Malware Analysis Report

2024-09-11 12:22

Sample ID 240612-p336dsygrl
Target 3bd7c5a658a65f69c77c978c71d4c570_NeikiAnalytics.exe
SHA256 45b9e9c9a68db93aba272564e91091e36dc61f7cf3c1e390229a2ff164f35e0a
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

45b9e9c9a68db93aba272564e91091e36dc61f7cf3c1e390229a2ff164f35e0a

Threat Level: Known bad

The file 3bd7c5a658a65f69c77c978c71d4c570_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Sality

Modifies firewall policy service

Windows security bypass

UAC bypass

Executes dropped EXE

UPX packed file

Loads dropped DLL

Windows security modification

Enumerates connected drives

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Create or Modify System Process
T1543
Windows Service
T1543.003
Privilege Escalation
TA0004
Create or Modify System Process
T1543
Windows Service
T1543.003
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Defense Evasion
TA0005
Modify Registry
T1112
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Impair Defenses
T1562
Disable or Modify Tools
T1562.001
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Peripheral Device Discovery
T1120
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-12 12:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 12:52

Reported

2024-06-12 12:54

Platform

win7-20240611-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Windows\system32\Dwm.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f762a8a.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f760f2d C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
File created C:\Windows\f765f30 C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2856 wrote to memory of 2904 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2856 wrote to memory of 2904 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2856 wrote to memory of 2904 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2856 wrote to memory of 2904 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2856 wrote to memory of 2904 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2856 wrote to memory of 2904 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2856 wrote to memory of 2904 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2904 wrote to memory of 2908 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760edf.exe
PID 2904 wrote to memory of 2908 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760edf.exe
PID 2904 wrote to memory of 2908 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760edf.exe
PID 2904 wrote to memory of 2908 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760edf.exe
PID 2908 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\f760edf.exe C:\Windows\system32\Dwm.exe
PID 2908 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\f760edf.exe C:\Windows\system32\taskhost.exe
PID 2908 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\f760edf.exe C:\Windows\Explorer.EXE
PID 2908 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\f760edf.exe C:\Windows\system32\DllHost.exe
PID 2908 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\f760edf.exe C:\Windows\system32\rundll32.exe
PID 2908 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\f760edf.exe C:\Windows\SysWOW64\rundll32.exe
PID 2908 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\f760edf.exe C:\Windows\SysWOW64\rundll32.exe
PID 2904 wrote to memory of 1616 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761046.exe
PID 2904 wrote to memory of 1616 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761046.exe
PID 2904 wrote to memory of 1616 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761046.exe
PID 2904 wrote to memory of 1616 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761046.exe
PID 2904 wrote to memory of 2544 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762a8a.exe
PID 2904 wrote to memory of 2544 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762a8a.exe
PID 2904 wrote to memory of 2544 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762a8a.exe
PID 2904 wrote to memory of 2544 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762a8a.exe
PID 2908 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\f760edf.exe C:\Windows\system32\Dwm.exe
PID 2908 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\f760edf.exe C:\Windows\system32\taskhost.exe
PID 2908 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\f760edf.exe C:\Windows\Explorer.EXE
PID 2908 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\f760edf.exe C:\Users\Admin\AppData\Local\Temp\f761046.exe
PID 2908 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\f760edf.exe C:\Users\Admin\AppData\Local\Temp\f761046.exe
PID 2908 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\f760edf.exe C:\Users\Admin\AppData\Local\Temp\f762a8a.exe
PID 2908 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\f760edf.exe C:\Users\Admin\AppData\Local\Temp\f762a8a.exe
PID 1616 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\f761046.exe C:\Windows\system32\Dwm.exe
PID 1616 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\f761046.exe C:\Windows\system32\taskhost.exe
PID 1616 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\f761046.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760edf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761046.exe N/A

Processes

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3bd7c5a658a65f69c77c978c71d4c570_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3bd7c5a658a65f69c77c978c71d4c570_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\f760edf.exe

