Malware Analysis Report

2024-09-11 12:21

Sample ID 240614-ln7ngsyenj
Target b52b174576b3def10061461c9977fe40_NeikiAnalytics.exe
SHA256 988a05a5ea052898acd95fe64261d8717325a73d99bd7f45cef2a38b0194ed7f
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

988a05a5ea052898acd95fe64261d8717325a73d99bd7f45cef2a38b0194ed7f

Threat Level: Known bad

The file b52b174576b3def10061461c9977fe40_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Modifies firewall policy service

Sality

UAC bypass

Windows security bypass

Loads dropped DLL

Windows security modification

UPX packed file

Executes dropped EXE

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System policy modification

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Create or Modify System Process
T1543
Windows Service
T1543.003
Privilege Escalation
TA0004
Create or Modify System Process
T1543
Windows Service
T1543.003
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Defense Evasion
TA0005
Modify Registry
T1112
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Impair Defenses
T1562
Disable or Modify Tools
T1562.001
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Peripheral Device Discovery
T1120
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-14 09:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 09:41

Reported

2024-06-14 09:44

Platform

win7-20240611-en

Max time kernel

118s

Max time network

119s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f76079f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f7606b5 C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
File created C:\Windows\f76562b C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2652 wrote to memory of 1756 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2652 wrote to memory of 1756 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2652 wrote to memory of 1756 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2652 wrote to memory of 1756 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2652 wrote to memory of 1756 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2652 wrote to memory of 1756 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2652 wrote to memory of 1756 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1756 wrote to memory of 2944 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760609.exe
PID 1756 wrote to memory of 2944 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760609.exe
PID 1756 wrote to memory of 2944 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760609.exe
PID 1756 wrote to memory of 2944 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760609.exe
PID 2944 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\f760609.exe C:\Windows\system32\taskhost.exe
PID 2944 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\f760609.exe C:\Windows\system32\Dwm.exe
PID 2944 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\f760609.exe C:\Windows\Explorer.EXE
PID 2944 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\f760609.exe C:\Windows\system32\DllHost.exe
PID 2944 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\f760609.exe C:\Windows\system32\rundll32.exe
PID 2944 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\f760609.exe C:\Windows\SysWOW64\rundll32.exe
PID 2944 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\f760609.exe C:\Windows\SysWOW64\rundll32.exe
PID 1756 wrote to memory of 2908 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76079f.exe
PID 1756 wrote to memory of 2908 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76079f.exe
PID 1756 wrote to memory of 2908 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76079f.exe
PID 1756 wrote to memory of 2908 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76079f.exe
PID 1756 wrote to memory of 2788 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762250.exe
PID 1756 wrote to memory of 2788 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762250.exe
PID 1756 wrote to memory of 2788 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762250.exe
PID 1756 wrote to memory of 2788 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762250.exe
PID 2944 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\f760609.exe C:\Windows\system32\taskhost.exe
PID 2944 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\f760609.exe C:\Windows\system32\Dwm.exe
PID 2944 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\f760609.exe C:\Windows\Explorer.EXE
PID 2944 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\f760609.exe C:\Users\Admin\AppData\Local\Temp\f76079f.exe
PID 2944 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\f760609.exe C:\Users\Admin\AppData\Local\Temp\f76079f.exe
PID 2944 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\f760609.exe C:\Users\Admin\AppData\Local\Temp\f762250.exe
PID 2944 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\f760609.exe C:\Users\Admin\AppData\Local\Temp\f762250.exe
PID 2788 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\f762250.exe C:\Windows\system32\taskhost.exe
PID 2788 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\f762250.exe C:\Windows\system32\Dwm.exe
PID 2788 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\f762250.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760609.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f762250.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\b52b174576b3def10061461c9977fe40_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\b52b174576b3def10061461c9977fe40_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\f760609.exe

