PID 2700 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Windows\system32\fontdrvhost.exe
PID 2700 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Windows\system32\dwm.exe
PID 2700 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Windows\system32\sihost.exe
PID 2700 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Windows\system32\svchost.exe
PID 2700 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Windows\system32\taskhostw.exe
PID 2700 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Windows\Explorer.EXE
PID 2700 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Windows\system32\svchost.exe
PID 2700 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Windows\system32\DllHost.exe
PID 2700 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2700 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Windows\System32\RuntimeBroker.exe
PID 2700 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2700 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Windows\System32\RuntimeBroker.exe
PID 2700 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Windows\System32\RuntimeBroker.exe
PID 2700 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2700 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2700 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Windows\system32\rundll32.exe
PID 2700 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Windows\SysWOW64\rundll32.exe
PID 2700 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Windows\SysWOW64\rundll32.exe
PID 928 wrote to memory of 4920 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57e743.exe
PID 928 wrote to memory of 4920 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57e743.exe
PID 928 wrote to memory of 4920 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57e743.exe
PID 2700 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Windows\system32\fontdrvhost.exe
PID 2700 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Windows\system32\fontdrvhost.exe
PID 2700 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Windows\system32\dwm.exe
PID 2700 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Windows\system32\sihost.exe
PID 2700 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Windows\system32\svchost.exe
PID 2700 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Windows\system32\taskhostw.exe
PID 2700 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Windows\Explorer.EXE
PID 2700 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Windows\system32\svchost.exe
PID 2700 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Windows\system32\DllHost.exe
PID 2700 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2700 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Windows\System32\RuntimeBroker.exe
PID 2700 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2700 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Windows\System32\RuntimeBroker.exe
PID 2700 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Windows\System32\RuntimeBroker.exe
PID 2700 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2700 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2700 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Windows\system32\rundll32.exe
PID 2700 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Users\Admin\AppData\Local\Temp\e57e743.exe
PID 2700 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Users\Admin\AppData\Local\Temp\e57e743.exe
PID 2700 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Windows\System32\RuntimeBroker.exe
PID 2700 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Windows\System32\RuntimeBroker.exe
PID 2700 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\e57e60a.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 928 wrote to memory of 2272 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e581306.exe
PID 928 wrote to memory of 2272 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e581306.exe
PID 928 wrote to memory of 2272 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e581306.exe
PID 2272 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\e581306.exe C:\Windows\system32\fontdrvhost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57e60a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e581306.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x23c,0x240,0x244,0x238,0x2b4,0x7ffa27edceb8,0x7ffa27edcec4,0x7ffa27edced0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2052,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=2044 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1948,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=2376 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2488,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=3424 /prefetch:8

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ab5a57c356506162fdc60e211b8e670_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ab5a57c356506162fdc60e211b8e670_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\e57e60a.exe

C:\Users\Admin\AppData\Local\Temp\e57e60a.exe

C:\Users\Admin\AppData\Local\Temp\e57e743.exe

C:\Users\Admin\AppData\Local\Temp\e57e743.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1516,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=4172 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\e581306.exe

C:\Users\Admin\AppData\Local\Temp\e581306.exe

Network

Files

memory/928-1-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e57e60a.exe

MD5 f58e9ac82c023033dfe5e22372ea82b6
SHA1 87e0b8a63b6c24fe3226eaa816d60e988521f8c6
SHA256 3349e665b645ecd33433b99d1d2bb79fa5c88141bdd398975ab86c21d39183f8
SHA512 03a80a76e32ae109181d7fce2fca886f79dc031f1c9724dfc7be9d8a55bebbf931ef6544883c64291551758d86deb24402a315a38408f9daa9ae85a8fcdf70ef

memory/2700-5-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2700-8-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2700-9-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2700-24-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2700-11-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2700-25-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2700-33-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2700-27-0x0000000000670000-0x0000000000672000-memory.dmp

memory/2700-34-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2700-35-0x0000000000790000-0x000000000184A000-memory.dmp

memory/928-32-0x0000000003730000-0x0000000003732000-memory.dmp

memory/4920-30-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2700-29-0x0000000000670000-0x0000000000672000-memory.dmp

memory/2700-26-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2700-10-0x0000000000790000-0x000000000184A000-memory.dmp

memory/928-16-0x0000000003730000-0x0000000003732000-memory.dmp

memory/2700-15-0x0000000000680000-0x0000000000681000-memory.dmp

memory/928-13-0x0000000003C00000-0x0000000003C01000-memory.dmp

memory/928-12-0x0000000003730000-0x0000000003732000-memory.dmp

memory/2700-36-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2700-37-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2700-38-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2700-39-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2700-40-0x0000000000790000-0x000000000184A000-memory.dmp

memory/4920-44-0x00000000001C0000-0x00000000001C2000-memory.dmp

memory/4920-43-0x00000000004F0000-0x00000000004F1000-memory.dmp

memory/4920-45-0x00000000001C0000-0x00000000001C2000-memory.dmp

memory/2700-46-0x0000000000790000-0x000000000184A000-memory.dmp

memory/928-51-0x0000000003730000-0x0000000003732000-memory.dmp

memory/2272-54-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2700-55-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2700-56-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2700-58-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2700-60-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2700-61-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2700-62-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2700-65-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2700-67-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2700-78-0x0000000000670000-0x0000000000672000-memory.dmp

memory/2700-70-0x0000000000790000-0x000000000184A000-memory.dmp

memory/2700-88-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4920-92-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 34b1091d8cb894444527a7079b028f4c
SHA1 45ac7df4d32b84d1d104a480ed431af3a6e24752
SHA256 b691c20563cccbf046bd6f714cca38b9dedbedc84f00cc1489b675efaee1ae56
SHA512 460290125f6b3122995d7e4a08e16975bdf51cb9aaa7664f0598c5cbf3f466d095fbfd7708f6b5838782d02ae2743747fd89465e519c3dc6fc438f4f0143c31a

memory/2272-109-0x0000000000750000-0x000000000180A000-memory.dmp

memory/2272-145-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2272-146-0x0000000000750000-0x000000000180A000-memory.dmp