Malware Analysis Report

2024-09-11 12:18

Sample ID 240617-ns7kdstalp
Target 862c887e24b533c22fa126f1e9c3b400_NeikiAnalytics.exe
SHA256 21f43010db740c67226fd3200e0ab0f42dc7c00a3bc841fe799076acf443ad89
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

21f43010db740c67226fd3200e0ab0f42dc7c00a3bc841fe799076acf443ad89

Threat Level: Known bad

The file 862c887e24b533c22fa126f1e9c3b400_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Modifies firewall policy service

Sality

Windows security bypass

UAC bypass

Executes dropped EXE

UPX packed file

Windows security modification

Loads dropped DLL

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

System policy modification

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-17 11:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 11:40

Reported

2024-06-17 11:43

Platform

win7-20240221-en

Max time kernel

119s

Max time network

120s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (27 entries, none with an extracted indicator)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A
File created C:\Windows\f76755f C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A
File created C:\Windows\f762481 C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A (21 identical entries)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A (20 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2752 wrote to memory of 2336 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (7 identical entries)
PID 2336 wrote to memory of 2404 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7623f5.exe (4 identical entries)
PID 2404 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\f7623f5.exe C:\Windows\system32\taskhost.exe
PID 2404 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\f7623f5.exe C:\Windows\system32\Dwm.exe
PID 2404 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\f7623f5.exe C:\Windows\Explorer.EXE
PID 2404 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\f7623f5.exe C:\Windows\system32\DllHost.exe
PID 2404 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\f7623f5.exe C:\Windows\system32\rundll32.exe
PID 2404 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\f7623f5.exe C:\Windows\SysWOW64\rundll32.exe (2 identical entries)
PID 2336 wrote to memory of 2584 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7625d8.exe (4 identical entries)
PID 2336 wrote to memory of 2776 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f764846.exe (4 identical entries)
PID 2404 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\f7623f5.exe C:\Windows\system32\taskhost.exe
PID 2404 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\f7623f5.exe C:\Windows\system32\Dwm.exe
PID 2404 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\f7623f5.exe C:\Windows\Explorer.EXE
PID 2404 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\f7623f5.exe C:\Users\Admin\AppData\Local\Temp\f7625d8.exe (2 identical entries)
PID 2404 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\f7623f5.exe C:\Users\Admin\AppData\Local\Temp\f764846.exe (2 identical entries)
PID 2776 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\f764846.exe C:\Windows\system32\taskhost.exe
PID 2776 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\f764846.exe C:\Windows\system32\Dwm.exe
PID 2776 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\f764846.exe C:\Windows\Explorer.EXE
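The rows above are the most useful part of this run for understanding the Sality tag. A "wrote to memory of" record on its own is not proof of injection: a parent writes into every child it starts (that is the rundll32 -> f7623f5.exe, f7625d8.exe and f764846.exe edges). What matters is writes from the sample's own processes into processes it did not create, here taskhost.exe (PID 1116), Dwm.exe (1172), Explorer.EXE (1200) and DllHost.exe (1964), plus the dropped EXE writing back into its own rundll32 parents. The following Python is an added example, not part of the sandbox output: it parses rows of the shape shown in this table, counts repeated rows as one edge, renders the write graph as a tree (the 2404 -> 2752/2336 edges form a cycle, so those are printed as back-edges rather than followed), and lists the targets outside the sample's chain. SAMPLE_ROWS is a constructed subset of this table's rows, with one duplicate kept to show the counting; the rule that "sample image" means rundll32.exe or anything under \AppData\Local\Temp\ is an assumption made for this report and would need adjusting for another sample.

```python
"""Rebuild the cross-process write graph from the 'Suspicious use of
WriteProcessMemory' rows above and separate writes into processes the sample
spawned from writes into processes that were already running. Added example,
not part of the sandbox output. SAMPLE_ROWS is a constructed subset of the
report's rows; one duplicate is kept to show how repeats are counted."""

import re
from collections import Counter

# Row shape: "PID <src> wrote to memory of <dst> <indicator> <src image> <dst image>"
ROW = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \S+ (?P<src_img>\S+) (?P<dst_img>\S+)$")

SAMPLE_ROWS = [
    r"PID 2752 wrote to memory of 2336 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe",
    r"PID 2752 wrote to memory of 2336 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe",
    r"PID 2336 wrote to memory of 2404 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7623f5.exe",
    r"PID 2404 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\f7623f5.exe C:\Windows\system32\taskhost.exe",
    r"PID 2404 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\f7623f5.exe C:\Windows\system32\Dwm.exe",
    r"PID 2404 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\f7623f5.exe C:\Windows\Explorer.EXE",
    r"PID 2404 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\f7623f5.exe C:\Windows\system32\DllHost.exe",
    r"PID 2404 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\f7623f5.exe C:\Windows\system32\rundll32.exe",
    r"PID 2404 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\f7623f5.exe C:\Windows\SysWOW64\rundll32.exe",
    r"PID 2336 wrote to memory of 2584 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7625d8.exe",
    r"PID 2336 wrote to memory of 2776 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f764846.exe",
    r"PID 2404 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\f7623f5.exe C:\Users\Admin\AppData\Local\Temp\f764846.exe",
    r"PID 2776 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\f764846.exe C:\Windows\system32\taskhost.exe",
    r"PID 2776 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\f764846.exe C:\Windows\system32\Dwm.exe",
    r"PID 2776 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\f764846.exe C:\Windows\Explorer.EXE",
]


def parse(rows):
    """Return ({pid: image path}, Counter{(writer pid, target pid): row count})."""
    images, edges = {}, Counter()
    for row in rows:
        m = ROW.match(row.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        images[src], images[dst] = m["src_img"], m["dst_img"]
        edges[(src, dst)] += 1
    return images, edges


def is_sample_image(path):
    """Assumed rule for this report: the sample runs as rundll32.exe or as an EXE dropped in %TEMP%."""
    p = path.lower()
    return p.endswith("\\rundll32.exe") or "\\appdata\\local\\temp\\" in p


def foreign_targets(rows):
    """{writer pid: sorted [(target pid, image)]} for writes into processes outside the
    sample's own chain, i.e. injection into already-running system processes rather
    than the ordinary parent-to-child write that happens at process creation."""
    images, edges = parse(rows)
    out = {}
    for src, dst in edges:
        if is_sample_image(images[src]) and not is_sample_image(images[dst]):
            out.setdefault(src, []).append((dst, images[dst]))
    return {k: sorted(v) for k, v in out.items()}


def render(rows, root):
    """Indented write tree from root; an edge back to a PID already on the current
    path is printed as a back-edge instead of being followed (the graph has a cycle)."""
    images, edges = parse(rows)
    children = {}
    for (src, dst), n in sorted(edges.items()):
        children.setdefault(src, []).append((dst, n))
    lines = []

    def walk(pid, depth, path, n):
        lines.append("  " * depth + f"{pid} {images[pid]}" + (f" (x{n})" if n else ""))
        for dst, cnt in children.get(pid, []):
            if dst in path:
                lines.append("  " * (depth + 1) + f"{dst} {images[dst]} (x{cnt}, back-edge)")
            else:
                walk(dst, depth + 1, path | {dst}, cnt)

    walk(root, 0, {root}, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render(SAMPLE_ROWS, 2752)))
    for pid, targets in foreign_targets(SAMPLE_ROWS).items():
        print(pid, "->", ", ".join(f"{t} {img}" for t, img in targets))
```

Run on the full table the same way, foreign_targets reports only PIDs 2404 and 2776 (the two droppers that carry the registry changes listed above), and their targets are exactly the four pre-existing system processes; the rundll32 hosts never write outside the chain.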

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f764846.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\862c887e24b533c22fa126f1e9c3b400_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\862c887e24b533c22fa126f1e9c3b400_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\f7623f5.exe

C:\Users\Admin\AppData\Local\Temp\f7623f5.exe

C:\Users\Admin\AppData\Local\Temp\f7625d8.exe

C:\Users\Admin\AppData\Local\Temp\f7625d8.exe

C:\Users\Admin\AppData\Local\Temp\f764846.exe

C:\Users\Admin\AppData\Local\Temp\f764846.exe

Network

N/A

Files

memory/2336-3-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2336-2-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2336-1-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2336-0-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f7623f5.exe

MD5 901b9c139880852fa647ba07ca29e913
SHA1 0af1cf802875f64944964533fca60fc4ce452953
SHA256 a63487925ac935443e113a4d42d3bee9a62ff22afa7ed66cd8867398e05648f5
SHA512 83ffdc3cff2373a10212990cfd215900fa46d5965a7808343d13c27f845fa87961a3a64123a7be44619f486b3809256ad29bc32526743fdef16f748deb402bbe

memory/2404-14-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2336-13-0x0000000000180000-0x0000000000192000-memory.dmp

memory/2336-12-0x0000000000180000-0x0000000000192000-memory.dmp

memory/2404-19-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2404-15-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2404-22-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2404-49-0x00000000005A0000-0x00000000005A1000-memory.dmp

memory/2404-51-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/2336-55-0x0000000000230000-0x0000000000242000-memory.dmp

memory/2404-52-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/2336-43-0x0000000000200000-0x0000000000201000-memory.dmp

memory/2336-41-0x0000000000200000-0x0000000000201000-memory.dmp

memory/2336-40-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/1116-32-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2404-26-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2404-24-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2404-23-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2404-21-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2404-20-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2404-18-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2404-17-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2404-25-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2404-57-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2336-64-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2336-63-0x0000000000230000-0x0000000000242000-memory.dmp

memory/2336-62-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2404-56-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2404-66-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2404-67-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2404-68-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2404-70-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2404-71-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2404-72-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2404-73-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2404-75-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2776-88-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2336-87-0x0000000000180000-0x0000000000182000-memory.dmp

memory/2404-90-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2584-103-0x0000000000280000-0x0000000000281000-memory.dmp

memory/2776-114-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2584-113-0x0000000000270000-0x0000000000272000-memory.dmp

memory/2776-112-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2404-100-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2404-127-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2404-139-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/2404-163-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2404-162-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2776-175-0x0000000000930000-0x00000000019EA000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 d6b56c0d08e9a565e76f36f49fe950dd
SHA1 6faafa557cde4d041ec2338ddef2aa4c361b705f
SHA256 bded5927579a7128634f8961b9ae1adb0d833af2e3aa960da54ab9aba90a6c9f
SHA512 96309941b4fd893c8fe58319b228ad133c806f11990b22bc202e5f7d0559783cbdff0642bd589bb90522993d76e901ee3dfd46511bbfb0860b579a643ea33c8a

memory/2584-192-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2776-222-0x0000000000930000-0x00000000019EA000-memory.dmp

memory/2776-221-0x0000000000400000-0x0000000000412000-memory.dmp
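Each dump name in this list encodes the PID, a running dump index and the address range that was captured, so the list can be reduced to a per-process map of distinct regions without opening a single file. Two facts fall out that a reader can check against the names above: the 0x400000-0x412000 range (0x12000 bytes) is dumped from PIDs 2404, 2584 and 2776, the three dropped EXEs from the WriteProcessMemory table, which is consistent with the same dropped image being run three times; and a 0x10BA000-byte range appears in both PID 2404 (at 0x6C0000) and PID 2776 (at 0x930000), far larger than the 0x12000-byte image. Same-size regions across several processes are the natural first place to compare dumps when looking for unpacked code. The following Python is an added example, not part of the sandbox output; DUMP_NAMES is constructed from a subset of the names above plus one non-dump file entry to show it is skipped.

```python
"""Summarise the memory-dump names in the Files section: the address ranges
dumped per PID, their sizes, and which sizes recur across PIDs. Added example,
not part of the sandbox output. DUMP_NAMES is constructed from entries above."""

import re
from collections import defaultdict

# Name shape: memory/<pid>-<dump index>-0x<start>-0x<end>-memory.dmp
DUMP = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

DUMP_NAMES = [
    "memory/2336-0-0x0000000010000000-0x0000000010020000-memory.dmp",
    "memory/2336-1-0x0000000010000000-0x0000000010020000-memory.dmp",
    "memory/2404-14-0x0000000000400000-0x0000000000412000-memory.dmp",
    "memory/2404-15-0x00000000006C0000-0x000000000177A000-memory.dmp",
    "memory/2404-19-0x00000000006C0000-0x000000000177A000-memory.dmp",
    "memory/2404-49-0x00000000005A0000-0x00000000005A1000-memory.dmp",
    "memory/2404-163-0x00000000006C0000-0x000000000177A000-memory.dmp",
    "memory/1116-32-0x0000000000260000-0x0000000000262000-memory.dmp",
    "memory/2776-88-0x0000000000400000-0x0000000000412000-memory.dmp",
    "memory/2776-175-0x0000000000930000-0x00000000019EA000-memory.dmp",
    "memory/2584-192-0x0000000000400000-0x0000000000412000-memory.dmp",
    r"C:\Users\Admin\AppData\Local\Temp\f7623f5.exe",  # a dropped file, not a dump
]


def parse_dump(name):
    """(pid, index, start, end) for a dump name, or None for anything else."""
    m = DUMP.match(name.strip())
    if not m:
        return None
    return int(m["pid"]), int(m["idx"]), int(m["start"], 16), int(m["end"], 16)


def regions_by_pid(names):
    """{pid: {(start, end): number of dumps taken of that range}}."""
    out = defaultdict(lambda: defaultdict(int))
    for name in names:
        parsed = parse_dump(name)
        if parsed:
            pid, _, start, end = parsed
            out[pid][(start, end)] += 1
    return {pid: dict(regs) for pid, regs in out.items()}


def largest_region(names, pid):
    """(start, end, size) of the biggest distinct range dumped from pid, or None."""
    regs = regions_by_pid(names).get(pid)
    if not regs:
        return None
    start, end = max(regs, key=lambda r: r[1] - r[0])
    return start, end, end - start


def recurring_sizes(names):
    """Sizes seen in more than one PID: {size: sorted [(pid, start)]}.
    Equal-size ranges in several processes usually mean the same image or the
    same allocation pattern, so they are where to compare dumps first."""
    by_size = defaultdict(set)
    for pid, regs in regions_by_pid(names).items():
        for start, end in regs:
            by_size[end - start].add((pid, start))
    return {size: sorted(v) for size, v in by_size.items()
            if len({pid for pid, _ in v}) > 1}


if __name__ == "__main__":
    for pid, regs in sorted(regions_by_pid(DUMP_NAMES).items()):
        for (start, end), n in sorted(regs.items()):
            print(f"PID {pid}: 0x{start:08X}-0x{end:08X} size 0x{end - start:X} ({n} dump(s))")
    for size, where in sorted(recurring_sizes(DUMP_NAMES).items()):
        print(f"size 0x{size:X} in:", ", ".join(f"PID {p} @0x{s:X}" for p, s in where))
```

The 0x10000000-0x10020000 region in PID 2336 is the SysWOW64 rundll32 host, and 0x10000000 is a common preferred base for a 32-bit DLL, so that is where the loaded sample DLL would be expected; the names alone do not prove it, and the dump contents would have to be checked.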

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 11:40

Reported

2024-06-17 11:43

Platform

win10v2004-20240611-en

Max time kernel

93s

Max time network

106s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e576830.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e576830.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e576830.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e576830.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576830.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576830.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576830.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576830.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e576830.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e576830.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (35 entries, none with an extracted indicator)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e576830.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576830.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576830.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e576830.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e576830.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576830.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576830.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e576830.exe N/A
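The registry tables in this run and in behavioral1 above show the same set of writes from each dropped EXE, on Windows 7 and Windows 10 alike: the StandardProfile firewall policy is switched off (EnableFirewall = 0, DoNotAllowExceptions = 0, DisableNotifications = 1), EnableLUA is set to 0, and the Security Center *DisableNotify and *Override values are set to 1 alongside a new Security Center\Svc key. Two caveats when reading the signature names: EnableLUA = 0 does not bypass an elevation prompt in the running session, it turns UAC off at the next logon, so "UAC bypass" here means "UAC disabled"; and the Security Center values land under Wow6432Node because the sample runs in the 32-bit SysWOW64 rundll32 host and HKLM\SOFTWARE writes from a 32-bit process are redirected there, so a check of only the native 64-bit view would miss them. The following Python is an added example, not part of the sandbox output: it parses rows of the shape used in these tables (both the "Set value (int)" and the "Key created" form) and produces, per process, the list of controls that were weakened. SAMPLE_ROWS is constructed from rows in the two runs; the control labels are my own wording. The same TAMPER table can be checked on a live host via winreg, which is not shown here.

```python
"""Turn the 'Set value (int)' and 'Key created' indicator rows of this report
into a per-process summary of which Windows security controls were weakened.
Added example, not part of the sandbox output. SAMPLE_ROWS is constructed
from rows in the behavioral1 (win7) and behavioral2 (win10) tables."""

import re
from collections import defaultdict

# Row shapes as they appear in the Signatures tables (the Target column is N/A).
SET_ROW = re.compile(
    r'^Set value \(int\) (?P<path>\\REGISTRY\\.+?) = "(?P<value>-?\d+)" (?P<proc>\S+) \S+$')
KEY_ROW = re.compile(r'^Key created (?P<path>\\REGISTRY\\.+) (?P<proc>\S+) \S+$')

# Leaf value name (lower-cased) -> (value that weakens the control, label).
# Security Center names are matched on the leaf only, so the native view and the
# Wow6432Node view written by this 32-bit sample both count. Labels are mine.
TAMPER = {
    "enablefirewall": (0, "Windows Firewall disabled"),
    "donotallowexceptions": (0, "firewall exceptions re-enabled"),
    "disablenotifications": (1, "firewall notifications suppressed (policy)"),
    "enablelua": (0, "UAC disabled (effective at next logon)"),
    "antivirusdisablenotify": (1, "AV notifications suppressed"),
    "firewalldisablenotify": (1, "firewall notifications suppressed (Security Center)"),
    "updatesdisablenotify": (1, "update notifications suppressed"),
    "uacdisablenotify": (1, "UAC notifications suppressed"),
    "antivirusoverride": (1, "AV status override set"),
    "firewalloverride": (1, "firewall status override set"),
}


def parse_rows(lines):
    """Yield (process, path, value) for Set value rows and (process, path, None)
    for Key created rows; header lines and other row types are skipped."""
    for line in lines:
        line = line.strip()
        m = SET_ROW.match(line)
        if m:
            yield m["proc"], m["path"], int(m["value"])
            continue
        m = KEY_ROW.match(line)
        if m:
            yield m["proc"], m["path"], None


def weakened_controls(lines):
    """Return {process: {control label: sorted list of registry paths}}."""
    found = defaultdict(lambda: defaultdict(set))
    for proc, path, value in parse_rows(lines):
        leaf = path.rsplit("\\", 1)[-1].lower()
        if value is None:
            if leaf == "svc" and "security center" in path.lower():
                found[proc]["Security Center\\Svc key created"].add(path)
        elif leaf in TAMPER and TAMPER[leaf][0] == value:
            found[proc][TAMPER[leaf][1]].add(path)
    return {p: {c: sorted(v) for c, v in d.items()} for p, d in found.items()}


SAMPLE_ROWS = [
    "Description Indicator Process Target",
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A',
    r'File created C:\Windows\f762481 C:\Users\Admin\AppData\Local\Temp\f7623f5.exe N/A',  # not a registry row; skipped
]


if __name__ == "__main__":
    for proc, controls in weakened_controls(SAMPLE_ROWS).items():
        print(proc)
        for label, paths in sorted(controls.items()):
            print(f"  {label}: {len(paths)} value(s)")
```

With the full tables as input, f7623f5.exe and f764846.exe (win7) and e574a38.exe and e576830.exe (win10) each come out with the same eleven entries, which is the point: the two dropped EXEs in each run are doing identical work, not complementary parts of it.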

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e576830.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e574a96 C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A
File created C:\Windows\e579c6f C:\Users\Admin\AppData\Local\Temp\e576830.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A (64 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1704 wrote to memory of 748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (3 identical entries)
PID 748 wrote to memory of 5016 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574a38.exe (3 identical entries)
PID 5016 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Windows\system32\fontdrvhost.exe
PID 5016 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Windows\system32\fontdrvhost.exe
PID 5016 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Windows\system32\dwm.exe
PID 5016 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Windows\system32\sihost.exe
PID 5016 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Windows\system32\svchost.exe
PID 5016 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Windows\system32\taskhostw.exe
PID 5016 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Windows\Explorer.EXE
PID 5016 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Windows\system32\svchost.exe
PID 5016 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Windows\system32\DllHost.exe
PID 5016 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 5016 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Windows\System32\RuntimeBroker.exe
PID 5016 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 5016 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Windows\System32\RuntimeBroker.exe
PID 5016 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Windows\System32\RuntimeBroker.exe
PID 5016 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 5016 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Windows\system32\backgroundTaskHost.exe
PID 5016 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Windows\system32\backgroundTaskHost.exe
PID 5016 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Windows\system32\rundll32.exe
PID 5016 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Windows\SysWOW64\rundll32.exe (2 identical entries)
PID 748 wrote to memory of 2824 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574c4b.exe (3 identical entries)
PID 748 wrote to memory of 744 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576830.exe (3 identical entries)
PID 5016 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Windows\system32\fontdrvhost.exe
PID 5016 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Windows\system32\fontdrvhost.exe
PID 5016 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Windows\system32\dwm.exe
PID 5016 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Windows\system32\sihost.exe
PID 5016 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Windows\system32\svchost.exe
PID 5016 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Windows\system32\taskhostw.exe
PID 5016 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Windows\Explorer.EXE
PID 5016 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Windows\system32\svchost.exe
PID 5016 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Windows\system32\DllHost.exe
PID 5016 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 5016 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Windows\System32\RuntimeBroker.exe
PID 5016 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 5016 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Windows\System32\RuntimeBroker.exe
PID 5016 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Windows\System32\RuntimeBroker.exe
PID 5016 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 5016 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Windows\system32\backgroundTaskHost.exe
PID 5016 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Users\Admin\AppData\Local\Temp\e574c4b.exe (2 identical entries)
PID 5016 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Windows\System32\RuntimeBroker.exe
PID 5016 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Windows\System32\RuntimeBroker.exe
PID 5016 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Users\Admin\AppData\Local\Temp\e576830.exe (2 identical entries)
PID 744 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\e576830.exe C:\Windows\system32\fontdrvhost.exe
PID 744 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\e576830.exe C:\Windows\system32\fontdrvhost.exe
PID 744 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\e576830.exe C:\Windows\system32\dwm.exe
PID 744 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\e576830.exe C:\Windows\system32\sihost.exe
PID 744 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\e576830.exe C:\Windows\system32\svchost.exe
PID 744 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\e576830.exe C:\Windows\system32\taskhostw.exe
PID 744 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\e576830.exe C:\Windows\Explorer.EXE
PID 744 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\e576830.exe C:\Windows\system32\svchost.exe
PID 744 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\e576830.exe C:\Windows\system32\DllHost.exe
PID 744 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\e576830.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
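The "wrote to memory of" rows above are flat, repeat the same write several times, and contain a cycle (5016 writes back into its loader 748), so the injection chain is hard to read off directly. The Python below is an added example, not part of the report or of any sandbox tooling: it counts writes per (source, target) pair, follows the hand-offs from the initial 64-bit rundll32 (PID 1704) through the 32-bit SysWOW64 rundll32 (748) to the dropped stages, and lists which system processes each stage injected into. SAMPLE_ROWS are a subset of the table above (one triplicate kept on purpose); treating images under the user's Temp directory or rundll32 as stages/loaders is this example's own heuristic, not something the report states.

```python
"""Rebuild the injection chain from a sandbox's "wrote to memory of" rows.

Added example; not part of the report or of any sandbox product. SAMPLE_ROWS
are a subset of the WriteProcessMemory table (one triplicate kept so that
de-duplication is exercised). Treating anything run from the user's Temp
directory, or rundll32, as a stage/loader is this example's own heuristic.
"""
import re
from collections import Counter, defaultdict

# Row shape:  PID <src> wrote to memory of <dst> N/A <src image> <dst image>
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

SAMPLE_ROWS = [  # copied from the report; subset
    r"PID 1704 wrote to memory of 748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe",
    r"PID 748 wrote to memory of 5016 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574a38.exe",
    r"PID 748 wrote to memory of 5016 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574a38.exe",
    r"PID 748 wrote to memory of 5016 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574a38.exe",
    r"PID 5016 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Windows\system32\fontdrvhost.exe",
    r"PID 5016 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Windows\system32\dwm.exe",
    r"PID 5016 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Windows\Explorer.EXE",
    r"PID 5016 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\e574a38.exe C:\Windows\SysWOW64\rundll32.exe",
    r"PID 748 wrote to memory of 2824 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574c4b.exe",
    r"PID 748 wrote to memory of 744 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576830.exe",
    r"PID 744 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\e576830.exe C:\Windows\system32\fontdrvhost.exe",
    r"PID 744 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\e576830.exe C:\Windows\Explorer.EXE",
]


def parse_rows(lines):
    """Return (edges, images): edges counts (src_pid, dst_pid) writes in first-seen
    order; images maps each PID to the image path the sandbox recorded for it."""
    edges, images = Counter(), {}
    for line in lines:
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # not a write row; ignore
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += 1
        images[src], images[dst] = m["src_img"], m["dst_img"]
    return edges, images


def is_stage(image):
    """Heuristic (assumption): a dropped stage lives in the user's Temp dir, or is the rundll32 loader."""
    low = image.lower()
    return "\\appdata\\local\\temp\\" in low or low.endswith("\\rundll32.exe")


def stage_chain(edges, images, root):
    """Follow writes from `root` into further stages/loaders. Returns
    [(src, dst, dst basename, write count)] in the order rows first appear.
    A visited set cuts cycles (5016 writes back into its loader 748)."""
    chain, seen, stack = [], {root}, [root]
    while stack:
        pid = stack.pop()
        for (src, dst), n in edges.items():
            if src != pid or dst in seen or not is_stage(images[dst]):
                continue
            seen.add(dst)
            chain.append((src, dst, images[dst].rsplit("\\", 1)[-1], n))
            stack.append(dst)
    return chain


def system_targets(edges, images):
    """Per injector PID, the distinct non-stage (system/shell) processes it wrote into."""
    hit = defaultdict(set)
    for src, dst in edges:
        if not is_stage(images[dst]):
            hit[src].add(dst)
    return {src: sorted(pids) for src, pids in hit.items()}


def shared_targets(edges, images):
    """System processes written into by more than one injector."""
    seen_by = defaultdict(set)
    for src, pids in system_targets(edges, images).items():
        for pid in pids:
            seen_by[pid].add(src)
    return {pid for pid, srcs in seen_by.items() if len(srcs) > 1}


if __name__ == "__main__":
    edges, images = parse_rows(SAMPLE_ROWS)
    for src, dst, name, n in stage_chain(edges, images, 1704):
        print(f"{src} -> {dst} ({name}) x{n}")
    print("system targets:", system_targets(edges, images))
    print("hit by more than one stage:", sorted(shared_targets(edges, images)))
```

On the full table the same functions give the complete picture: e574a38.exe (5016) and e576830.exe (744) each write into the same set of long-lived processes (fontdrvhost, dwm, sihost, svchost, taskhostw, Explorer, DllHost, RuntimeBroker and the SystemApps hosts), which is why the shared-target set, not any single write, is the useful triage signal.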

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e576830.exe N/A
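The registry rows in the signature tables above (EnableLUA set to "0" by both dropped stages, UpdatesDisableNotify set to "1" under WOW6432Node) have to be mapped back to the control being switched off before they mean anything in a triage note. The Python below is an added example, not part of the report or of any sandbox tooling: it parses rows in the report's flat "Set value" format, normalises the \REGISTRY\MACHINE prefix and the WOW6432Node redirected view, and returns, per process, which control was disabled. The CONTROLS table (including the firewall-policy values it lists) and the handling of WOW6432Node redirection are this example's own assumptions about Windows, not statements made by the report; SAMPLE_ROWS are copied from the tables above.

```python
"""Map sandbox registry-write rows to the Windows security control they turn off.

Added example; this code is not part of the report or of any sandbox product.
SAMPLE_ROWS are copied from the report's signature tables. The CONTROLS table
(which value means what) and the WOW6432Node handling are this example's own
assumptions about the Windows registry, not something the report states.
"""
import re
from collections import defaultdict

# Row shape:  Set value (int) \REGISTRY\MACHINE\<key>\<name> = "<data>" <process> N/A
ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>[^"]*)" (?P<proc>.+?) N/A$'
)

HIVES = {r"\REGISTRY\MACHINE": "HKLM", r"\REGISTRY\USER": "HKU"}

# (native key, value name, data) -> what a write with that data means.
# Value names are matched case-insensitively; data is compared as the string the sandbox logged.
CONTROLS = {
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "0"):
        "UAC disabled (EnableLUA=0; takes effect after the next reboot)",
    (r"HKLM\SOFTWARE\Microsoft\Security Center", "UpdatesDisableNotify", "1"):
        "Security Center update notifications silenced",
    (r"HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile", "EnableFirewall", "0"):
        "Windows Firewall disabled (standard profile)",
    (r"HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile", "DoNotAllowExceptions", "0"):
        "Firewall exceptions re-allowed (standard profile)",
}

# Rows copied from the report. The EnableLUA row for e574a38.exe is listed under two
# signatures there, so it appears twice here to exercise de-duplication.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576830.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e576830.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e574a38.exe N/A',
]


def normalize_key(path):
    """Split a sandbox path into (native key, value name, written_via_wow64).

    32-bit code on 64-bit Windows has most of its writes under the SOFTWARE hive
    redirected into the WOW6432Node subtree, and the sandbox logs that redirected
    path. The native key name is recovered so it can be matched against CONTROLS,
    and the redirection is reported because a 64-bit consumer of a redirected key
    reads the native view, not the WOW6432Node copy (assumption: key is redirected).
    """
    for prefix, abbrev in HIVES.items():
        if path.upper().startswith(prefix.upper()):
            path = abbrev + path[len(prefix):]
            break
    key, _, value_name = path.rpartition("\\")
    wow64 = "\\WOW6432NODE\\" in key.upper()
    if wow64:
        key = re.sub(r"(?i)\\WOW6432Node", "", key)
    return key, value_name, wow64


def classify_rows(lines):
    """Return {process: [finding, ...]} for rows that hit a control in CONTROLS, de-duplicated."""
    findings = defaultdict(list)
    for line in lines:
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # not a registry-write row
        key, name, wow64 = normalize_key(m["path"])
        for (ctl_key, ctl_name, ctl_data), meaning in CONTROLS.items():
            if (key.lower(), name.lower()) != (ctl_key.lower(), ctl_name.lower()):
                continue
            if m["data"] != ctl_data:
                continue  # e.g. EnableLUA = "1" would be a benign re-enable, not a finding
            note = meaning + (" [written through the WOW6432Node view]" if wow64 else "")
            if note not in findings[m["proc"]]:
                findings[m["proc"]].append(note)
    return dict(findings)


if __name__ == "__main__":
    for proc, notes in classify_rows(SAMPLE_ROWS).items():
        print(proc)
        for note in notes:
            print("   -", note)
```

Two details matter when reading the output. EnableLUA=0 does not switch UAC off for the running session; it is read at boot, so the bypass only lands after a reboot, which is why the report's later "UAC bypass" signature is worth correlating with persistence rather than treated as immediate. And the UpdatesDisableNotify write went through the WOW6432Node view because the writer is a 32-bit process spawned from SysWOW64\rundll32.exe; when reproducing on a 64-bit host, check both views before concluding the setting did not stick.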

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\862c887e24b533c22fa126f1e9c3b400_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\862c887e24b533c22fa126f1e9c3b400_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\e574a38.exe

C:\Users\Admin\AppData\Local\Temp\e574a38.exe

C:\Users\Admin\AppData\Local\Temp\e574c4b.exe

C:\Users\Admin\AppData\Local\Temp\e574c4b.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e576830.exe

C:\Users\Admin\AppData\Local\Temp\e576830.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
BE 88.221.83.209:443 www.bing.com tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 52.111.227.13:443 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/748-1-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e574a38.exe

MD5 901b9c139880852fa647ba07ca29e913
SHA1 0af1cf802875f64944964533fca60fc4ce452953
SHA256 a63487925ac935443e113a4d42d3bee9a62ff22afa7ed66cd8867398e05648f5
SHA512 83ffdc3cff2373a10212990cfd215900fa46d5965a7808343d13c27f845fa87961a3a64123a7be44619f486b3809256ad29bc32526743fdef16f748deb402bbe

memory/5016-4-0x0000000000400000-0x0000000000412000-memory.dmp

memory/5016-6-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/5016-8-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/5016-14-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/5016-12-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/5016-13-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/5016-29-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/5016-20-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/5016-34-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2824-36-0x0000000000400000-0x0000000000412000-memory.dmp

memory/5016-35-0x0000000001BF0000-0x0000000001BF2000-memory.dmp

memory/748-28-0x0000000000C30000-0x0000000000C32000-memory.dmp

memory/5016-26-0x00000000040F0000-0x00000000040F1000-memory.dmp

memory/748-22-0x0000000000C30000-0x0000000000C32000-memory.dmp

memory/748-21-0x0000000000C30000-0x0000000000C32000-memory.dmp

memory/5016-31-0x0000000001BF0000-0x0000000001BF2000-memory.dmp

memory/748-30-0x00000000025F0000-0x00000000025F1000-memory.dmp

memory/5016-10-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/5016-11-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/5016-9-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/5016-37-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/5016-38-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/5016-39-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/5016-41-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/5016-40-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/5016-43-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/5016-44-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/744-52-0x0000000000400000-0x0000000000412000-memory.dmp

memory/5016-53-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/5016-54-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/5016-56-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/744-63-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/744-62-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2824-60-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2824-59-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/744-65-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2824-64-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/5016-66-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/5016-68-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/5016-71-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/5016-72-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/5016-75-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/5016-76-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/5016-79-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/5016-80-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/5016-81-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/5016-82-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/5016-88-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/5016-97-0x0000000001BF0000-0x0000000001BF2000-memory.dmp

memory/5016-108-0x0000000000400000-0x0000000000412000-memory.dmp

memory/5016-90-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2824-112-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 734229ed517bfedcf2f1bdafaa65293a
SHA1 79c11f83ccd2459b881b4002ea35d781c20b7319
SHA256 f80371b4845660728d8f11c2c81471ee43e2ff1f10f6cc54d5b42ca613c5505e
SHA512 3db76ddaae0984ec5fdc1de5eb35777d68866a0ae00eb2cda0b83bd4f94f95efbda50888554669f493e9ef360bb9f70e741f943c7c084ba7f5ae1e7256ff5176

memory/744-124-0x0000000000B30000-0x0000000001BEA000-memory.dmp

memory/744-154-0x0000000000B30000-0x0000000001BEA000-memory.dmp

memory/744-155-0x0000000000400000-0x0000000000412000-memory.dmp