C:\Users\Admin\AppData\Local\Temp\f760edf.exe

C:\Users\Admin\AppData\Local\Temp\f761046.exe

C:\Users\Admin\AppData\Local\Temp\f761046.exe

C:\Users\Admin\AppData\Local\Temp\f762a8a.exe

C:\Users\Admin\AppData\Local\Temp\f762a8a.exe

Network

N/A

Files

memory/2904-1-0x0000000010000000-0x0000000010020000-memory.dmp

\Users\Admin\AppData\Local\Temp\f760edf.exe

MD5 d2845293b2a489981a73b167e96e2d17
SHA1 a7806af3972231a9443b906deff0ae3cf0c549c3
SHA256 094cef5abcd1655cd642298d74c5326dabafd925ccd339b9ef7f752dc537741a
SHA512 b32536b35808aafd6fdb7035d7db790c45b1dd634b35b86ff6bbe915e3e9cbaf2d83daf5566b272ad2460ba3fdc07ca4bf6d97794273c9e42000de7cc281c07c

memory/2904-10-0x0000000000220000-0x0000000000232000-memory.dmp

memory/2908-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2904-9-0x0000000000220000-0x0000000000232000-memory.dmp

memory/2908-14-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2908-16-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2908-18-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2908-20-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2908-17-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2908-22-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2908-49-0x0000000000330000-0x0000000000332000-memory.dmp

memory/2904-53-0x0000000000380000-0x0000000000392000-memory.dmp

memory/2908-52-0x0000000000330000-0x0000000000332000-memory.dmp

memory/2908-47-0x00000000005A0000-0x00000000005A1000-memory.dmp

memory/2904-46-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2904-38-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2904-37-0x0000000000230000-0x0000000000232000-memory.dmp

memory/1036-25-0x0000000002190000-0x0000000002192000-memory.dmp

memory/2908-19-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2908-15-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2908-23-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2908-21-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2904-58-0x0000000000230000-0x0000000000232000-memory.dmp

memory/1616-62-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2904-61-0x0000000000230000-0x0000000000232000-memory.dmp

memory/2904-60-0x0000000000380000-0x0000000000392000-memory.dmp

memory/2908-63-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2908-64-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2908-65-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2908-67-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2908-66-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2908-69-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2544-81-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2904-78-0x0000000000230000-0x0000000000232000-memory.dmp

memory/2908-82-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2908-83-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2908-85-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/1616-95-0x00000000003E0000-0x00000000003E2000-memory.dmp

memory/1616-94-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2544-101-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2544-100-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2544-103-0x0000000000260000-0x0000000000262000-memory.dmp

memory/1616-102-0x00000000003E0000-0x00000000003E2000-memory.dmp

memory/2908-104-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2908-106-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2908-107-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2908-146-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2908-145-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2908-144-0x0000000000330000-0x0000000000332000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 48e987c5edd69a23787ffdaf428f0f65
SHA1 92c8b6b8b9e749e64e7d39d4b5fd3839b55eb36f
SHA256 ec8258c0dedc884d9bf52fc31e3299f5aa1c9498308307b38f0081e231b24e8f
SHA512 4450b64e26631a90375d274e98cd5d81bb63fcdda731bfd2013f7bb0d85e8a2faebf2fc7574679306bfecb3f51b7b18bbd72c13380ff56269721acd9dc4cc88a

memory/1616-158-0x0000000000910000-0x00000000019CA000-memory.dmp

memory/1616-179-0x0000000000910000-0x00000000019CA000-memory.dmp

memory/1616-180-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2544-184-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 12:52