C:\Users\Admin\AppData\Local\Temp\f760609.exe

C:\Users\Admin\AppData\Local\Temp\f76079f.exe

C:\Users\Admin\AppData\Local\Temp\f76079f.exe

C:\Users\Admin\AppData\Local\Temp\f762250.exe

C:\Users\Admin\AppData\Local\Temp\f762250.exe

Network

N/A

Files

memory/1756-1-0x0000000010000000-0x0000000010020000-memory.dmp

\Users\Admin\AppData\Local\Temp\f760609.exe

MD5 22a3ec1f55d3d46add4d7c3b430b3d6b
SHA1 5f7ba7ed9684d4dbd6c5b0f20123050dd2251a02
SHA256 e81e917130d3ac51bc9cf34aba856ce6b37102c64268844eec6bd62c7ccf497e
SHA512 3bc15f6b3938786d04bc553c9772c096205d22c96a6a52374bf28325627320740699d780b9dab6782c291c2a6528e889d248ea92a506f8e3a35080af0277d446

memory/2944-10-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1756-9-0x00000000001C0000-0x00000000001D2000-memory.dmp

memory/2944-11-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2944-16-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2944-18-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2944-15-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2944-39-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2908-51-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1756-29-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/1756-28-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1248-22-0x0000000001F10000-0x0000000001F12000-memory.dmp

memory/2944-20-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2944-21-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2944-19-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2944-13-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2944-17-0x0000000000590000-0x000000000164A000-memory.dmp

memory/1756-50-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1756-49-0x0000000000220000-0x0000000000232000-memory.dmp

memory/1756-47-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1756-38-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2944-14-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2944-58-0x00000000002E0000-0x00000000002E2000-memory.dmp

memory/2944-57-0x00000000002E0000-0x00000000002E2000-memory.dmp

memory/2944-59-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2944-60-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2944-61-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2944-62-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2944-63-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2944-65-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2944-66-0x0000000000590000-0x000000000164A000-memory.dmp

memory/1756-75-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2788-78-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2944-80-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2944-81-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2944-83-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2908-91-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/2908-92-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/2788-97-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2788-99-0x0000000000200000-0x0000000000201000-memory.dmp

memory/2788-101-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2908-100-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/2944-102-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2944-103-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2944-116-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2944-148-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2944-149-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2908-153-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 f376fbab101bf45ef2e7612dc1d610d2
SHA1 462bce34a5f9d397e0250f2594ce8e49f8f13d7e
SHA256 b82aecd009448b34549b9142fa2b7e189acb2e8aaea15075b0f43e63b1fb8ee2
SHA512 75c4f827e450ad025e377f7256032faa018ec19659985ce4e8a00d52a02390d5317d3c298dc171dd8e6f749b1e141b6cca2f74749c53175e9c659684aba0d1c7

memory/2788-170-0x0000000000910000-0x00000000019CA000-memory.dmp

memory/2788-204-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2788-203-0x0000000000910000-0x00000000019CA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 09:41

