Malware Analysis Report

2024-09-11 12:18

Sample ID: 240617-sgzsmayenl
Target: a56de2fb2d9303f10fbc3a8c7b377e80_NeikiAnalytics.exe
SHA256: 3260b196ac825355fc18daf4364fc7814110a44540783aa535e89c13e1a0ebaf
Tags: sality, backdoor, evasion, trojan, upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 3260b196ac825355fc18daf4364fc7814110a44540783aa535e89c13e1a0ebaf

Threat Level: Known bad

The file a56de2fb2d9303f10fbc3a8c7b377e80_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

Tags: sality, backdoor, evasion, trojan, upx

Sality

UAC bypass

Modifies firewall policy service

Windows security bypass

Executes dropped EXE

Loads dropped DLL

UPX packed file

Windows security modification

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-17 15:06

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-17 15:06
Reported: 2024-06-17 15:09
Platform: win7-20240611-en
Max time kernel: 121s
Max time network: 121s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

Tags: evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\f763ca3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\f763ca3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\f763ca3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | N/A

Sality

Tags: backdoor, sality

UAC bypass

Tags: evasion, trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f763ca3.exe | N/A

Windows security bypass

Tags: evasion, trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f763ca3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f763ca3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f763ca3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f763ca3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f763ca3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f763ca3.exe | N/A

UPX packed file

Tags: upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A  (22 identical rows in the report; no indicator, process or target was recorded for this signature)

Windows security modification

Tags: evasion, trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f763ca3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f763ca3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f763ca3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f763ca3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\f763ca3.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f763ca3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f763ca3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | N/A

Checks whether UAC is enabled

Tags: evasion, trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f763ca3.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\f763ca3.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\f763ca3.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\f763ca3.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SYSTEM.INI | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | N/A
File created | C:\Windows\f766c5a | C:\Users\Admin\AppData\Local\Temp\f763ca3.exe | N/A
File created | C:\Windows\f761c76 | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f763ca3.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | N/A  (21 identical rows)
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f763ca3.exe | N/A  (20 identical rows)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2480 wrote to memory of 2264 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe  (7 identical rows)
PID 2264 wrote to memory of 2180 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f761c28.exe  (4 identical rows)
PID 2180 wrote to memory of 1284 | N/A | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | C:\Windows\system32\taskhost.exe
PID 2180 wrote to memory of 1356 | N/A | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | C:\Windows\system32\Dwm.exe
PID 2180 wrote to memory of 1392 | N/A | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | C:\Windows\Explorer.EXE
PID 2180 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | C:\Windows\system32\DllHost.exe
PID 2180 wrote to memory of 2480 | N/A | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | C:\Windows\system32\rundll32.exe
PID 2180 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | C:\Windows\SysWOW64\rundll32.exe  (2 identical rows)
PID 2264 wrote to memory of 2716 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f761d9e.exe  (4 identical rows)
PID 2264 wrote to memory of 2896 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f763ca3.exe  (4 identical rows)
PID 2180 wrote to memory of 1284 | N/A | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | C:\Windows\system32\taskhost.exe
PID 2180 wrote to memory of 1356 | N/A | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | C:\Windows\system32\Dwm.exe
PID 2180 wrote to memory of 1392 | N/A | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | C:\Windows\Explorer.EXE
PID 2180 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | C:\Users\Admin\AppData\Local\Temp\f761d9e.exe  (2 identical rows)
PID 2180 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | C:\Users\Admin\AppData\Local\Temp\f763ca3.exe  (2 identical rows)
PID 2896 wrote to memory of 1284 | N/A | C:\Users\Admin\AppData\Local\Temp\f763ca3.exe | C:\Windows\system32\taskhost.exe
PID 2896 wrote to memory of 1356 | N/A | C:\Users\Admin\AppData\Local\Temp\f763ca3.exe | C:\Windows\system32\Dwm.exe
PID 2896 wrote to memory of 1392 | N/A | C:\Users\Admin\AppData\Local\Temp\f763ca3.exe | C:\Windows\Explorer.EXE

System policy modification

Tags: evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f761c28.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f763ca3.exe | N/A

Processes

C:\Windows\system32\taskhost.exe
    Command line: "taskhost.exe"

C:\Windows\system32\Dwm.exe
    Command line: "C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe
    Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a56de2fb2d9303f10fbc3a8c7b377e80_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a56de2fb2d9303f10fbc3a8c7b377e80_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\f761c28.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\f761c28.exe

C:\Users\Admin\AppData\Local\Temp\f761d9e.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\f761d9e.exe

