Malware Analysis Report

2024-09-11 12:59

Sample ID 240613-a8q1paxhkc
Target 519a437d7700fcc733afd271fa6673a0_NeikiAnalytics.exe
SHA256 fcbc08f172a8dff7e3353c2d53df1b7b5b49cf42c9fcd45b9ce5b912f0e41659
Tags sality backdoor evasion trojan upx
Score 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK Matrix
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 fcbc08f172a8dff7e3353c2d53df1b7b5b49cf42c9fcd45b9ce5b912f0e41659

Threat Level: Known bad

The file 519a437d7700fcc733afd271fa6673a0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Modifies firewall policy service

Windows security bypass

Sality

UAC bypass

Loads dropped DLL

Executes dropped EXE

UPX packed file

Windows security modification

Enumerates connected drives

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

System policy modification

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported 2024-06-13 00:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-13 00:53
Reported 2024-06-13 00:55
Platform win7-20231129-en
Max time kernel 120s
Max time network 121s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f761075.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f760e62.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f760e62.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f760e62.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f761075.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f761075.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760e62.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761075.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760e62.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760e62.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761075.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761075.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761075.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760e62.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760e62.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760e62.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760e62.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761075.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761075.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761075.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (24 identical rows collapsed; the report records no description, indicator, process or target for this signature)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761075.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760e62.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761075.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761075.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f760e62.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760e62.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761075.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f761075.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760e62.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760e62.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760e62.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761075.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761075.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760e62.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760e62.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761075.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f760e62.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f760e62.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f760e62.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f760e62.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f760e62.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f760e62.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f760e62.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f760e62.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f760e62.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f760e62.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f760e62.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f760ed0 C:\Users\Admin\AppData\Local\Temp\f760e62.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f760e62.exe N/A
File created C:\Windows\f765f8e C:\Users\Admin\AppData\Local\Temp\f761075.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f760e62.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f760e62.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761075.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760e62.exe N/A (21 identical events)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761075.exe N/A (20 identical events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2232 wrote to memory of 1704 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (7 identical events)
PID 1704 wrote to memory of 1844 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760e62.exe (4 identical events)
PID 1844 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\f760e62.exe C:\Windows\system32\taskhost.exe
PID 1844 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\f760e62.exe C:\Windows\system32\Dwm.exe
PID 1844 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\f760e62.exe C:\Windows\Explorer.EXE
PID 1844 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\f760e62.exe C:\Windows\system32\DllHost.exe
PID 1844 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\f760e62.exe C:\Windows\system32\rundll32.exe
PID 1844 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\f760e62.exe C:\Windows\SysWOW64\rundll32.exe (2 identical events)
PID 1704 wrote to memory of 2764 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761075.exe (4 identical events)
PID 1704 wrote to memory of 2088 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7633dc.exe (4 identical events)
PID 1844 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\f760e62.exe C:\Windows\system32\taskhost.exe
PID 1844 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\f760e62.exe C:\Windows\system32\Dwm.exe
PID 1844 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\f760e62.exe C:\Windows\Explorer.EXE
PID 1844 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\f760e62.exe C:\Users\Admin\AppData\Local\Temp\f761075.exe (2 identical events)
PID 1844 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\f760e62.exe C:\Users\Admin\AppData\Local\Temp\f7633dc.exe (2 identical events)
PID 2764 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\f761075.exe C:\Windows\system32\taskhost.exe
PID 2764 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\f761075.exe C:\Windows\system32\Dwm.exe
PID 2764 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\f761075.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761075.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760e62.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\519a437d7700fcc733afd271fa6673a0_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\519a437d7700fcc733afd271fa6673a0_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\f760e62.exe

C:\Users\Admin\AppData\Local\Temp\f760e62.exe

C:\Users\Admin\AppData\Local\Temp\f761075.exe

C:\Users\Admin\AppData\Local\Temp\f761075.exe

C:\Users\Admin\AppData\Local\Temp\f7633dc.exe

C:\Users\Admin\AppData\Local\Temp\f7633dc.exe

Network

N/A

Files

memory/1844-24-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/1844-51-0x0000000000490000-0x0000000000492000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f761075.exe