Reported

2024-06-14 09:44

Platform

win10v2004-20240611-en

Max time kernel

94s

Max time network

95s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e57560f.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e57560f.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e57560f.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57560f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57560f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57560f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57560f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57560f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57560f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57560f.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e573af6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5755e0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e57560f.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57560f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57560f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57560f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57560f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57560f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57560f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57560f.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57560f.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e57560f.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e57560f.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e578a6d C:\Users\Admin\AppData\Local\Temp\e57560f.exe N/A
File created C:\Windows\e57398e C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e57560f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e57560f.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5016 wrote to memory of 3684 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5016 wrote to memory of 3684 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5016 wrote to memory of 3684 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3684 wrote to memory of 2448 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e573950.exe
PID 3684 wrote to memory of 2448 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e573950.exe
PID 3684 wrote to memory of 2448 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e573950.exe
PID 2448 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Windows\system32\fontdrvhost.exe
PID 2448 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Windows\system32\fontdrvhost.exe
PID 2448 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Windows\system32\dwm.exe
PID 2448 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Windows\system32\sihost.exe
PID 2448 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Windows\system32\svchost.exe
PID 2448 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Windows\system32\taskhostw.exe
PID 2448 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Windows\Explorer.EXE
PID 2448 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Windows\system32\svchost.exe
PID 2448 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Windows\system32\DllHost.exe
PID 2448 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2448 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Windows\System32\RuntimeBroker.exe
PID 2448 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2448 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Windows\System32\RuntimeBroker.exe
PID 2448 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2448 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Windows\System32\RuntimeBroker.exe
PID 2448 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2448 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2448 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Windows\system32\rundll32.exe
PID 2448 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Windows\SysWOW64\rundll32.exe
PID 2448 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Windows\SysWOW64\rundll32.exe
PID 3684 wrote to memory of 4836 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e573af6.exe
PID 3684 wrote to memory of 4836 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e573af6.exe
PID 3684 wrote to memory of 4836 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e573af6.exe
PID 3684 wrote to memory of 2088 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5755e0.exe
PID 3684 wrote to memory of 2088 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5755e0.exe
PID 3684 wrote to memory of 2088 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5755e0.exe
PID 3684 wrote to memory of 4288 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57560f.exe
PID 3684 wrote to memory of 4288 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57560f.exe
PID 3684 wrote to memory of 4288 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57560f.exe
PID 2448 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Windows\system32\fontdrvhost.exe
PID 2448 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Windows\system32\fontdrvhost.exe
PID 2448 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Windows\system32\dwm.exe
PID 2448 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Windows\system32\sihost.exe
PID 2448 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Windows\system32\svchost.exe
PID 2448 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Windows\system32\taskhostw.exe
PID 2448 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Windows\Explorer.EXE
PID 2448 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Windows\system32\svchost.exe
PID 2448 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Windows\system32\DllHost.exe
PID 2448 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2448 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Windows\System32\RuntimeBroker.exe
PID 2448 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2448 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Windows\System32\RuntimeBroker.exe
PID 2448 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2448 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Windows\System32\RuntimeBroker.exe
PID 2448 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2448 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Users\Admin\AppData\Local\Temp\e573af6.exe
PID 2448 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Users\Admin\AppData\Local\Temp\e573af6.exe
PID 2448 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Windows\System32\RuntimeBroker.exe
PID 2448 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Windows\System32\RuntimeBroker.exe
PID 2448 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Users\Admin\AppData\Local\Temp\e5755e0.exe
PID 2448 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Users\Admin\AppData\Local\Temp\e5755e0.exe
PID 2448 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Users\Admin\AppData\Local\Temp\e57560f.exe
PID 2448 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\e573950.exe C:\Users\Admin\AppData\Local\Temp\e57560f.exe
PID 4288 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\e57560f.exe C:\Windows\system32\fontdrvhost.exe
PID 4288 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\e57560f.exe C:\Windows\system32\fontdrvhost.exe
PID 4288 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e57560f.exe C:\Windows\system32\dwm.exe
PID 4288 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\e57560f.exe C:\Windows\system32\sihost.exe
PID 4288 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\e57560f.exe C:\Windows\system32\svchost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e573950.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57560f.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\b52b174576b3def10061461c9977fe40_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\b52b174576b3def10061461c9977fe40_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\e573950.exe

C:\Users\Admin\AppData\Local\Temp\e573950.exe

C:\Users\Admin\AppData\Local\Temp\e573af6.exe

C:\Users\Admin\AppData\Local\Temp\e573af6.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e5755e0.exe

C:\Users\Admin\AppData\Local\Temp\e5755e0.exe

C:\Users\Admin\AppData\Local\Temp\e57560f.exe

C:\Users\Admin\AppData\Local\Temp\e57560f.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 203.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/3684-1-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e573950.exe

MD5 22a3ec1f55d3d46add4d7c3b430b3d6b
SHA1 5f7ba7ed9684d4dbd6c5b0f20123050dd2251a02
SHA256 e81e917130d3ac51bc9cf34aba856ce6b37102c64268844eec6bd62c7ccf497e
SHA512 3bc15f6b3938786d04bc553c9772c096205d22c96a6a52374bf28325627320740699d780b9dab6782c291c2a6528e889d248ea92a506f8e3a35080af0277d446

memory/2448-5-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2448-6-0x00000000008B0000-0x000000000196A000-memory.dmp