Reported

2024-06-12 12:54

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e57539e.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e57539e.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e57539e.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57539e.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57539e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57539e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57539e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57539e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57539e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57539e.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e573885.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e57539e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5753bd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57539e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57539e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57539e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57539e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57539e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57539e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57539e.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57539e.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e5737e8 C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
File created C:\Windows\e57a21c C:\Users\Admin\AppData\Local\Temp\e57539e.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3584 wrote to memory of 3732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3584 wrote to memory of 3732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3584 wrote to memory of 3732 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3732 wrote to memory of 4428 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57379a.exe
PID 3732 wrote to memory of 4428 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57379a.exe
PID 3732 wrote to memory of 4428 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57379a.exe
PID 4428 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Windows\system32\fontdrvhost.exe
PID 4428 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Windows\system32\fontdrvhost.exe
PID 4428 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Windows\system32\dwm.exe
PID 4428 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Windows\system32\sihost.exe
PID 4428 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Windows\system32\svchost.exe
PID 4428 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Windows\system32\taskhostw.exe
PID 4428 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Windows\Explorer.EXE
PID 4428 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Windows\system32\svchost.exe
PID 4428 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Windows\system32\DllHost.exe
PID 4428 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4428 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Windows\System32\RuntimeBroker.exe
PID 4428 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4428 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Windows\System32\RuntimeBroker.exe
PID 4428 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4428 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Windows\System32\RuntimeBroker.exe
PID 4428 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4428 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Windows\system32\rundll32.exe
PID 4428 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Windows\SysWOW64\rundll32.exe
PID 4428 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Windows\SysWOW64\rundll32.exe
PID 3732 wrote to memory of 3616 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e573885.exe
PID 3732 wrote to memory of 3616 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e573885.exe
PID 3732 wrote to memory of 3616 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e573885.exe
PID 3732 wrote to memory of 5012 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57539e.exe
PID 3732 wrote to memory of 5012 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57539e.exe
PID 3732 wrote to memory of 5012 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57539e.exe
PID 3732 wrote to memory of 744 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5753bd.exe
PID 3732 wrote to memory of 744 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5753bd.exe
PID 3732 wrote to memory of 744 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5753bd.exe
PID 4428 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Windows\system32\fontdrvhost.exe
PID 4428 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Windows\system32\fontdrvhost.exe
PID 4428 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Windows\system32\dwm.exe
PID 4428 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Windows\system32\sihost.exe
PID 4428 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Windows\system32\svchost.exe
PID 4428 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Windows\system32\taskhostw.exe
PID 4428 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Windows\Explorer.EXE
PID 4428 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Windows\system32\svchost.exe
PID 4428 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Windows\system32\DllHost.exe
PID 4428 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4428 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Windows\System32\RuntimeBroker.exe
PID 4428 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4428 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Windows\System32\RuntimeBroker.exe
PID 4428 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4428 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Windows\System32\RuntimeBroker.exe
PID 4428 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Users\Admin\AppData\Local\Temp\e573885.exe
PID 4428 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Users\Admin\AppData\Local\Temp\e573885.exe
PID 4428 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Windows\System32\RuntimeBroker.exe
PID 4428 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Windows\System32\RuntimeBroker.exe
PID 4428 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Users\Admin\AppData\Local\Temp\e57539e.exe
PID 4428 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Users\Admin\AppData\Local\Temp\e57539e.exe
PID 4428 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Users\Admin\AppData\Local\Temp\e5753bd.exe
PID 4428 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\e57379a.exe C:\Users\Admin\AppData\Local\Temp\e5753bd.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57379a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57539e.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3bd7c5a658a65f69c77c978c71d4c570_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3bd7c5a658a65f69c77c978c71d4c570_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\e57379a.exe

C:\Users\Admin\AppData\Local\Temp\e57379a.exe

C:\Users\Admin\AppData\Local\Temp\e573885.exe

C:\Users\Admin\AppData\Local\Temp\e573885.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e57539e.exe

C:\Users\Admin\AppData\Local\Temp\e57539e.exe

C:\Users\Admin\AppData\Local\Temp\e5753bd.exe

C:\Users\Admin\AppData\Local\Temp\e5753bd.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/3732-1-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e57379a.exe

MD5 d2845293b2a489981a73b167e96e2d17
SHA1 a7806af3972231a9443b906deff0ae3cf0c549c3
SHA256 094cef5abcd1655cd642298d74c5326dabafd925ccd339b9ef7f752dc537741a
SHA512 b32536b35808aafd6fdb7035d7db790c45b1dd634b35b86ff6bbe915e3e9cbaf2d83daf5566b272ad2460ba3fdc07ca4bf6d97794273c9e42000de7cc281c07c

memory/4428-5-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4428-8-0x0000000000760000-0x000000000181A000-memory.dmp

memory/3732-15-0x0000000004970000-0x0000000004971000-memory.dmp

memory/4428-6-0x0000000000760000-0x000000000181A000-memory.dmp

memory/4428-12-0x0000000000760000-0x000000000181A000-memory.dmp

memory/4428-13-0x0000000000760000-0x000000000181A000-memory.dmp

memory/3732-32-0x0000000001500000-0x0000000001502000-memory.dmp

memory/3616-31-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4428-30-0x00000000019F0000-0x00000000019F2000-memory.dmp