C:\Users\Admin\AppData\Local\Temp\f763ca3.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\f763ca3.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\f761c28.exe
    MD5: a023f93ff35f19c330b03d1607ae4ebc
    SHA1: 1f81c7767a772467237be96205716662381405aa
    SHA256: b75a87dec85f1f65389969923c931a8ef265553e33ce240e664c0d3baa3c398f
    SHA512: 07255ed31bbd217575c4479a4f1308b5366007e46c154b0602cffb54bf3f7025ea1715cc1fc3e5ba99d08a8eac2a3a16183d63b43351771494d78aa80ed37db9

Memory dumps (no hashes recorded in the report):
memory/2180-11-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2264-9-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2264-8-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2264-7-0x0000000010000000-0x0000000010020000-memory.dmp
memory/2180-13-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2180-12-0x00000000006A0000-0x000000000175A000-memory.dmp
memory/2180-20-0x00000000006A0000-0x000000000175A000-memory.dmp
memory/2264-38-0x0000000000200000-0x0000000000201000-memory.dmp
memory/2180-50-0x00000000002B0000-0x00000000002B2000-memory.dmp
memory/2264-57-0x00000000001F0000-0x00000000001F2000-memory.dmp
memory/2180-48-0x0000000000310000-0x0000000000311000-memory.dmp
memory/2264-47-0x0000000000200000-0x0000000000201000-memory.dmp
memory/2180-21-0x00000000006A0000-0x000000000175A000-memory.dmp
memory/2264-37-0x00000000001F0000-0x00000000001F2000-memory.dmp
memory/1284-25-0x0000000000310000-0x0000000000312000-memory.dmp
memory/2180-16-0x00000000006A0000-0x000000000175A000-memory.dmp
memory/2180-15-0x00000000006A0000-0x000000000175A000-memory.dmp
memory/2180-22-0x00000000006A0000-0x000000000175A000-memory.dmp
memory/2180-23-0x00000000006A0000-0x000000000175A000-memory.dmp
memory/2180-19-0x00000000006A0000-0x000000000175A000-memory.dmp
memory/2180-18-0x00000000006A0000-0x000000000175A000-memory.dmp
memory/2180-17-0x00000000006A0000-0x000000000175A000-memory.dmp
memory/2180-59-0x00000000006A0000-0x000000000175A000-memory.dmp
memory/2180-60-0x00000000006A0000-0x000000000175A000-memory.dmp
memory/2716-64-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2264-63-0x00000000001F0000-0x00000000001F2000-memory.dmp
memory/2264-62-0x0000000000300000-0x0000000000312000-memory.dmp
memory/2180-61-0x00000000002B0000-0x00000000002B2000-memory.dmp
memory/2180-65-0x00000000006A0000-0x000000000175A000-memory.dmp
memory/2180-66-0x00000000006A0000-0x000000000175A000-memory.dmp
memory/2180-69-0x00000000006A0000-0x000000000175A000-memory.dmp
memory/2180-70-0x00000000006A0000-0x000000000175A000-memory.dmp
memory/2180-71-0x00000000006A0000-0x000000000175A000-memory.dmp
memory/2180-72-0x00000000006A0000-0x000000000175A000-memory.dmp
memory/2896-85-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2264-79-0x0000000000340000-0x0000000000352000-memory.dmp
memory/2180-88-0x00000000006A0000-0x000000000175A000-memory.dmp
memory/2180-89-0x00000000006A0000-0x000000000175A000-memory.dmp
memory/2716-97-0x00000000003E0000-0x00000000003E2000-memory.dmp
memory/2716-96-0x00000000003F0000-0x00000000003F1000-memory.dmp
memory/2896-104-0x0000000000260000-0x0000000000262000-memory.dmp
memory/2896-103-0x00000000002B0000-0x00000000002B1000-memory.dmp
memory/2716-105-0x00000000003E0000-0x00000000003E2000-memory.dmp
memory/2896-106-0x0000000000260000-0x0000000000262000-memory.dmp

C:\Windows\SYSTEM.INI
    MD5: 1591e1e6ee4dcf817c1d589491b8be41
    SHA1: 106611eadc09677de1f24bf745c698b468d42621
    SHA256: ee4df479d775fa565940ec3f94503b3ff56913728160a9e17b8b5602107ddb0e
    SHA512: dafeb4e8f6a6a2abebfb47a4e348315709ecb9fd14cff8c3c99327c0f68dce8ae4063b49292091d4a3155d982ad4613ba0bf8f5f715424a95258e79f622d4bad