memory/2448-11-0x00000000008B0000-0x000000000196A000-memory.dmp

memory/2448-12-0x00000000008B0000-0x000000000196A000-memory.dmp

memory/2448-32-0x00000000005E0000-0x00000000005E2000-memory.dmp

memory/4836-36-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2448-35-0x00000000005E0000-0x00000000005E2000-memory.dmp

memory/2448-28-0x00000000008B0000-0x000000000196A000-memory.dmp

memory/2448-19-0x00000000008B0000-0x000000000196A000-memory.dmp

memory/3684-31-0x00000000030D0000-0x00000000030D1000-memory.dmp

memory/3684-30-0x0000000003040000-0x0000000003042000-memory.dmp

memory/2448-18-0x00000000008B0000-0x000000000196A000-memory.dmp

memory/2448-20-0x00000000008B0000-0x000000000196A000-memory.dmp

memory/3684-25-0x0000000003040000-0x0000000003042000-memory.dmp

memory/2448-24-0x00000000005F0000-0x00000000005F1000-memory.dmp

memory/3684-21-0x0000000003040000-0x0000000003042000-memory.dmp

memory/2448-9-0x00000000008B0000-0x000000000196A000-memory.dmp

memory/2448-8-0x00000000008B0000-0x000000000196A000-memory.dmp

memory/2448-29-0x00000000008B0000-0x000000000196A000-memory.dmp

memory/2448-37-0x00000000008B0000-0x000000000196A000-memory.dmp

memory/2448-38-0x00000000008B0000-0x000000000196A000-memory.dmp

memory/2448-39-0x00000000008B0000-0x000000000196A000-memory.dmp

memory/2448-40-0x00000000008B0000-0x000000000196A000-memory.dmp

memory/2448-41-0x00000000008B0000-0x000000000196A000-memory.dmp

memory/2448-43-0x00000000008B0000-0x000000000196A000-memory.dmp

memory/2448-44-0x00000000008B0000-0x000000000196A000-memory.dmp

memory/2088-54-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4288-57-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2448-58-0x00000000008B0000-0x000000000196A000-memory.dmp

memory/2448-60-0x00000000008B0000-0x000000000196A000-memory.dmp

memory/2448-61-0x00000000008B0000-0x000000000196A000-memory.dmp

memory/4836-65-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4836-64-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2088-68-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2088-67-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/4288-70-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4288-71-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/4288-74-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2088-73-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4836-72-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2448-76-0x00000000008B0000-0x000000000196A000-memory.dmp

memory/2448-77-0x00000000008B0000-0x000000000196A000-memory.dmp

memory/2448-79-0x00000000008B0000-0x000000000196A000-memory.dmp

memory/2448-81-0x00000000008B0000-0x000000000196A000-memory.dmp

memory/2448-83-0x00000000008B0000-0x000000000196A000-memory.dmp

memory/2448-85-0x00000000008B0000-0x000000000196A000-memory.dmp

memory/2448-87-0x00000000008B0000-0x000000000196A000-memory.dmp

memory/2448-88-0x00000000008B0000-0x000000000196A000-memory.dmp

memory/2448-91-0x00000000008B0000-0x000000000196A000-memory.dmp

memory/2448-92-0x00000000008B0000-0x000000000196A000-memory.dmp

memory/2448-100-0x00000000005E0000-0x00000000005E2000-memory.dmp

memory/2448-96-0x00000000008B0000-0x000000000196A000-memory.dmp

memory/2448-112-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4836-116-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 b092c8f1ef5070ed539c36c7c07db8a6
SHA1 3801d0fcfccdc025f55e977e39493131774b4c08
SHA256 6d205687c82d6ba72166e09b024fd864e2bd37602e9d79e5a4a6c0c08df29c7a
SHA512 4330455897868820b99761ee1d3c6617feb80a0c49ed5a364f5c43a082a4df89663d4c3240a97d2fab2f851b25be53b2be766f97de624554544a3dfcbe32f8bf

memory/4288-133-0x0000000000B30000-0x0000000001BEA000-memory.dmp

memory/2088-145-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4288-165-0x0000000000B30000-0x0000000001BEA000-memory.dmp

memory/4288-164-0x0000000000400000-0x0000000000412000-memory.dmp