MD5 105ba88a8deb1ef75e04646f671d1e4a
SHA1 a19c679abacf1d17438c61a0fa9d602c7eed625f
SHA256 d4d85824311a23d1180583c5e83b90f5fd32a3ae736cc6e2b497bf2d8c4721b2
SHA512 c2e246898997ac7e6099a1ec0519ac52b4898a817140a3c6df7077c611d50c712955f7787a154a1cbaebc3e5d70534edaa49e495f9e33afeea6b063c5ebd101a

memory/1704-61-0x0000000000160000-0x0000000000162000-memory.dmp

memory/1704-60-0x00000000001C0000-0x00000000001D2000-memory.dmp

memory/1844-49-0x00000000016E0000-0x00000000016E1000-memory.dmp

memory/1704-48-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/1844-59-0x0000000000490000-0x0000000000492000-memory.dmp

memory/1704-58-0x0000000000160000-0x0000000000162000-memory.dmp

memory/1704-39-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/1704-38-0x0000000000160000-0x0000000000162000-memory.dmp

memory/1184-30-0x0000000002170000-0x0000000002172000-memory.dmp

memory/1844-21-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/1844-20-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/1844-18-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/1844-23-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/1844-22-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/1844-19-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/1844-17-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/1844-15-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/1844-16-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/1704-12-0x0000000000130000-0x0000000000142000-memory.dmp

memory/1704-6-0x0000000000130000-0x0000000000142000-memory.dmp

memory/1704-3-0x0000000010000000-0x0000000010020000-memory.dmp

memory/1704-0-0x0000000010000000-0x0000000010020000-memory.dmp

memory/1704-1-0x0000000010000000-0x0000000010020000-memory.dmp

memory/1844-63-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/1844-64-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/1844-65-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/1844-66-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/1844-67-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/1704-80-0x0000000000130000-0x0000000000132000-memory.dmp

memory/1704-77-0x0000000000160000-0x0000000000162000-memory.dmp

memory/2088-81-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1844-82-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/2764-91-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2764-90-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2088-98-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/2088-97-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/2764-100-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2088-101-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/1844-99-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/1844-102-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/1844-105-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/1844-106-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/1844-108-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/1844-143-0x00000000005A0000-0x000000000165A000-memory.dmp

memory/1844-142-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 521e7b77ae8d4a549b2b8417014c892f
SHA1 622a4ea0d75060eb600d5f1117c70d4d23e5f9b1
SHA256 62ae0aab8be9db384d974cca7d746e01afd87593b2a035cde976a689ff43f98a
SHA512 4c1cfdebe4b5d0e26512a9dca785b48806061bd7d8ae1f4175ac2c8ea4cb9abc170895da01e577cdbbad87a21a9ae94ba8a539b927fcb240dcdf0ce3f5d27662

