Malware Analysis Report

2024-09-11 12:22

Sample ID 240614-lntfvsyelp
Target b52664cc2351616d712d3b7678142410_NeikiAnalytics.exe
SHA256 cec208e0fc5ccdc4321309e4bd9e8dfc5679008d11302503221bfc01a24f858e
Tags sality backdoor evasion trojan upx
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 10/10

SHA256 cec208e0fc5ccdc4321309e4bd9e8dfc5679008d11302503221bfc01a24f858e

Threat Level: Known bad

The file b52664cc2351616d712d3b7678142410_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Sality

UAC bypass

Windows security bypass

Modifies firewall policy service

Windows security modification

Executes dropped EXE

Loads dropped DLL

UPX packed file

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System policy modification

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported 2024-06-14 09:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-14 09:41
Reported 2024-06-14 09:43
Platform win7-20240611-en
Max time kernel 121s
Max time network 122s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f760dd6.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f760dd6.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f760dd6.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f760c40.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f760c40.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f760c40.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760dd6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760c40.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760dd6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760dd6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760dd6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760c40.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760c40.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760c40.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760dd6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760dd6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760dd6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760c40.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760c40.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760c40.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (x25)
Rows marked (xN) collapse N identical consecutive rows.

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760c40.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760c40.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760dd6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760dd6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760c40.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760dd6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f760dd6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760c40.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760c40.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f760c40.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760dd6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760c40.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760dd6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760dd6.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760c40.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760dd6.exe N/A
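The four registry signatures above (firewall policy, UAC bypass, Security Center bypass/modification, UAC check) all record the same kind of event in the same four-column row format, and several of the same writes are listed twice under different signature names. The Python below is an added example, not part of the sandbox report: it parses a handful of those rows (copied from the behavioral1 tables and embedded inline as constructed sample input), deduplicates them per dropped executable, and labels each value with the defense it weakens. The TAMPER_EFFECTS table is this example's own mapping of value name and data to effect; the behavioral2 rows parse the same way, the only difference being the case of WOW6432Node.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Rows copied from the behavioral1 signature tables of this report, embedded
# here as constructed sample input so the script runs offline. Column order as
# in the report: Description  Indicator  Process  Target. The second
# AntiVirusOverride row for f760dd6.exe is a deliberate duplicate (the report
# lists that write under two signature names).
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f760dd6.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f760dd6.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f760dd6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760dd6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760c40.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760dd6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760dd6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760c40.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760dd6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f760dd6.exe N/A
"""

# This example's own mapping of (value name, data written) to the defense that
# write weakens. Anything not listed is reported as unclassified rather than guessed.
TAMPER_EFFECTS = {
    ("EnableFirewall", "0"): "Windows Firewall disabled (StandardProfile)",
    ("DoNotAllowExceptions", "0"): "Firewall exceptions allowed",
    ("DisableNotifications", "1"): "Firewall notifications suppressed",
    ("EnableLUA", "0"): "UAC disabled (EnableLUA=0, takes effect after reboot)",
    ("AntiVirusOverride", "1"): "Security Center ignores antivirus state",
    ("FirewallOverride", "1"): "Security Center ignores firewall state",
    ("AntiVirusDisableNotify", "1"): "Security Center AV alerts suppressed",
    ("FirewallDisableNotify", "1"): "Security Center firewall alerts suppressed",
    ("UpdatesDisableNotify", "1"): "Security Center update alerts suppressed",
    ("UacDisableNotify", "1"): "Security Center UAC alerts suppressed",
}

SET_VALUE_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)"$')
KEY_CREATED_RE = re.compile(r"^Key created (.+)$")


def parse_row(row):
    """Split one report row into a dict. The registry path may contain spaces
    ("Security Center"), so the two space-free trailing columns (Process,
    Target) are peeled off from the right before the description is matched."""
    head, process, target = row.rsplit(" ", 2)
    m = SET_VALUE_RE.match(head)
    if m:
        return {"op": "set", "type": m.group(1), "path": m.group(2),
                "data": m.group(3), "process": process, "target": target}
    m = KEY_CREATED_RE.match(head)
    if m:
        return {"op": "create_key", "type": None, "path": m.group(1),
                "data": None, "process": process, "target": target}
    raise ValueError(f"unrecognised row: {row!r}")


def summarize(rows_text):
    """Group distinct registry writes by process image name.
    Returns {image: {"writes": distinct write count,
                     "effects": sorted labels from TAMPER_EFFECTS,
                     "unclassified": sorted "Name=data" strings not in the table}}."""
    seen = set()
    per_proc = defaultdict(lambda: {"writes": 0, "effects": set(), "unclassified": set()})
    for line in rows_text.strip().splitlines():
        ev = parse_row(line.strip())
        key = (ev["process"], ev["op"], ev["path"], ev["data"])
        if key in seen:  # same write listed under a second signature name
            continue
        seen.add(key)
        bucket = per_proc[PureWindowsPath(ev["process"]).name]
        bucket["writes"] += 1
        if ev["op"] == "create_key":
            bucket["effects"].add("Created key " + ev["path"].split("\\REGISTRY\\MACHINE\\", 1)[-1])
            continue
        value_name = ev["path"].rsplit("\\", 1)[-1]
        effect = TAMPER_EFFECTS.get((value_name, ev["data"]))
        if effect:
            bucket["effects"].add(effect)
        else:
            bucket["unclassified"].add(f"{value_name}={ev['data']}")
    return {img: {"writes": b["writes"], "effects": sorted(b["effects"]),
                  "unclassified": sorted(b["unclassified"])}
            for img, b in per_proc.items()}


if __name__ == "__main__":
    for image, info in summarize(SAMPLE_ROWS).items():
        print(f"{image}: {info['writes']} distinct writes")
        for effect in info["effects"]:
            print(f"  - {effect}")
        for odd in info["unclassified"]:
            print(f"  ? {odd}")
```

Deduplicating on (process, operation, path, data) rather than on the raw row is what collapses the doubled Security Center entries; keeping the unclassified bucket separate means a new value name in a future report shows up as a question rather than being silently dropped.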

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f760c40.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f760c40.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f760c40.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f760c40.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f760c40.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f760c40.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f760c40.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f760c40.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f760c40.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f760c40.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f760c40.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f760c40.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f760c40.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f760cae C:\Users\Admin\AppData\Local\Temp\f760c40.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f760c40.exe N/A
File created C:\Windows\f765d2d C:\Users\Admin\AppData\Local\Temp\f760dd6.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f760c40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f760c40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f760dd6.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760c40.exe N/A (x21)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760dd6.exe N/A (x20)
Rows marked (xN) collapse N identical consecutive rows.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2484 wrote to memory of 2232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (x7)
PID 2232 wrote to memory of 1768 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760c40.exe (x4)
PID 1768 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\f760c40.exe C:\Windows\system32\taskhost.exe
PID 1768 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\f760c40.exe C:\Windows\system32\Dwm.exe
PID 1768 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\f760c40.exe C:\Windows\Explorer.EXE
PID 1768 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\f760c40.exe C:\Windows\system32\DllHost.exe
PID 1768 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\f760c40.exe C:\Windows\system32\rundll32.exe
PID 1768 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\f760c40.exe C:\Windows\SysWOW64\rundll32.exe (x2)
PID 2232 wrote to memory of 2808 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760dd6.exe (x4)
PID 2232 wrote to memory of 2576 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7629a0.exe (x4)
PID 1768 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\f760c40.exe C:\Windows\system32\taskhost.exe
PID 1768 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\f760c40.exe C:\Windows\system32\Dwm.exe
PID 1768 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\f760c40.exe C:\Windows\Explorer.EXE
PID 1768 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\f760c40.exe C:\Users\Admin\AppData\Local\Temp\f760dd6.exe (x2)
PID 1768 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\f760c40.exe C:\Users\Admin\AppData\Local\Temp\f7629a0.exe (x2)
PID 2808 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\f760dd6.exe C:\Windows\system32\taskhost.exe
PID 2808 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\f760dd6.exe C:\Windows\system32\Dwm.exe
PID 2808 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\f760dd6.exe C:\Windows\Explorer.EXE
Rows marked (xN) collapse N identical consecutive rows; order is preserved.
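The WriteProcessMemory table above is the part of the report that shows how the sample moves from the rundll32.exe that loaded it into the dropped executables and then into taskhost.exe, Dwm.exe, Explorer.EXE and DllHost.exe. Reading that chain off the raw rows is tedious, so the Python below, an added example and not part of the sandbox report, parses the rows (copied from the table and embedded inline as constructed sample input, one duplicate kept on purpose), counts writes per injector/target pair, sorts PIDs into roots, stagers and terminal victims, lists the Windows processes that were written into, and prints every acyclic injection chain from a given root. The root PID is an input, not something the script infers: f760c40.exe writes back into both rundll32 processes, so no writer in this table is free of inbound writes; the Processes list identifies the 64-bit rundll32.exe (PID 2484) as the start. It also accepts the optional "(xN)" repeat marker used when identical rows are collapsed.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Rows copied from the "Suspicious use of WriteProcessMemory" table of
# behavioral1, embedded here as constructed sample input so the script runs
# offline. Column order as in the report: Description  Indicator  Process
# Target. The first row is repeated deliberately: the sandbox emits one row
# per WriteProcessMemory call it observed.
SAMPLE_ROWS = r"""
PID 2484 wrote to memory of 2232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2484 wrote to memory of 2232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2232 wrote to memory of 1768 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760c40.exe
PID 1768 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\f760c40.exe C:\Windows\system32\taskhost.exe
PID 1768 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\f760c40.exe C:\Windows\system32\Dwm.exe
PID 1768 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\f760c40.exe C:\Windows\Explorer.EXE
PID 1768 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\f760c40.exe C:\Windows\system32\DllHost.exe
PID 1768 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\f760c40.exe C:\Windows\system32\rundll32.exe
PID 1768 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\f760c40.exe C:\Windows\SysWOW64\rundll32.exe
PID 2232 wrote to memory of 2808 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760dd6.exe
PID 2232 wrote to memory of 2576 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7629a0.exe
PID 1768 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\f760c40.exe C:\Users\Admin\AppData\Local\Temp\f760dd6.exe
PID 1768 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\f760c40.exe C:\Users\Admin\AppData\Local\Temp\f7629a0.exe
PID 2808 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\f760dd6.exe C:\Windows\system32\taskhost.exe
PID 2808 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\f760dd6.exe C:\Windows\system32\Dwm.exe
PID 2808 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\f760dd6.exe C:\Windows\Explorer.EXE
"""

# Optional trailing "(xN)" marks N identical rows collapsed into one.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \S+ "
    r"(?P<src_img>\S+) (?P<dst_img>\S+)(?: \(x(?P<n>\d+)\))?$")


def short(path):
    """Last two path components, e.g. 'system32\\rundll32.exe', so the 64-bit
    and SysWOW64 rundll32 instances stay distinguishable."""
    return "\\".join(PureWindowsPath(path).parts[-2:])


def parse_edges(rows_text):
    """Return (Counter{(src_pid, dst_pid): write count}, {pid: image path})."""
    edges, paths = Counter(), {}
    for line in rows_text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        src, dst = int(m["src"]), int(m["dst"])
        paths[src], paths[dst] = m["src_img"], m["dst_img"]
        edges[(src, dst)] += int(m["n"] or 1)
    return edges, paths


def classify(edges):
    """Roles by PID. roots: write but are never written to. stagers: written
    to and write onward. victims: written to and never write (terminal)."""
    writers = {s for s, _ in edges}
    written = {d for _, d in edges}
    return {"roots": sorted(writers - written),
            "stagers": sorted(writers & written),
            "victims": sorted(written - writers)}


def windows_victims(edges, paths):
    """Terminal targets whose image lives under C:\\Windows: the legitimate
    processes the sample wrote code into."""
    victims = classify(edges)["victims"]
    hits = [short(paths[p]) for p in victims if paths[p].lower().startswith("c:\\windows\\")]
    return sorted(hits, key=str.lower)


def injection_chains(edges, paths, root):
    """Every acyclic write path from `root` to a terminal victim, rendered as
    'image(pid) -> image(pid) -> ...'. `root` is supplied by the caller because
    a stager writing back into its injector leaves no writer without inbound
    edges in this table."""
    succ = defaultdict(set)
    for s, d in edges:
        succ[s].add(d)
    victims = set(classify(edges)["victims"])
    chains = []

    def walk(pid, path):
        if pid in victims:
            chains.append(" -> ".join(f"{short(paths[p])}({p})" for p in path))
            return
        for nxt in sorted(succ[pid]):
            if nxt not in path:  # a write back into an ancestor is a cycle, not a new stage
                walk(nxt, path + [nxt])

    walk(root, [root])
    return chains


if __name__ == "__main__":
    edges, paths = parse_edges(SAMPLE_ROWS)
    print(f"{sum(edges.values())} writes across {len(edges)} injector->target pairs")
    print("roles:", classify(edges))
    print("Windows processes written into:", windows_victims(edges, paths))
    for chain in injection_chains(edges, paths, root=2484):  # PID 2484: rundll32.exe from the Processes list
        print(chain)
```

On this sample the role split comes out with an empty roots list and the two rundll32 instances classed as stagers, which is exactly the situation the explicit root argument exists for; the chain output makes the two-stage structure (rundll32 to f760c40.exe or f760dd6.exe, then into the system processes) readable at a glance.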

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760c40.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760dd6.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\b52664cc2351616d712d3b7678142410_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\b52664cc2351616d712d3b7678142410_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\f760c40.exe

C:\Users\Admin\AppData\Local\Temp\f760c40.exe

C:\Users\Admin\AppData\Local\Temp\f760dd6.exe

C:\Users\Admin\AppData\Local\Temp\f760dd6.exe

C:\Users\Admin\AppData\Local\Temp\f7629a0.exe

C:\Users\Admin\AppData\Local\Temp\f7629a0.exe

Network

N/A

Files

memory/2232-1-0x0000000010000000-0x0000000010020000-memory.dmp

\Users\Admin\AppData\Local\Temp\f760c40.exe

MD5 8d5a5b989023945f07cac2e24d53841b
SHA1 cfec0fa00ca1da751b750172ba5ccffafb074988
SHA256 210ef01d6992081eb11cd20334dbcb83f41831bbdae46402626c15cd16e93bb4
SHA512 32fe5ca36334d620e9b9bcb28fdec283d10956d5e4ed5cefec928966e98bafb3f6f6f3e1a2237ebbb028da8f1743da1db235aafa0f48da95a47e4d64f6729317

memory/2232-10-0x0000000000140000-0x0000000000152000-memory.dmp

memory/1768-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2232-9-0x0000000000140000-0x0000000000152000-memory.dmp

memory/1768-12-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/1768-14-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/1768-15-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/1768-19-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/1768-17-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/1768-20-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2232-56-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/1768-47-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/2232-59-0x00000000006E0000-0x00000000006F2000-memory.dmp

memory/1768-49-0x00000000003B0000-0x00000000003B2000-memory.dmp

memory/1768-21-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2808-61-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2232-60-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/1768-58-0x00000000003B0000-0x00000000003B2000-memory.dmp

memory/2232-46-0x0000000000980000-0x000000000098E000-memory.dmp

memory/2232-39-0x0000000000200000-0x0000000000201000-memory.dmp

memory/2232-37-0x0000000000200000-0x0000000000201000-memory.dmp

memory/2232-36-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/1116-28-0x0000000001F90000-0x0000000001F92000-memory.dmp

memory/1768-18-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/1768-16-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/1768-22-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/1768-62-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/1768-63-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/1768-64-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/1768-65-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/1768-66-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/1768-68-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2232-79-0x0000000000140000-0x0000000000142000-memory.dmp

memory/2232-77-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/1768-81-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/1768-82-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/1768-85-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2808-93-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2808-100-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2576-98-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2576-101-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2808-94-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/1768-102-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/1768-105-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/1768-106-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/1768-121-0x00000000003B0000-0x00000000003B2000-memory.dmp

memory/1768-145-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/1768-144-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 754d6fec0ae25d9828f3adb47a609118
SHA1 df3bfc4e06a787d4ce85fd0db297ef25ec9d829f
SHA256 e5f73b0c16a87056f339b61b588a65b9af369eba905ffa6c38d4f50ff8407428
SHA512 0ce146b7b7e784d0d453fb8c92583ef898a401709775364154426ea7664bfd85267656a5358914fa007ad5ad07cd4c4d8a36cd006cbfe6c3bdff510c1e8bacc0

memory/2808-149-0x00000000009A0000-0x0000000001A5A000-memory.dmp

memory/2808-188-0x00000000009A0000-0x0000000001A5A000-memory.dmp

memory/2808-187-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2576-192-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-14 09:41
Reported 2024-06-14 09:43
Platform win10v2004-20240611-en
Max time kernel 148s
Max time network 150s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e575f56.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e575f56.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e575f56.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e575f56.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575f56.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575f56.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575f56.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575f56.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575f56.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575f56.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (x32)
Rows marked (xN) collapse N identical consecutive rows.

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575f56.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575f56.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575f56.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575f56.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575f56.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575f56.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e575f56.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e575f56.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e575f56.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e575f56.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e5740a3 C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
File created C:\Windows\e5791b1 C:\Users\Admin\AppData\Local\Temp\e575f56.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A (x26)
Rows marked (xN) collapse N identical consecutive rows.
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 940 wrote to memory of 1708 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 940 wrote to memory of 1708 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 940 wrote to memory of 1708 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1708 wrote to memory of 4784 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574045.exe
PID 1708 wrote to memory of 4784 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574045.exe
PID 1708 wrote to memory of 4784 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574045.exe
PID 4784 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Windows\system32\fontdrvhost.exe
PID 4784 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Windows\system32\fontdrvhost.exe
PID 4784 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Windows\system32\dwm.exe
PID 4784 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Windows\system32\sihost.exe
PID 4784 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Windows\system32\svchost.exe
PID 4784 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Windows\system32\taskhostw.exe
PID 4784 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Windows\Explorer.EXE
PID 4784 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Windows\system32\svchost.exe
PID 4784 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Windows\system32\DllHost.exe
PID 4784 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4784 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Windows\System32\RuntimeBroker.exe
PID 4784 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4784 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Windows\System32\RuntimeBroker.exe
PID 4784 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4784 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Windows\System32\RuntimeBroker.exe
PID 4784 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4784 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4784 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Windows\system32\rundll32.exe
PID 4784 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Windows\SysWOW64\rundll32.exe
PID 4784 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Windows\SysWOW64\rundll32.exe
PID 1708 wrote to memory of 3028 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57418d.exe
PID 1708 wrote to memory of 3028 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57418d.exe
PID 1708 wrote to memory of 3028 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57418d.exe
PID 1708 wrote to memory of 3688 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575f56.exe
PID 1708 wrote to memory of 3688 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575f56.exe
PID 1708 wrote to memory of 3688 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575f56.exe
PID 4784 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Windows\system32\fontdrvhost.exe
PID 4784 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Windows\system32\fontdrvhost.exe
PID 4784 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Windows\system32\dwm.exe
PID 4784 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Windows\system32\sihost.exe
PID 4784 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Windows\system32\svchost.exe
PID 4784 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Windows\system32\taskhostw.exe
PID 4784 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Windows\Explorer.EXE
PID 4784 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Windows\system32\svchost.exe
PID 4784 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Windows\system32\DllHost.exe
PID 4784 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4784 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Windows\System32\RuntimeBroker.exe
PID 4784 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4784 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Windows\System32\RuntimeBroker.exe
PID 4784 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4784 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Windows\System32\RuntimeBroker.exe
PID 4784 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4784 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Users\Admin\AppData\Local\Temp\e57418d.exe
PID 4784 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Users\Admin\AppData\Local\Temp\e57418d.exe
PID 4784 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Windows\System32\RuntimeBroker.exe
PID 4784 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Windows\System32\RuntimeBroker.exe
PID 4784 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Users\Admin\AppData\Local\Temp\e575f56.exe
PID 4784 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\e574045.exe C:\Users\Admin\AppData\Local\Temp\e575f56.exe
PID 3688 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e575f56.exe C:\Windows\system32\fontdrvhost.exe
PID 3688 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e575f56.exe C:\Windows\system32\fontdrvhost.exe
PID 3688 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\e575f56.exe C:\Windows\system32\dwm.exe
PID 3688 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\e575f56.exe C:\Windows\system32\sihost.exe
PID 3688 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\e575f56.exe C:\Windows\system32\svchost.exe
PID 3688 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\e575f56.exe C:\Windows\system32\taskhostw.exe
PID 3688 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\e575f56.exe C:\Windows\Explorer.EXE
PID 3688 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\e575f56.exe C:\Windows\system32\svchost.exe
PID 3688 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\e575f56.exe C:\Windows\system32\DllHost.exe
PID 3688 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\e575f56.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e574045.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e575f56.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\b52664cc2351616d712d3b7678142410_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\b52664cc2351616d712d3b7678142410_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\e574045.exe

C:\Users\Admin\AppData\Local\Temp\e574045.exe

C:\Users\Admin\AppData\Local\Temp\e57418d.exe

C:\Users\Admin\AppData\Local\Temp\e57418d.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e575f56.exe

C:\Users\Admin\AppData\Local\Temp\e575f56.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/1708-1-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e574045.exe

MD5 8d5a5b989023945f07cac2e24d53841b
SHA1 cfec0fa00ca1da751b750172ba5ccffafb074988
SHA256 210ef01d6992081eb11cd20334dbcb83f41831bbdae46402626c15cd16e93bb4
SHA512 32fe5ca36334d620e9b9bcb28fdec283d10956d5e4ed5cefec928966e98bafb3f6f6f3e1a2237ebbb028da8f1743da1db235aafa0f48da95a47e4d64f6729317

memory/4784-5-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4784-6-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4784-7-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4784-9-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4784-19-0x0000000001AF0000-0x0000000001AF2000-memory.dmp

memory/4784-11-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4784-28-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4784-18-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4784-31-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4784-33-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4784-34-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3028-32-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4784-22-0x0000000001AF0000-0x0000000001AF2000-memory.dmp

memory/1708-21-0x0000000000BC0000-0x0000000000BC2000-memory.dmp

memory/4784-10-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/1708-16-0x0000000000BC0000-0x0000000000BC2000-memory.dmp

memory/4784-15-0x0000000001B00000-0x0000000001B01000-memory.dmp

memory/1708-13-0x0000000003700000-0x0000000003701000-memory.dmp

memory/1708-12-0x0000000000BC0000-0x0000000000BC2000-memory.dmp

memory/4784-35-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4784-37-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4784-36-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4784-38-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4784-40-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4784-39-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/1708-45-0x0000000000BC0000-0x0000000000BC2000-memory.dmp

memory/3688-49-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4784-50-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4784-51-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/3028-53-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/3028-56-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3688-57-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/3688-55-0x0000000000570000-0x0000000000571000-memory.dmp

memory/3688-59-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/3028-58-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4784-61-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4784-62-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4784-63-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4784-65-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4784-67-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4784-70-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4784-71-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4784-72-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4784-73-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4784-75-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4784-79-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4784-91-0x0000000001AF0000-0x0000000001AF2000-memory.dmp

memory/4784-81-0x0000000000830000-0x00000000018EA000-memory.dmp

memory/4784-98-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3028-102-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 8c86cbc4e4d6e0f15922d118727db49f
SHA1 77cacbea5fb0f436c448fccfe527c37aa10e0818
SHA256 1495ddf536172771e985e80227189e005ac01454582612be24fb648585db6734
SHA512 dc68daf08a0b23f7d36aa2317ce38f62d12f787ab6d447ec9ed42cc500a24e7dcf286e56c6688f46d77709df856a754466430c1b1635a5694c191bd740ba4159

memory/3688-114-0x0000000000B20000-0x0000000001BDA000-memory.dmp

memory/3688-147-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3688-146-0x0000000000B20000-0x0000000001BDA000-memory.dmp