Memory dumps (no hashes recorded in the report):
memory/2896-160-0x0000000000950000-0x0000000001A0A000-memory.dmp
memory/2716-175-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2896-205-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2896-204-0x0000000000950000-0x0000000001A0A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-17 15:06
Reported: 2024-06-17 15:09
Platform: win10v2004-20240508-en
Max time kernel: 52s
Max time network: 61s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

Tags: evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\e574297.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\e574297.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\e576ef6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\e576ef6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\e574297.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\e57440e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\e57440e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\e57440e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\e576ef6.exe | N/A

Sality

Tags: backdoor, sality

UAC bypass

Tags: evasion, trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e574297.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e57440e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e576ef6.exe | N/A

Windows security bypass

Tags: evasion, trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e574297.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57440e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e576ef6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e576ef6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e576ef6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e576ef6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e576ef6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e574297.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e574297.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e57440e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57440e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e576ef6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e574297.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e574297.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e574297.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57440e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e57440e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57440e.exe | N/A

UPX packed file

Tags: upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A  (30 identical rows in the report; no indicator, process or target was recorded for this signature)

Windows security modification

Tags: evasion, trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e574297.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e574297.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e574297.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e574297.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e576ef6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e576ef6.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\e57440e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e576ef6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e576ef6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e576ef6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e574297.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e574297.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e57440e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57440e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e576ef6.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57440e.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\e576ef6.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\e574297.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57440e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e57440e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e57440e.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57440e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e576ef6.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e57440e.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e5742d5 C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
File created C:\Windows\e5793b4 C:\Users\Admin\AppData\Local\Temp\e57440e.exe N/A
File created C:\Windows\e57bc7a C:\Users\Admin\AppData\Local\Temp\e576ef6.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1816 wrote to memory of 3640 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1816 wrote to memory of 3640 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1816 wrote to memory of 3640 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3640 wrote to memory of 60 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574297.exe
PID 3640 wrote to memory of 60 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574297.exe
PID 3640 wrote to memory of 60 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574297.exe
PID 60 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe C:\Windows\system32\fontdrvhost.exe
PID 60 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe C:\Windows\system32\fontdrvhost.exe
PID 60 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe C:\Windows\system32\dwm.exe
PID 60 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe C:\Windows\system32\sihost.exe
PID 60 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe C:\Windows\system32\svchost.exe
PID 60 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe C:\Windows\system32\taskhostw.exe
PID 60 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe C:\Windows\Explorer.EXE
PID 60 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe C:\Windows\system32\svchost.exe
PID 60 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe C:\Windows\system32\DllHost.exe
PID 60 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 60 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe C:\Windows\System32\RuntimeBroker.exe
PID 60 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 60 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe C:\Windows\System32\RuntimeBroker.exe
PID 60 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe C:\Windows\System32\RuntimeBroker.exe
PID 60 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 60 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe C:\Windows\system32\backgroundTaskHost.exe
PID 60 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe C:\Windows\system32\rundll32.exe
PID 60 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe C:\Windows\SysWOW64\rundll32.exe
PID 60 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe C:\Windows\SysWOW64\rundll32.exe
PID 3640 wrote to memory of 2916 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57440e.exe
PID 3640 wrote to memory of 2916 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57440e.exe
PID 3640 wrote to memory of 2916 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57440e.exe
PID 60 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe C:\Windows\system32\fontdrvhost.exe
PID 60 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe C:\Windows\system32\fontdrvhost.exe
PID 60 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe C:\Windows\system32\dwm.exe
PID 60 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe C:\Windows\system32\sihost.exe
PID 60 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe C:\Windows\system32\svchost.exe
PID 60 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe C:\Windows\system32\taskhostw.exe
PID 60 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe C:\Windows\Explorer.EXE
PID 60 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe C:\Windows\system32\svchost.exe
PID 60 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe C:\Windows\system32\DllHost.exe
PID 60 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 60 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe C:\Windows\System32\RuntimeBroker.exe
PID 60 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 60 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe C:\Windows\System32\RuntimeBroker.exe
PID 60 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe C:\Windows\System32\RuntimeBroker.exe
PID 60 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 60 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe C:\Windows\system32\backgroundTaskHost.exe
PID 60 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe C:\Windows\system32\rundll32.exe
PID 60 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe C:\Users\Admin\AppData\Local\Temp\e57440e.exe
PID 60 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe C:\Users\Admin\AppData\Local\Temp\e57440e.exe
PID 60 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe C:\Windows\System32\RuntimeBroker.exe
PID 60 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\e574297.exe C:\Windows\System32\RuntimeBroker.exe
PID 3640 wrote to memory of 1792 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576ee6.exe
PID 3640 wrote to memory of 1792 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576ee6.exe
PID 3640 wrote to memory of 1792 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576ee6.exe
PID 3640 wrote to memory of 3404 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576ef6.exe
PID 3640 wrote to memory of 3404 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576ef6.exe
PID 3640 wrote to memory of 3404 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576ef6.exe
PID 2916 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\e57440e.exe C:\Windows\system32\fontdrvhost.exe
PID 2916 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\e57440e.exe C:\Windows\system32\fontdrvhost.exe
PID 2916 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\e57440e.exe C:\Windows\system32\dwm.exe
PID 2916 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\e57440e.exe C:\Windows\system32\sihost.exe
PID 2916 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\e57440e.exe C:\Windows\system32\svchost.exe
PID 2916 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\e57440e.exe C:\Windows\system32\taskhostw.exe
PID 2916 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\e57440e.exe C:\Windows\Explorer.EXE
PID 2916 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\e57440e.exe C:\Windows\system32\svchost.exe
PID 2916 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\e57440e.exe C:\Windows\system32\DllHost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e576ef6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e574297.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57440e.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\a56de2fb2d9303f10fbc3a8c7b377e80_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\a56de2fb2d9303f10fbc3a8c7b377e80_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\e574297.exe