memory/4428-29-0x0000000000760000-0x000000000181A000-memory.dmp

memory/4428-27-0x00000000019F0000-0x00000000019F2000-memory.dmp

memory/4428-10-0x0000000000760000-0x000000000181A000-memory.dmp

memory/4428-11-0x0000000000760000-0x000000000181A000-memory.dmp

memory/4428-9-0x0000000000760000-0x000000000181A000-memory.dmp

memory/3732-18-0x0000000001500000-0x0000000001502000-memory.dmp

memory/4428-17-0x0000000001A00000-0x0000000001A01000-memory.dmp

memory/3732-14-0x0000000001500000-0x0000000001502000-memory.dmp

memory/4428-26-0x0000000000760000-0x000000000181A000-memory.dmp

memory/4428-33-0x0000000000760000-0x000000000181A000-memory.dmp

memory/4428-34-0x0000000000760000-0x000000000181A000-memory.dmp

memory/4428-37-0x0000000000760000-0x000000000181A000-memory.dmp

memory/4428-36-0x0000000000760000-0x000000000181A000-memory.dmp

memory/4428-38-0x0000000000760000-0x000000000181A000-memory.dmp

memory/4428-39-0x0000000000760000-0x000000000181A000-memory.dmp

memory/4428-40-0x0000000000760000-0x000000000181A000-memory.dmp

memory/4428-42-0x0000000000760000-0x000000000181A000-memory.dmp

memory/4428-43-0x0000000000760000-0x000000000181A000-memory.dmp

memory/744-56-0x0000000000400000-0x0000000000412000-memory.dmp

memory/5012-50-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4428-57-0x0000000000760000-0x000000000181A000-memory.dmp

memory/4428-59-0x0000000000760000-0x000000000181A000-memory.dmp

memory/4428-60-0x0000000000760000-0x000000000181A000-memory.dmp

memory/744-73-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/5012-72-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3616-71-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/744-70-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/744-69-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/5012-67-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/5012-66-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/3616-64-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3616-63-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/4428-74-0x0000000000760000-0x000000000181A000-memory.dmp

memory/4428-75-0x0000000000760000-0x000000000181A000-memory.dmp

memory/4428-79-0x0000000000760000-0x000000000181A000-memory.dmp

memory/4428-81-0x0000000000760000-0x000000000181A000-memory.dmp

memory/4428-83-0x0000000000760000-0x000000000181A000-memory.dmp

memory/4428-84-0x0000000000760000-0x000000000181A000-memory.dmp

memory/4428-86-0x0000000000760000-0x000000000181A000-memory.dmp

memory/4428-88-0x0000000000760000-0x000000000181A000-memory.dmp

memory/4428-89-0x00000000019F0000-0x00000000019F2000-memory.dmp

memory/4428-96-0x0000000000760000-0x000000000181A000-memory.dmp

memory/4428-97-0x0000000000760000-0x000000000181A000-memory.dmp

memory/4428-100-0x0000000000760000-0x000000000181A000-memory.dmp

memory/4428-119-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4428-102-0x0000000000760000-0x000000000181A000-memory.dmp

memory/3616-123-0x0000000000400000-0x0000000000412000-memory.dmp

memory/5012-147-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 955159775855afb524644c1c7b7286f0
SHA1 788981edbc8be277b8396607dc382b9004492fec
SHA256 dfd5b203f8b99563c9089a9f1c1c6eb3aa77ca30e2f094bb5c7f480b6a1e3a40
SHA512 17217db6d1f6517d79f12a3fdefc2225b57eeb14546912b7db8eae684c1b25fb08fbc9ed341c28e742a17507c0ce05065eea36c7b4b0418f48fe80e98eacb4bc

memory/5012-148-0x0000000000B30000-0x0000000001BEA000-memory.dmp

memory/744-152-0x0000000000400000-0x0000000000412000-memory.dmp

memory/5012-153-0x0000000000B30000-0x0000000001BEA000-memory.dmp