Malware Analysis Report

2024-09-11 12:18

Sample ID 240617-p49pkawark
Target 91e0a3e73a08a7abdf6d07ff19b15c90_NeikiAnalytics.exe
SHA256 eb2eb503009e42a50816d7c298fb0a03149d9d366b46dbeec1955872d0f39cc2
Tags sality backdoor evasion trojan upx
Score 10/10

Analysis Overview

Score 10/10

SHA256

eb2eb503009e42a50816d7c298fb0a03149d9d366b46dbeec1955872d0f39cc2

Threat Level: Known bad

The file 91e0a3e73a08a7abdf6d07ff19b15c90_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Modifies firewall policy service

UAC bypass

Windows security bypass

Sality

Executes dropped EXE

Loads dropped DLL

Windows security modification

UPX packed file

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-17 12:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 12:54

Reported

2024-06-17 12:56

Platform

win7-20240508-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Windows\system32\Dwm.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f761f05 C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
File created C:\Windows\f766eca C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3012 wrote to memory of 3024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3012 wrote to memory of 3024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3012 wrote to memory of 3024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3012 wrote to memory of 3024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3012 wrote to memory of 3024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3012 wrote to memory of 3024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3012 wrote to memory of 3024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3024 wrote to memory of 3020 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761e98.exe
PID 3024 wrote to memory of 3020 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761e98.exe
PID 3024 wrote to memory of 3020 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761e98.exe
PID 3024 wrote to memory of 3020 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761e98.exe
PID 3020 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\f761e98.exe C:\Windows\system32\Dwm.exe
PID 3020 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\f761e98.exe C:\Windows\system32\taskhost.exe
PID 3020 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\f761e98.exe C:\Windows\Explorer.EXE
PID 3020 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\f761e98.exe C:\Windows\system32\DllHost.exe
PID 3020 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\f761e98.exe C:\Windows\system32\rundll32.exe
PID 3020 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\f761e98.exe C:\Windows\SysWOW64\rundll32.exe
PID 3020 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\f761e98.exe C:\Windows\SysWOW64\rundll32.exe
PID 3024 wrote to memory of 2616 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76200e.exe
PID 3024 wrote to memory of 2616 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76200e.exe
PID 3024 wrote to memory of 2616 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76200e.exe
PID 3024 wrote to memory of 2616 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76200e.exe
PID 3024 wrote to memory of 2732 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763a14.exe
PID 3024 wrote to memory of 2732 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763a14.exe
PID 3024 wrote to memory of 2732 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763a14.exe
PID 3024 wrote to memory of 2732 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763a14.exe
PID 3020 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\f761e98.exe C:\Windows\system32\Dwm.exe
PID 3020 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\f761e98.exe C:\Windows\system32\taskhost.exe
PID 3020 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\f761e98.exe C:\Windows\Explorer.EXE
PID 3020 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\f761e98.exe C:\Users\Admin\AppData\Local\Temp\f76200e.exe
PID 3020 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\f761e98.exe C:\Users\Admin\AppData\Local\Temp\f76200e.exe
PID 3020 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\f761e98.exe C:\Users\Admin\AppData\Local\Temp\f763a14.exe
PID 3020 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\f761e98.exe C:\Users\Admin\AppData\Local\Temp\f763a14.exe
PID 2732 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\f763a14.exe C:\Windows\system32\Dwm.exe
PID 2732 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\f763a14.exe C:\Windows\system32\taskhost.exe
PID 2732 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\f763a14.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761e98.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763a14.exe N/A

Processes

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91e0a3e73a08a7abdf6d07ff19b15c90_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91e0a3e73a08a7abdf6d07ff19b15c90_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\f761e98.exe

C:\Users\Admin\AppData\Local\Temp\f761e98.exe

C:\Users\Admin\AppData\Local\Temp\f76200e.exe

C:\Users\Admin\AppData\Local\Temp\f76200e.exe

C:\Users\Admin\AppData\Local\Temp\f763a14.exe

C:\Users\Admin\AppData\Local\Temp\f763a14.exe

Network

N/A

Files

memory/3024-1-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f761e98.exe

MD5 f082e5fcb275607f93b1d0e192ab0c4c
SHA1 05b5ed58fba2a94fed2c5ff5a7d7e3af70607c39
SHA256 84eb852278eb0ba3b21d08a5381b6e1d1008ac48157e15eb0d3d9c60527f801d
SHA512 e0b161c7f5fd69061fe9c925373a435ba94263aeff32a36ab4a753946914cdd09540cdfcc1c813fd757a2120f9545a86c803236ca81b11709ce00035cca83972

memory/3020-10-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3024-9-0x0000000000660000-0x0000000000672000-memory.dmp

memory/3020-13-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/3020-14-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/3020-18-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/3020-19-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/3020-41-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/3020-21-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/3020-17-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/3020-15-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/3024-40-0x0000000000790000-0x0000000000791000-memory.dmp

memory/3020-22-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/3020-56-0x00000000003D0000-0x00000000003D2000-memory.dmp

memory/3020-55-0x00000000003D0000-0x00000000003D2000-memory.dmp

memory/3024-31-0x0000000000790000-0x0000000000791000-memory.dmp

memory/3024-30-0x0000000000780000-0x0000000000782000-memory.dmp

memory/1056-23-0x0000000000130000-0x0000000000132000-memory.dmp

memory/3020-20-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/2616-53-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3024-52-0x0000000000780000-0x0000000000782000-memory.dmp

memory/3024-51-0x0000000000890000-0x00000000008A2000-memory.dmp

memory/3020-16-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/3024-49-0x0000000000780000-0x0000000000782000-memory.dmp

memory/3020-61-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/3020-62-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/3020-63-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/3020-64-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/3020-65-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/3020-67-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/3020-68-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/3024-80-0x0000000000660000-0x0000000000672000-memory.dmp

memory/2732-81-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3024-77-0x0000000000780000-0x0000000000782000-memory.dmp

memory/3020-83-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/3020-84-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/3020-86-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/2732-101-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2732-100-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2616-95-0x0000000000220000-0x0000000000222000-memory.dmp

memory/2616-94-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2616-102-0x0000000000220000-0x0000000000222000-memory.dmp

memory/2732-103-0x0000000000260000-0x0000000000262000-memory.dmp

memory/3020-104-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/3020-105-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/3020-107-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/3020-118-0x0000000000640000-0x00000000016FA000-memory.dmp

memory/3020-152-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2616-157-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3020-153-0x0000000000640000-0x00000000016FA000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 ab606dfd8aa9d999da14235250df4a5b
SHA1 00cdb14ac077fddc34d169f4e45012e4b5654d6b
SHA256 de1eeb1c264f7fa357dd407151996850dc1f9d1ea9b2cc1cca633cf54650e3c1
SHA512 1b7d6b821d33060676506f662811490f3aeb4b5f848ed9becde3d76b01355d689f6ca068c937629d03dc3dd37fcea99bb1b35bbd4ec66e2adffbd79366c3af2e

memory/2732-172-0x00000000009A0000-0x0000000001A5A000-memory.dmp

memory/2732-208-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2732-207-0x00000000009A0000-0x0000000001A5A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 12:54

Reported

2024-06-17 12:56

Platform

win10v2004-20240611-en

Max time kernel

96s

Max time network

98s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e5760fc.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e5741eb.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e5741eb.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e5741eb.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e5760fc.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e5760fc.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5741eb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5760fc.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5741eb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5741eb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5741eb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5741eb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5760fc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5760fc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5741eb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5741eb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5760fc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5760fc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5760fc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5760fc.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5741eb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5741eb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e5741eb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5760fc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5760fc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5760fc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5760fc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5741eb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e5760fc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5760fc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5760fc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5741eb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5741eb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5741eb.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5741eb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5760fc.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e5741eb.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e5741eb.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e5741eb.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e5741eb.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e5741eb.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e5741eb.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e5741eb.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e5741eb.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e5741eb.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e5741eb.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e5760fc.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e5741eb.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e5760fc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e5741eb.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e5741eb.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e5741eb.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e574239 C:\Users\Admin\AppData\Local\Temp\e5741eb.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e5741eb.exe N/A
File created C:\Windows\e579328 C:\Users\Admin\AppData\Local\Temp\e5760fc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe N/A (this entry is repeated 64 times in the report)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2952 wrote to memory of 1748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (repeated 3 times)
PID 1748 wrote to memory of 3152 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5741eb.exe (repeated 3 times)
PID 3152 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Windows\system32\fontdrvhost.exe
PID 3152 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Windows\system32\fontdrvhost.exe
PID 3152 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Windows\system32\dwm.exe
PID 3152 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Windows\system32\sihost.exe
PID 3152 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Windows\system32\svchost.exe
PID 3152 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Windows\system32\taskhostw.exe
PID 3152 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Windows\Explorer.EXE
PID 3152 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Windows\system32\svchost.exe
PID 3152 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Windows\system32\DllHost.exe
PID 3152 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3152 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Windows\System32\RuntimeBroker.exe
PID 3152 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3152 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Windows\System32\RuntimeBroker.exe
PID 3152 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Windows\System32\RuntimeBroker.exe
PID 3152 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3152 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3152 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3152 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Windows\system32\rundll32.exe
PID 3152 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Windows\SysWOW64\rundll32.exe (repeated 2 times)
PID 1748 wrote to memory of 4624 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5743ee.exe (repeated 3 times)
PID 1748 wrote to memory of 5020 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5760fc.exe (repeated 3 times)
PID 3152 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Windows\system32\fontdrvhost.exe
PID 3152 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Windows\system32\fontdrvhost.exe
PID 3152 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Windows\system32\dwm.exe
PID 3152 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Windows\system32\sihost.exe
PID 3152 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Windows\system32\svchost.exe
PID 3152 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Windows\system32\taskhostw.exe
PID 3152 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Windows\Explorer.EXE
PID 3152 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Windows\system32\svchost.exe
PID 3152 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Windows\system32\DllHost.exe
PID 3152 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3152 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Windows\System32\RuntimeBroker.exe
PID 3152 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3152 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Windows\System32\RuntimeBroker.exe
PID 3152 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Windows\System32\RuntimeBroker.exe
PID 3152 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3152 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3152 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Users\Admin\AppData\Local\Temp\e5743ee.exe (repeated 2 times)
PID 3152 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Windows\System32\RuntimeBroker.exe
PID 3152 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Windows\System32\RuntimeBroker.exe
PID 3152 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Users\Admin\AppData\Local\Temp\e5760fc.exe (repeated 2 times)
PID 5020 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\e5760fc.exe C:\Windows\system32\fontdrvhost.exe
PID 5020 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\e5760fc.exe C:\Windows\system32\fontdrvhost.exe
PID 5020 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\e5760fc.exe C:\Windows\system32\dwm.exe
PID 5020 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\e5760fc.exe C:\Windows\system32\sihost.exe
PID 5020 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\e5760fc.exe C:\Windows\system32\svchost.exe
PID 5020 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\e5760fc.exe C:\Windows\system32\taskhostw.exe
PID 5020 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\e5760fc.exe C:\Windows\Explorer.EXE
PID 5020 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\e5760fc.exe C:\Windows\system32\svchost.exe
PID 5020 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\e5760fc.exe C:\Windows\system32\DllHost.exe
PID 5020 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\e5760fc.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5741eb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5760fc.exe N/A
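The signature tables above are flattened "Description Indicator Process Target" rows, and the same EnableLUA write is reported twice (once as "Windows security modification", once as "System policy modification"), while the WriteProcessMemory table lists the same injection several times over. The following is an added example, not the sandbox vendor's code or anything shipped with the report: a Python triage script that parses rows in this layout, flags the security-policy registry writes, separates the PE files the sample opened for writing from ordinary drops (Sality is a file infector, so writes to existing executables under Program Files are the infection footprint), and collapses the injection rows into a per-PID graph so the alerting signal is the fan-out of one process into every session process rather than any single write. The regular expressions are written for this report's layout only (an assumption about the format, not a general parser), the sample rows are constructed from the layout above, and the ATT&CK technique IDs in the comments are the standard mappings for each behaviour.

```python
import re
from collections import Counter, defaultdict

# Constructed sample rows in the flattened "Description Indicator Process Target"
# layout used by the report; input data for this example, not its full event list.
ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5741eb.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e5741eb.exe N/A',
    r'File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e5741eb.exe N/A',
    r'File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e5741eb.exe N/A',
    r'File created C:\Windows\e574239 C:\Users\Admin\AppData\Local\Temp\e5741eb.exe N/A',
    r'PID 2952 wrote to memory of 1748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe',
    r'PID 2952 wrote to memory of 1748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe',
    r'PID 1748 wrote to memory of 3152 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5741eb.exe',
    r'PID 3152 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Windows\system32\dwm.exe',
    r'PID 3152 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Windows\Explorer.EXE',
    r'PID 3152 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\e5741eb.exe C:\Windows\system32\dwm.exe',
]

# Row patterns tailored to this report's layout (assumption: process paths carry
# no spaces, which lets \S+ delimit them; file paths may, so they are non-greedy).
REG_RE = re.compile(r'^Set value \(\w+\) (?P<key>\\REGISTRY\\.+)\\(?P<name>[^\\ ]+) = "(?P<data>[^"]*)" (?P<proc>\S+) (?P<target>\S+)$')
FILE_RE = re.compile(r'^File (?P<action>created|opened for modification|opened \(read-only\)) (?P<path>.+?) (?P<proc>\S+) (?P<target>\S+)$')
WPM_RE = re.compile(r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$')

# Value name + data pairs that weaken the host's own defences.
POLICY_TAMPER = {
    ("EnableLUA", "0"): "UAC disabled (ATT&CK T1548.002 / T1112)",
    ("EnableFirewall", "0"): "Windows Firewall profile disabled (T1562.004)",
    ("DoNotAllowExceptions", "0"): "firewall exceptions re-enabled (T1562.004)",
}


def policy_tampering(rows):
    """Return (process, value name, meaning) for every security-policy write."""
    hits = []
    for row in rows:
        m = REG_RE.match(row)
        if m and (m["name"], m["data"]) in POLICY_TAMPER:
            hits.append((m["proc"], m["name"], POLICY_TAMPER[(m["name"], m["data"])]))
    return hits


def infected_files(rows):
    """Existing executables (and SYSTEM.INI, a legacy config file the sample has
    no legitimate reason to write) that were opened for modification; for a PE
    file infector these are the files to re-image, not just delete."""
    out = []
    for row in rows:
        m = FILE_RE.match(row)
        if m and m["action"] == "opened for modification":
            p = m["path"].lower()
            if p.endswith(".exe") or p.endswith("system.ini"):
                out.append((m["proc"], m["path"]))
    return out


def injection_graph(rows):
    """Collapse repeated WriteProcessMemory rows into
    {src_pid: Counter{(dst_pid, dst_image): writes}}."""
    graph = defaultdict(Counter)
    for row in rows:
        m = WPM_RE.match(row)
        if m:
            graph[m["src"]][(m["dst"], m["dst_img"])] += 1
    return graph


def injectors(rows, min_targets=2):
    """PIDs that wrote into at least min_targets other processes, as
    (pid, distinct targets, targets under C:\\Windows), most prolific first.
    Process injection is ATT&CK T1055; the fan-out is the detection signal."""
    found = []
    for src, targets in injection_graph(rows).items():
        distinct = [t for t in targets if t[0] != src]
        if len(distinct) >= min_targets:
            system = sum(1 for _, img in distinct if img.lower().startswith("c:\\windows\\"))
            found.append((src, len(distinct), system))
    return sorted(found, key=lambda r: -r[1])


if __name__ == "__main__":
    for hit in policy_tampering(ROWS):
        print("policy:", *hit)
    for proc, path in infected_files(ROWS):
        print("modified PE/config:", path, "by", proc)
    for pid, n, system in injectors(ROWS):
        print(f"injector PID {pid}: {n} targets, {system} under C:\\Windows")
```

Run over the full tables rather than the sample rows, `injectors()` reduces the long WriteProcessMemory list to the three PIDs that matter (the rundll32 loader pair and the dropped e5741eb.exe/e5760fc.exe), and `infected_files()` turns "Drops file in Program Files directory" into a re-image list; the registry hits are the two keys to restore (EnableLUA and the StandardProfile firewall values) before the host is trusted again.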

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91e0a3e73a08a7abdf6d07ff19b15c90_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\91e0a3e73a08a7abdf6d07ff19b15c90_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\e5741eb.exe

C:\Users\Admin\AppData\Local\Temp\e5741eb.exe

C:\Users\Admin\AppData\Local\Temp\e5743ee.exe

C:\Users\Admin\AppData\Local\Temp\e5743ee.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e5760fc.exe

C:\Users\Admin\AppData\Local\Temp\e5760fc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
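Almost every row in the network table is a reverse-DNS (in-addr.arpa) query sent to the resolver at 8.8.8.8, so the "Destination" column is the resolver, not a host the sample talked to; the only direct connection recorded is the TCP session to www.bing.com on 443. The following is an added example, not part of the report: a Python helper that decodes each in-addr.arpa name back to the forward IPv4 address it asks about, separates those lookups from real connections, and lists addresses that were reverse-resolved but never appear as a destination in the same capture, which is the set to check by hand. It assumes the four-column "Country Destination Domain Proto" layout shown above; the sample rows are constructed from that layout. A run with no C2 traffic only says none was observed in this detonation, not that the sample has none.

```python
import ipaddress

# Constructed sample rows in the report's "Country Destination Domain Proto" layout.
NETWORK_ROWS = [
    "US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp",
    "US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp",
    "NL 23.62.61.72:443 www.bing.com tcp",
    "US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp",
]


def decode_ptr(name):
    """Turn an in-addr.arpa query name back into the forward IPv4 address the
    lookup asks about, or return None if the name is not a reverse-lookup name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        # PTR names list the octets in reverse order.
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ValueError:
        return None


def split_network(rows):
    """Separate reverse-DNS queries from real connections.
    Returns (forward IPs that were looked up, [(destination, domain, proto)])."""
    looked_up, connections = [], []
    for row in rows:
        _country, dest, domain, proto = row.split()
        ip = decode_ptr(domain)
        if ip is not None:
            looked_up.append(ip)
        else:
            connections.append((dest, domain, proto))
    return looked_up, connections


def ptr_without_connection(rows):
    """Forward IPs that were reverse-resolved but never appear as a destination
    in the same capture; the table alone does not say who triggered the lookup."""
    looked_up, _ = split_network(rows)
    dests = {row.split()[1].rsplit(":", 1)[0] for row in rows}
    return [ip for ip in looked_up if ip not in dests]


if __name__ == "__main__":
    ips, conns = split_network(NETWORK_ROWS)
    print("reverse-resolved:", ips)
    print("direct connections:", conns)
    print("resolved but never contacted:", ptr_without_connection(NETWORK_ROWS))
```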

Files

memory/1748-1-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e5741eb.exe

MD5 f082e5fcb275607f93b1d0e192ab0c4c
SHA1 05b5ed58fba2a94fed2c5ff5a7d7e3af70607c39
SHA256 84eb852278eb0ba3b21d08a5381b6e1d1008ac48157e15eb0d3d9c60527f801d
SHA512 e0b161c7f5fd69061fe9c925373a435ba94263aeff32a36ab4a753946914cdd09540cdfcc1c813fd757a2120f9545a86c803236ca81b11709ce00035cca83972

memory/3152-5-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3152-8-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/3152-9-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/3152-15-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/1748-27-0x0000000000D80000-0x0000000000D82000-memory.dmp

memory/3152-21-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4624-36-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3152-35-0x00000000006B0000-0x00000000006B2000-memory.dmp

memory/3152-32-0x00000000006B0000-0x00000000006B2000-memory.dmp

memory/1748-31-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

memory/1748-30-0x0000000000D80000-0x0000000000D82000-memory.dmp

memory/3152-26-0x0000000004370000-0x0000000004371000-memory.dmp

memory/1748-23-0x0000000000D80000-0x0000000000D82000-memory.dmp

memory/3152-14-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/3152-12-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/3152-11-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/3152-10-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/3152-16-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/3152-6-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/3152-22-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/3152-37-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/3152-38-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/3152-39-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/3152-40-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/3152-41-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/5020-50-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3152-51-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/3152-52-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/5020-56-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/5020-58-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4624-54-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/4624-57-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/5020-60-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4624-59-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3152-61-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/3152-63-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/3152-65-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/3152-66-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/3152-67-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/3152-70-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/3152-72-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/3152-75-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/3152-76-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/3152-85-0x00000000006B0000-0x00000000006B2000-memory.dmp

memory/3152-80-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/3152-97-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4624-101-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 0440bb8781f3cfae32d9aed91c1c1efb
SHA1 b37ebd48c047e35394aafce6071d0ccfa135c517
SHA256 9ff4b1c87a4400fc94b5a76202299e2c80a4dc1f7d29006566406910af1e0a3f
SHA512 61229de7014952c05e5db33737ce0b49355255a0c596dc42f7e409c7046d27f8d2ed6f8b6168e84c09229ba8a4893e9f9ba2aa8c4c4fb0dfb7fe2792553edc78

memory/5020-113-0x0000000000B90000-0x0000000001C4A000-memory.dmp

memory/5020-146-0x0000000000400000-0x0000000000412000-memory.dmp

memory/5020-145-0x0000000000B90000-0x0000000001C4A000-memory.dmp