C:\Users\Admin\AppData\Local\Temp\e574297.exe

C:\Users\Admin\AppData\Local\Temp\e57440e.exe

C:\Users\Admin\AppData\Local\Temp\e57440e.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e576ee6.exe

C:\Users\Admin\AppData\Local\Temp\e576ee6.exe

C:\Users\Admin\AppData\Local\Temp\e576ef6.exe

C:\Users\Admin\AppData\Local\Temp\e576ef6.exe

Network

Files

memory/3640-0-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e574297.exe

MD5 a023f93ff35f19c330b03d1607ae4ebc
SHA1 1f81c7767a772467237be96205716662381405aa
SHA256 b75a87dec85f1f65389969923c931a8ef265553e33ce240e664c0d3baa3c398f
SHA512 07255ed31bbd217575c4479a4f1308b5366007e46c154b0602cffb54bf3f7025ea1715cc1fc3e5ba99d08a8eac2a3a16183d63b43351771494d78aa80ed37db9

memory/60-5-0x0000000000400000-0x0000000000412000-memory.dmp

memory/60-6-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/60-17-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/60-10-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/60-24-0x00000000005C0000-0x00000000005C1000-memory.dmp

memory/3640-21-0x00000000036C0000-0x00000000036C2000-memory.dmp

memory/60-9-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/60-8-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/60-18-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/60-32-0x00000000005B0000-0x00000000005B2000-memory.dmp

memory/60-20-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/2916-35-0x0000000000400000-0x0000000000412000-memory.dmp

memory/60-30-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/60-31-0x00000000005B0000-0x00000000005B2000-memory.dmp

memory/60-19-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/3640-29-0x00000000036C0000-0x00000000036C2000-memory.dmp

memory/3640-28-0x0000000003750000-0x0000000003751000-memory.dmp

memory/3640-27-0x00000000036C0000-0x00000000036C2000-memory.dmp

memory/60-11-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/60-33-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/60-37-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/60-38-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/60-39-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/60-40-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/60-41-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/2916-44-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2916-43-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2916-45-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1792-52-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3404-59-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3640-55-0x00000000036C0000-0x00000000036C2000-memory.dmp

memory/60-60-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/60-61-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/60-63-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/60-64-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/60-66-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/60-68-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/60-69-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/60-71-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/60-73-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/60-83-0x00000000005B0000-0x00000000005B2000-memory.dmp

memory/60-94-0x0000000000400000-0x0000000000412000-memory.dmp

memory/60-77-0x00000000007D0000-0x000000000188A000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 0743286062abaf41ada5c0fdb12a20c3
SHA1 d98454eed7f125acd5f146d61a3c2bb356348cb1
SHA256 c10898cdaad07b99bcac8c5dddc5fb6ee57df0ab6351d4e6850d64f9bee8deab
SHA512 04d0b425f3ac736f792feb61fd85db79f1839cdc4ee0a4ea045075dfe197ae148504dc5b29aa9abdde7171f55c69684e9cfddf1b8f2531e75567affe5030c4aa

memory/2916-97-0x0000000000B90000-0x0000000001C4A000-memory.dmp

memory/2916-95-0x0000000000B90000-0x0000000001C4A000-memory.dmp

memory/2916-115-0x0000000000B90000-0x0000000001C4A000-memory.dmp

memory/2916-142-0x0000000000B90000-0x0000000001C4A000-memory.dmp

memory/2916-143-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1792-162-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3404-175-0x0000000000400000-0x0000000000412000-memory.dmp