memory/2764-155-0x0000000000930000-0x00000000019EA000-memory.dmp

memory/2764-185-0x0000000000930000-0x00000000019EA000-memory.dmp

memory/2764-186-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2088-190-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-13 00:53
Reported 2024-06-13 00:55
Platform win10v2004-20240508-en
Max time kernel 147s
Max time network 150s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e5747a8.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e5747a8.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e577251.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e577251.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e577251.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e5747a8.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5747a8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e577251.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e577251.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577251.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577251.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5747a8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5747a8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5747a8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5747a8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577251.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5747a8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5747a8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577251.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e577251.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (32 identical rows collapsed; the report records no description, indicator, process or target for this signature)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5747a8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e5747a8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577251.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5747a8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5747a8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5747a8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e577251.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577251.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e577251.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577251.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577251.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e577251.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5747a8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5747a8.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5747a8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e577251.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e5747a8.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e5747a8.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e5747a8.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e577251.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e5747a8.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e5747a8.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e5747a8.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e5747a8.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e577251.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e577251.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e577251.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e5747a8.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e5747a8.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e5747a8.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e5747a8.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e5747a8.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e5747a8.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e5747a8.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e5747e6 C:\Users\Admin\AppData\Local\Temp\e5747a8.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e5747a8.exe N/A
File created C:\Windows\e579c11 C:\Users\Admin\AppData\Local\Temp\e577251.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3152 wrote to memory of 1200 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3152 wrote to memory of 1200 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3152 wrote to memory of 1200 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1200 wrote to memory of 1792 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5747a8.exe
PID 1200 wrote to memory of 1792 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5747a8.exe
PID 1200 wrote to memory of 1792 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5747a8.exe
PID 1792 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe C:\Windows\system32\fontdrvhost.exe
PID 1792 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe C:\Windows\system32\fontdrvhost.exe
PID 1792 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe C:\Windows\system32\dwm.exe
PID 1792 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe C:\Windows\system32\sihost.exe
PID 1792 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe C:\Windows\system32\svchost.exe
PID 1792 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe C:\Windows\system32\taskhostw.exe
PID 1792 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe C:\Windows\Explorer.EXE
PID 1792 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe C:\Windows\system32\svchost.exe
PID 1792 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe C:\Windows\system32\DllHost.exe
PID 1792 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1792 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe C:\Windows\System32\RuntimeBroker.exe
PID 1792 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1792 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe C:\Windows\System32\RuntimeBroker.exe
PID 1792 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe C:\Windows\System32\RuntimeBroker.exe
PID 1792 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1792 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1792 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe C:\Windows\system32\rundll32.exe
PID 1792 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe C:\Windows\SysWOW64\rundll32.exe
PID 1792 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe C:\Windows\SysWOW64\rundll32.exe
PID 1200 wrote to memory of 4444 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574882.exe
PID 1200 wrote to memory of 4444 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574882.exe
PID 1200 wrote to memory of 4444 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574882.exe
PID 1792 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe C:\Windows\system32\fontdrvhost.exe
PID 1792 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe C:\Windows\system32\fontdrvhost.exe
PID 1792 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe C:\Windows\system32\dwm.exe
PID 1792 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe C:\Windows\system32\sihost.exe
PID 1792 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe C:\Windows\system32\svchost.exe
PID 1792 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe C:\Windows\system32\taskhostw.exe
PID 1792 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe C:\Windows\Explorer.EXE
PID 1792 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe C:\Windows\system32\svchost.exe
PID 1792 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe C:\Windows\system32\DllHost.exe
PID 1792 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1792 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe C:\Windows\System32\RuntimeBroker.exe
PID 1792 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1792 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe C:\Windows\System32\RuntimeBroker.exe
PID 1792 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe C:\Windows\System32\RuntimeBroker.exe
PID 1792 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1792 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1792 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe C:\Windows\system32\rundll32.exe
PID 1792 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe C:\Users\Admin\AppData\Local\Temp\e574882.exe
PID 1792 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe C:\Users\Admin\AppData\Local\Temp\e574882.exe
PID 1792 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe C:\Windows\System32\RuntimeBroker.exe
PID 1792 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe C:\Windows\System32\RuntimeBroker.exe
PID 1792 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\e5747a8.exe C:\Windows\system32\DllHost.exe
PID 1200 wrote to memory of 4624 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e577251.exe
PID 1200 wrote to memory of 4624 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e577251.exe
PID 1200 wrote to memory of 4624 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e577251.exe
PID 4624 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e577251.exe C:\Windows\system32\fontdrvhost.exe
PID 4624 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e577251.exe C:\Windows\system32\fontdrvhost.exe
PID 4624 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\e577251.exe C:\Windows\system32\dwm.exe
PID 4624 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\e577251.exe C:\Windows\system32\sihost.exe
PID 4624 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\e577251.exe C:\Windows\system32\svchost.exe
PID 4624 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\e577251.exe C:\Windows\system32\taskhostw.exe
PID 4624 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\e577251.exe C:\Windows\Explorer.EXE
PID 4624 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\e577251.exe C:\Windows\system32\svchost.exe
PID 4624 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\e577251.exe C:\Windows\system32\DllHost.exe
PID 4624 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\e577251.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4624 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\e577251.exe C:\Windows\System32\RuntimeBroker.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5747a8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e577251.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\519a437d7700fcc733afd271fa6673a0_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\519a437d7700fcc733afd271fa6673a0_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\e5747a8.exe

C:\Users\Admin\AppData\Local\Temp\e5747a8.exe

C:\Users\Admin\AppData\Local\Temp\e574882.exe

C:\Users\Admin\AppData\Local\Temp\e574882.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\AppData\Local\Temp\e577251.exe

C:\Users\Admin\AppData\Local\Temp\e577251.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\e5747a8.exe

MD5 105ba88a8deb1ef75e04646f671d1e4a
SHA1 a19c679abacf1d17438c61a0fa9d602c7eed625f
SHA256 d4d85824311a23d1180583c5e83b90f5fd32a3ae736cc6e2b497bf2d8c4721b2
SHA512 c2e246898997ac7e6099a1ec0519ac52b4898a817140a3c6df7077c611d50c712955f7787a154a1cbaebc3e5d70534edaa49e495f9e33afeea6b063c5ebd101a

C:\Windows\SYSTEM.INI

MD5 5e551cd77994a545b9cc70ef8d16e998
SHA1 5c0590a506352bfec9d0745e931c8892497b805f
SHA256 ea6799d9d1641cee97751cd050f3c5dd2dfc84006e90e3b88e32fab327cbc91a
SHA512 521e4fb13e64829b36f091190cdfe240a7aea240d17baee40a538c583aa6a12a265a8f5ba66a0093ed1b7d495c99e3afefd6da30b89b0edfbebb83c33cb849c3
