Malware Analysis Report

2024-09-11 12:22

Sample ID 240614-mbtfrszemr
Target b7621ffb848877991aebe108206335e0_NeikiAnalytics.exe
SHA256 07d48078bbb1d534700e13f897f043cb2a015c24ed54392c5513dfce717c6922
Tags: sality, backdoor, evasion, trojan, upx
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

07d48078bbb1d534700e13f897f043cb2a015c24ed54392c5513dfce717c6922

Threat Level: Known bad

The file b7621ffb848877991aebe108206335e0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

Tags: sality, backdoor, evasion, trojan, upx

Sality

UAC bypass

Modifies firewall policy service

Windows security bypass

Executes dropped EXE

Loads dropped DLL

UPX packed file

Windows security modification

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System policy modification

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 10:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 10:17

Reported

2024-06-14 10:20

Platform

win7-20231129-en

Max time kernel

118s

Max time network

120s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f7632e3.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f7632e3.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f7632e3.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f760ea1.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f760ea1.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f760ea1.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760ea1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7632e3.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7632e3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7632e3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760ea1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760ea1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760ea1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760ea1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7632e3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7632e3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760ea1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760ea1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7632e3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7632e3.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (25 matches reported, none with indicator details)

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f760ea1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7632e3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f7632e3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7632e3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760ea1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760ea1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760ea1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7632e3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7632e3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760ea1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760ea1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760ea1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7632e3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7632e3.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760ea1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7632e3.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f760ea1.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f760ea1.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f760ea1.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f760ea1.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f7632e3.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f760ea1.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f760ea1.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f760ea1.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f7632e3.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f760ea1.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f760ea1.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f760ea1.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f7632e3.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f760ea1.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f7632e3.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f760ea1.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f760f0e C:\Users\Admin\AppData\Local\Temp\f760ea1.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f760ea1.exe N/A
File created C:\Windows\f765f4f C:\Users\Admin\AppData\Local\Temp\f7632e3.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\f760ea1.exe N/A 2
N/A N/A C:\Users\Admin\AppData\Local\Temp\f7632e3.exe N/A 1

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760ea1.exe N/A 21
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7632e3.exe N/A 20

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count (rows in order of first occurrence)
PID 2216 wrote to memory of 2392 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 7
PID 2392 wrote to memory of 784 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760ea1.exe 4
PID 784 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\f760ea1.exe C:\Windows\system32\taskhost.exe 2
PID 784 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\f760ea1.exe C:\Windows\system32\Dwm.exe 2
PID 784 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\f760ea1.exe C:\Windows\Explorer.EXE 2
PID 784 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\f760ea1.exe C:\Windows\system32\DllHost.exe 1
PID 784 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\f760ea1.exe C:\Windows\system32\rundll32.exe 1
PID 784 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\f760ea1.exe C:\Windows\SysWOW64\rundll32.exe 2
PID 2392 wrote to memory of 2720 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761046.exe 4
PID 2392 wrote to memory of 3020 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7632e3.exe 4
PID 784 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\f760ea1.exe C:\Users\Admin\AppData\Local\Temp\f761046.exe 2
PID 784 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\f760ea1.exe C:\Users\Admin\AppData\Local\Temp\f7632e3.exe 2
PID 3020 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\f7632e3.exe C:\Windows\system32\taskhost.exe 1
PID 3020 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\f7632e3.exe C:\Windows\system32\Dwm.exe 1
PID 3020 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\f7632e3.exe C:\Windows\Explorer.EXE 1

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760ea1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7632e3.exe N/A
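The registry writes listed in the signatures above (and the identical set in the behavioral2 section) are the durable changes this sample leaves on a host: EnableLUA=0 switches UAC off for subsequent logons (this is not a bypass; writing that value under HKLM already requires administrative rights, which the sandbox's Admin account supplies), the Standard Profile firewall is disabled and its notifications silenced, and the Security Center notify/override flags are set so the host stops warning about missing antivirus, firewall and updates. The sample is 32-bit (the 64-bit system32\rundll32.exe hands it to SysWOW64\rundll32.exe), so its HKLM\SOFTWARE writes were redirected into the Wow6432Node view, which is why the report shows those paths.

The following PowerShell script is an added example, not part of the report or of the sandbox's tooling. It reads the same values on a live host and flags any that differ from what a UAC-enabled, firewall-on Windows host has by default. It uses CurrentControlSet rather than the ControlSet001 path the report records, checks the Security Center keys in both the native and the Wow6432Node views, and deliberately does not flag DoNotAllowExceptions, which the sample set to 0, its default value. The expected values are an assumption about an unmanaged default configuration; a host whose firewall or UAC settings are policy-managed needs its own baseline.

```powershell
# Added example (not from the report): audit the registry values the Sality sample tampers with.
# Run in an elevated PowerShell session on the suspect host. Expected values are an assumption:
# the defaults of a UAC-enabled, firewall-on Windows host with no policy overrides.

$firewallProfile = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA'; Expected = 1 },
    @{ Path = $firewallProfile; Name = 'EnableFirewall';       Expected = 1 },
    @{ Path = $firewallProfile; Name = 'DisableNotifications'; Expected = 0 }
)

# Security Center notify/override flags. The sample set all six to 1 under the Wow6432Node view
# (32-bit registry redirection); a 64-bit host should be checked in both views.
$scPaths = @('HKLM:\SOFTWARE\Microsoft\Security Center', 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Security Center')
$scNames = 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify',
           'UacDisableNotify', 'AntiVirusOverride', 'FirewallOverride'
foreach ($p in $scPaths) {
    foreach ($n in $scNames) { $checks += @{ Path = $p; Name = $n; Expected = 0 } }
}

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-SecurityPostureFindings {
    param([object[]]$Checks)
    foreach ($c in $Checks) {
        $actual = Get-RegistryValueOrNull -Path $c.Path -Name $c.Name
        # An absent value is treated as 0: normal for the Security Center flags (and for a
        # missing Wow6432Node view on 32-bit Windows), a finding for EnableLUA and EnableFirewall.
        $effective = if ($null -eq $actual) { 0 } else { [int]$actual }
        [pscustomobject]@{
            Key      = $c.Path
            Value    = $c.Name
            Expected = $c.Expected
            Actual   = if ($null -eq $actual) { '<absent>' } else { $actual }
            Status   = if ($effective -eq $c.Expected) { 'ok' } else { 'TAMPERED' }
        }
    }
}

Get-SecurityPostureFindings -Checks $checks |
    Sort-Object Status -Descending |
    Format-Table Status, Value, Expected, Actual, Key -AutoSize
```

A TAMPERED row for EnableLUA or EnableFirewall on a host that should have both enabled is worth correlating with the other indicators in this report (the dropped f76*.exe files under %TEMP%, the unnamed files created under C:\Windows, and the SYSTEM.INI modification) before concluding the host was hit by this family; on its own it only shows that something with administrative rights changed the value.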

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\b7621ffb848877991aebe108206335e0_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\b7621ffb848877991aebe108206335e0_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\f760ea1.exe

C:\Users\Admin\AppData\Local\Temp\f760ea1.exe

C:\Users\Admin\AppData\Local\Temp\f761046.exe

C:\Users\Admin\AppData\Local\Temp\f761046.exe

C:\Users\Admin\AppData\Local\Temp\f7632e3.exe

C:\Users\Admin\AppData\Local\Temp\f7632e3.exe

Network

N/A

Files

memory/2392-1-0x0000000010000000-0x0000000010020000-memory.dmp

\Users\Admin\AppData\Local\Temp\f760ea1.exe

MD5 4dcd969e175d354047a0ff98f85f906e
SHA1 c37be10a218ea5fd23d7831cb129587da7b568ad
SHA256 26e2e6893f904bfe2774b89acd123dd7d572172e98faff79b637e1f0e8bd1c3c
SHA512 709a1c91717c5cc9157a1f34273d1be03a3ae86b804543fb9f3e27c86428d5afe1f79153b8da5dce4a124163f941116e797a89bec49ec2a3a67452a326456687

memory/784-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2392-10-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2392-9-0x0000000000400000-0x0000000000412000-memory.dmp

memory/784-12-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/784-14-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/784-19-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/784-15-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/784-16-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/784-21-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2392-36-0x0000000000250000-0x0000000000251000-memory.dmp

memory/784-47-0x0000000000330000-0x0000000000332000-memory.dmp

memory/2720-60-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2392-59-0x0000000000240000-0x0000000000242000-memory.dmp

memory/2392-58-0x0000000000260000-0x0000000000272000-memory.dmp

memory/784-45-0x00000000005A0000-0x00000000005A1000-memory.dmp

memory/2392-44-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2392-56-0x0000000000240000-0x0000000000242000-memory.dmp

memory/2392-51-0x0000000000260000-0x0000000000272000-memory.dmp

memory/784-50-0x0000000000330000-0x0000000000332000-memory.dmp

memory/2392-35-0x0000000000240000-0x0000000000242000-memory.dmp

memory/1228-28-0x0000000000360000-0x0000000000362000-memory.dmp

memory/784-17-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/784-22-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/784-20-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/784-18-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/784-61-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/784-62-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/784-63-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/784-64-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/784-65-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/784-67-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/784-68-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/3020-80-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2392-77-0x0000000000240000-0x0000000000242000-memory.dmp

memory/784-81-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2720-90-0x00000000003B0000-0x00000000003B1000-memory.dmp

memory/2720-91-0x0000000000360000-0x0000000000362000-memory.dmp

memory/3020-97-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/3020-98-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/3020-100-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/2720-99-0x0000000000360000-0x0000000000362000-memory.dmp

memory/784-102-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/784-103-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/784-105-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/784-106-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/784-111-0x0000000000330000-0x0000000000332000-memory.dmp

memory/784-142-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/784-143-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2720-147-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 9e353d78de53ff4234d782f4e32a3af7
SHA1 1a666c5bfdd951cfb032b75df23235c4347bde92
SHA256 c685a3be39f17b999db7b351b2a1ba7942917593c5135ef2d63543c83a30b054
SHA512 36d746a1a4d6016ee435719d656aee0696515b6fea8d50ec8167e1394471a166f5f33f4043ab02ed85fbfe521b66f44d75282fe0578c4e7a2bb160520f465045

memory/3020-164-0x0000000000920000-0x00000000019DA000-memory.dmp

memory/3020-201-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3020-202-0x0000000000920000-0x00000000019DA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 10:17

Reported

2024-06-14 10:20

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

60s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e5767b3.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e5767b3.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e5767b3.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5767b3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5767b3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5767b3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5767b3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5767b3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5767b3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5767b3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (30 matches reported, none with indicator details)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e5767b3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5767b3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5767b3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5767b3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5767b3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5767b3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5767b3.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5767b3.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A
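The three 7-Zip executables above were opened for modification by e57447b.exe. Sality is a file infector, so an executable it opened for write may now carry an infected copy rather than a separately dropped file, and a responder wants to know whether those binaries still match a clean build. The PowerShell snippet below is an added example, not part of the report: it records the Authenticode signature status and the SHA-256 of each path and compares the hash with a known-good value the responder supplies from a trusted installation of the same version. A HashMismatch status on a previously signed binary is strong evidence of in-place modification, but a NotSigned status proves nothing by itself for vendors that ship unsigned binaries, so the hash comparison is the decisive check. The $KnownGood table is a placeholder that ships empty here and is an assumption about how the responder obtains reference hashes.

```powershell
# Added example (not from the report): check executables the sample opened for modification.
# $KnownGood maps a path to the SHA-256 of a clean copy of the same version; it is a placeholder
# the responder fills in from a trusted install. Requires PowerShell 4 or later (Get-FileHash).

$paths = @(
    'C:\Program Files\7-Zip\7zG.exe',
    'C:\Program Files\7-Zip\7z.exe',
    'C:\Program Files\7-Zip\7zFM.exe'
)

function Test-BinaryIntegrity {
    param(
        [string[]]$Path,
        [hashtable]$KnownGood = @{}
    )
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Signature = 'missing'; Signer = $null; HashMatch = $null; SHA256 = $null }
            continue
        }
        $sig  = Get-AuthenticodeSignature -FilePath $p
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        # HashMatch is $true/$false when a reference hash exists, otherwise 'no reference'.
        $match = if ($KnownGood.ContainsKey($p)) { $hash -eq $KnownGood[$p] } else { 'no reference' }
        [pscustomobject]@{
            Path      = $p
            Signature = $sig.Status     # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            HashMatch = $match
            SHA256    = $hash
        }
    }
}

# Any row with Signature = HashMismatch, or HashMatch = $false, is a modified binary and should be
# treated as infected: quarantine it and reinstall the application from trusted media.
Test-BinaryIntegrity -Path $paths -KnownGood @{} | Format-Table Signature, HashMatch, Path -AutoSize
```

Because a file infector can touch any executable it can open, the same check belongs on every binary the host's own logs show being written during the incident window, not only on the three paths the sandbox happened to record.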

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e5744d9 C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A
File created C:\Windows\e57b630 C:\Users\Admin\AppData\Local\Temp\e5767b3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A
(this identical row is recorded 64 times for e57447b.exe)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3636 wrote to memory of 2560 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3636 wrote to memory of 2560 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3636 wrote to memory of 2560 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2560 wrote to memory of 4224 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57447b.exe
PID 2560 wrote to memory of 4224 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57447b.exe
PID 2560 wrote to memory of 4224 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57447b.exe
PID 4224 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Windows\system32\fontdrvhost.exe
PID 4224 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Windows\system32\fontdrvhost.exe
PID 4224 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Windows\system32\dwm.exe
PID 4224 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Windows\system32\svchost.exe
PID 4224 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Windows\system32\sihost.exe
PID 4224 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Windows\system32\taskhostw.exe
PID 4224 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Windows\Explorer.EXE
PID 4224 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Windows\system32\svchost.exe
PID 4224 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Windows\system32\DllHost.exe
PID 4224 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4224 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Windows\System32\RuntimeBroker.exe
PID 4224 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4224 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Windows\System32\RuntimeBroker.exe
PID 4224 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4224 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Windows\System32\RuntimeBroker.exe
PID 4224 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4224 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Windows\system32\rundll32.exe
PID 4224 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Windows\SysWOW64\rundll32.exe
PID 4224 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Windows\SysWOW64\rundll32.exe
PID 2560 wrote to memory of 4668 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574585.exe
PID 2560 wrote to memory of 4668 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574585.exe
PID 2560 wrote to memory of 4668 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574585.exe
PID 2560 wrote to memory of 4596 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5767b3.exe
PID 2560 wrote to memory of 4596 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5767b3.exe
PID 2560 wrote to memory of 4596 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5767b3.exe
PID 4224 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Windows\system32\fontdrvhost.exe
PID 4224 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Windows\system32\fontdrvhost.exe
PID 4224 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Windows\system32\dwm.exe
PID 4224 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Windows\system32\svchost.exe
PID 4224 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Windows\system32\sihost.exe
PID 4224 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Windows\system32\taskhostw.exe
PID 4224 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Windows\Explorer.EXE
PID 4224 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Windows\system32\svchost.exe
PID 4224 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Windows\system32\DllHost.exe
PID 4224 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4224 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Windows\System32\RuntimeBroker.exe
PID 4224 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4224 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Windows\System32\RuntimeBroker.exe
PID 4224 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4224 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Windows\System32\RuntimeBroker.exe
PID 4224 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Users\Admin\AppData\Local\Temp\e574585.exe
PID 4224 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Users\Admin\AppData\Local\Temp\e574585.exe
PID 4224 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Windows\System32\RuntimeBroker.exe
PID 4224 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Windows\System32\RuntimeBroker.exe
PID 4224 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Users\Admin\AppData\Local\Temp\e5767b3.exe
PID 4224 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Users\Admin\AppData\Local\Temp\e5767b3.exe
PID 4596 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\e5767b3.exe C:\Windows\system32\fontdrvhost.exe
PID 4596 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\e5767b3.exe C:\Windows\system32\fontdrvhost.exe
PID 4596 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e5767b3.exe C:\Windows\system32\dwm.exe
PID 4596 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\e5767b3.exe C:\Windows\system32\svchost.exe
PID 4596 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\e5767b3.exe C:\Windows\system32\sihost.exe
PID 4596 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\e5767b3.exe C:\Windows\system32\taskhostw.exe
PID 4596 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\e5767b3.exe C:\Windows\Explorer.EXE
PID 4596 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\e5767b3.exe C:\Windows\system32\svchost.exe
PID 4596 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\e5767b3.exe C:\Windows\system32\DllHost.exe
PID 4596 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\e5767b3.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4596 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\e5767b3.exe C:\Windows\System32\RuntimeBroker.exe
PID 4596 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\e5767b3.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5767b3.exe N/A
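
The signature tables above are the evidence a responder actually works from: the EnableLUA policy write, the drive-letter enumeration, the 7-Zip executables opened for modification, the SeDebugPrivilege adjustments and the long list of "PID X wrote to memory of Y" rows. The script below is an added example written for this report; it is not sandbox output and not code from the sample. It parses rows in the exact flattened "Description Indicator Process Target" shape used in these tables and reduces them to the findings worth escalating: security-policy values set to 0, drives touched, PE files opened for writing, privilege use per process, and write-to-memory fan-out (one source PID writing into many distinct images, the pattern visible for PID 4224 above). The sample rows are copied from the tables in this report except the EnableFirewall row, whose process path C:\constructed\sample.exe is constructed so that branch is exercised; the names POLICY_KEYS, summarize and the fanout_threshold cut-off of three targets are my own assumptions, not anything the sandbox defines.

```python
"""Reduce flattened sandbox signature rows to responder-facing findings.

Added example for this report, not sandbox output and not the sample's code.
"""
import json
import re
from collections import Counter, defaultdict

# Constructed sample input. All rows except the EnableFirewall row are copied from
# the signature tables in this report; that row's process (C:\constructed\sample.exe)
# is constructed so the firewall branch of POLICY_KEYS is exercised.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5767b3.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\constructed\sample.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A
File created C:\Windows\e5744d9 C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe N/A
PID 3636 wrote to memory of 2560 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2560 wrote to memory of 4224 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57447b.exe
PID 4224 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Windows\system32\fontdrvhost.exe
PID 4224 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Windows\system32\dwm.exe
PID 4224 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Windows\system32\svchost.exe
PID 4224 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Windows\Explorer.EXE
PID 4224 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\e57447b.exe C:\Windows\SysWOW64\rundll32.exe
PID 4596 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\e5767b3.exe C:\Windows\system32\fontdrvhost.exe
"""

# Policy values that weaken the host when written as 0 (Windows semantics; the
# mapping is an assumption of this example, not something the sandbox emits).
POLICY_KEYS = {
    "EnableLUA": "UAC disabled",
    "EnableFirewall": "Windows Firewall disabled",
    "DoNotAllowExceptions": "firewall exceptions re-enabled",
}

# One regex per row shape. Process/target paths are matched lazily from a drive
# letter so paths containing spaces (C:\Program Files\...) still split correctly.
REG_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<key>\S+) = "(?P<val>[^"]*)" (?P<proc>[A-Z]:\\.+?) N/A$')
FILE_RE = re.compile(r"^File (?P<action>opened \(read-only\)|opened for modification|created) (?P<path>.+?) (?P<proc>[A-Z]:\\.+?) N/A$")
TOKEN_RE = re.compile(r"^Token: (?P<priv>\S+) N/A (?P<proc>[A-Z]:\\.+?) N/A$")
WPM_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>[A-Z]:\\.+?) (?P<dst_img>[A-Z]:\\.+)$")


def parse_rows(rows_text):
    """Yield (kind, fields) for every recognised row; unrecognised rows are skipped."""
    for line in rows_text.splitlines():
        line = line.strip()
        if not line:
            continue
        for kind, rx in (("registry", REG_RE), ("file", FILE_RE), ("token", TOKEN_RE), ("wpm", WPM_RE)):
            m = rx.match(line)
            if m:
                yield kind, m.groupdict()
                break


def summarize(rows_text, fanout_threshold=3):
    """Return findings; fanout_threshold (assumed) is the number of distinct target
    images a single PID must write into before it is reported as an injector."""
    policy = []                        # (process, key leaf, value, meaning)
    drives = set()                     # drive letters opened read-only via \??\X:
    modified_pe = set()                # executables opened for modification
    privileges = defaultdict(Counter)  # process -> {privilege: count}
    injectors = defaultdict(lambda: {"image": None, "targets": set()})
    for kind, f in parse_rows(rows_text):
        if kind == "registry":
            leaf = f["key"].rsplit("\\", 1)[-1]
            if leaf in POLICY_KEYS and f["val"] == "0":
                policy.append((f["proc"], leaf, f["val"], POLICY_KEYS[leaf]))
        elif kind == "file":
            path = f["path"]
            if f["action"] == "opened (read-only)" and path.startswith("\\??\\") and path.endswith(":"):
                drives.add(path[-2])
            elif f["action"] == "opened for modification" and path.lower().endswith((".exe", ".dll", ".scr")):
                modified_pe.add(path)
        elif kind == "token":
            privileges[f["proc"]][f["priv"]] += 1
        else:  # wpm: record which images each source PID wrote into
            entry = injectors[int(f["src"])]
            entry["image"] = f["src_img"]
            entry["targets"].add(f["dst_img"])
    fanout = {pid: (e["image"], sorted(e["targets"]))
              for pid, e in sorted(injectors.items())
              if len(e["targets"]) >= fanout_threshold}
    return {
        "policy_tamper": policy,
        "drives_enumerated": sorted(drives),
        "pe_opened_for_modification": sorted(modified_pe),
        "privileges": {p: dict(c) for p, c in privileges.items()},
        "injection_fanout": fanout,
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_ROWS), indent=2))
```

Run against the rows above, the script reports PID 4224 (e57447b.exe) writing into five distinct system images while the rundll32 stages each write into only one, which is the distinction that matters: a loader handing off to its next stage looks like the 3636/2560 rows, a process-wide injector looks like 4224. The PE list deliberately excludes SYSTEM.INI and the created file C:\Windows\e5744d9, so it contains only the 7-Zip executables that a file infector would have written into; those are the files to re-hash or reinstall on a cleaned host.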

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\b7621ffb848877991aebe108206335e0_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\b7621ffb848877991aebe108206335e0_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\e57447b.exe

C:\Users\Admin\AppData\Local\Temp\e57447b.exe

C:\Users\Admin\AppData\Local\Temp\e574585.exe

C:\Users\Admin\AppData\Local\Temp\e574585.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e5767b3.exe

C:\Users\Admin\AppData\Local\Temp\e5767b3.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/2560-1-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e57447b.exe

MD5 4dcd969e175d354047a0ff98f85f906e
SHA1 c37be10a218ea5fd23d7831cb129587da7b568ad
SHA256 26e2e6893f904bfe2774b89acd123dd7d572172e98faff79b637e1f0e8bd1c3c
SHA512 709a1c91717c5cc9157a1f34273d1be03a3ae86b804543fb9f3e27c86428d5afe1f79153b8da5dce4a124163f941116e797a89bec49ec2a3a67452a326456687

memory/4224-5-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4224-6-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4224-8-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4224-9-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/2560-21-0x0000000003E40000-0x0000000003E42000-memory.dmp

memory/2560-20-0x0000000004370000-0x0000000004371000-memory.dmp

memory/2560-15-0x0000000003E40000-0x0000000003E42000-memory.dmp

memory/2560-13-0x0000000003E40000-0x0000000003E42000-memory.dmp

memory/4224-11-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4224-12-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4224-27-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4224-28-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4224-35-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4224-34-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4224-33-0x00000000005B0000-0x00000000005B2000-memory.dmp

memory/4224-10-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4668-31-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4224-18-0x0000000001AC0000-0x0000000001AC1000-memory.dmp

memory/4224-29-0x00000000005B0000-0x00000000005B2000-memory.dmp

memory/4224-36-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4224-37-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4224-38-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4224-39-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4224-40-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4224-42-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4596-47-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4224-51-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4596-57-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4596-56-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/4668-54-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4668-53-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/4668-58-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4596-59-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4224-60-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4224-62-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4224-63-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4224-64-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4224-66-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4224-69-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4224-73-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4224-74-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4224-75-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4224-77-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4224-101-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4224-90-0x00000000005B0000-0x00000000005B2000-memory.dmp

memory/4224-83-0x00000000007C0000-0x000000000187A000-memory.dmp

memory/4668-105-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 e00c5f5296dd875df11175c0644dab7c
SHA1 114dd8113a024f440c37337810c12fdc6589de9c
SHA256 9072e306d8910c27848c4396f3f3ff4e3f8756112764ab58e44350486ba32834
SHA512 e92baa11bb82bb296a5bfeb722f0c2c045624549e9b6263097a6e70f2a629c520e32f11cfb976f77e3d2dfeef20cb2f651488387cdf51bc26bd2f531b6a6aeb6

memory/4596-117-0x0000000000B50000-0x0000000001C0A000-memory.dmp

memory/4596-132-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4596-133-0x0000000000B50000-0x0000000001C0A000-memory.dmp