Malware Analysis Report

2024-09-11 11:46

Sample ID 240616-aah77athpl
Target c4860c8714a58fd698618baf3bdb4560_NeikiAnalytics.exe
SHA256 164a1f0c8079c99431b195ad03f9d9310756741e0ad01b5a9ee3b70c449e0b0b
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

164a1f0c8079c99431b195ad03f9d9310756741e0ad01b5a9ee3b70c449e0b0b

Threat Level: Known bad

The file c4860c8714a58fd698618baf3bdb4560_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Windows security bypass

Sality

Modifies firewall policy service

UAC bypass

Windows security modification

Loads dropped DLL

Executes dropped EXE

UPX packed file

Enumerates connected drives

Checks whether UAC is enabled

Drops file in Windows directory

Unsigned PE

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-16 00:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 00:00

Reported

2024-06-16 00:03

Platform

win7-20240221-en

Max time kernel

122s

Max time network

124s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f764309.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f764309.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f762378.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f762378.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f762378.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f764309.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f762378.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f764309.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762378.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762378.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f764309.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764309.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764309.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f764309.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762378.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762378.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762378.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764309.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764309.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762378.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f764309.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764309.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762378.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762378.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762378.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764309.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764309.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762378.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f764309.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762378.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762378.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f762378.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f764309.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f764309.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f762378.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f764309.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f762378.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f762378.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f762378.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f762378.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f762378.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f762378.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f762378.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f762378.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f762378.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f764309.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f764309.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f762378.exe N/A
File created C:\Windows\f76788a C:\Users\Admin\AppData\Local\Temp\f764309.exe N/A
File created C:\Windows\f762404 C:\Users\Admin\AppData\Local\Temp\f762378.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f762378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f764309.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762378.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f764309.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2132 wrote to memory of 1948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1948 wrote to memory of 1740 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762378.exe
PID 1740 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\f762378.exe C:\Windows\system32\taskhost.exe
PID 1740 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\f762378.exe C:\Windows\system32\Dwm.exe
PID 1740 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\f762378.exe C:\Windows\Explorer.EXE
PID 1740 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\f762378.exe C:\Windows\system32\DllHost.exe
PID 1740 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\f762378.exe C:\Windows\system32\rundll32.exe
PID 1740 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\f762378.exe C:\Windows\SysWOW64\rundll32.exe
PID 1948 wrote to memory of 2316 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762877.exe
PID 1948 wrote to memory of 2968 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f764309.exe
PID 1740 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\f762378.exe C:\Users\Admin\AppData\Local\Temp\f762877.exe
PID 1740 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\f762378.exe C:\Users\Admin\AppData\Local\Temp\f764309.exe
PID 2968 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\f764309.exe C:\Windows\system32\taskhost.exe
PID 2968 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\f764309.exe C:\Windows\system32\Dwm.exe
PID 2968 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\f764309.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f762378.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f764309.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c4860c8714a58fd698618baf3bdb4560_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c4860c8714a58fd698618baf3bdb4560_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\f762378.exe

C:\Users\Admin\AppData\Local\Temp\f762378.exe

C:\Users\Admin\AppData\Local\Temp\f762877.exe

C:\Users\Admin\AppData\Local\Temp\f762877.exe

C:\Users\Admin\AppData\Local\Temp\f764309.exe

C:\Users\Admin\AppData\Local\Temp\f764309.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\f762378.exe

MD5 a14e05446142f64a9de2ccb4d1f12b4f
SHA1 ff2822a114f80bfd4670a142714395d238c16b91
SHA256 0e8010a72cb1fa967ddad3c78e395acb50edf7c063004c62666a8c65c2e1ed55
SHA512 27265c0dd7862ef782e8b757e2979d85cfbf2f469c8f884b426e88a7a6311e4e38c8f88a6128373e94c9a6f1721d718ccf7e321da60421c938dcd825068b7dc9

C:\Windows\SYSTEM.INI

MD5 426bdfcdc3f75bafd40209f2132a888b
SHA1 580448cb29f5e16fee2852319e3a4be3f225d8ef
SHA256 09e681b931024d24c3636de19a1375b2699adf3ace6358c0234f32782d944b78
SHA512 8a8512f42720a9c27b17e38e9f10c43d1f50cef78f47dba9ce39ddceea834c32cbc1e296fd3052498f41a843257ef715036159cff0e9f7f6bfcbf4a5ba2002eb

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 00:00

Reported

2024-06-16 00:03

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

151s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e577c54.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e577c54.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e577c54.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e577c54.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e577c54.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577c54.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577c54.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577c54.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577c54.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e577c54.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577c54.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577c54.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e577c54.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577c54.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e577c54.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e577c54.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e577c54.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e577c54.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e577c54.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e577c54.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e577c54.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e574f39 C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
File created C:\Windows\e57a44e C:\Users\Admin\AppData\Local\Temp\e577c54.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4576 wrote to memory of 4588 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4576 wrote to memory of 4588 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4576 wrote to memory of 4588 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4588 wrote to memory of 1852 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574ecc.exe
PID 4588 wrote to memory of 1852 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574ecc.exe
PID 4588 wrote to memory of 1852 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574ecc.exe
PID 1852 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Windows\system32\fontdrvhost.exe
PID 1852 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Windows\system32\fontdrvhost.exe
PID 1852 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Windows\system32\dwm.exe
PID 1852 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Windows\system32\sihost.exe
PID 1852 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Windows\system32\svchost.exe
PID 1852 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Windows\system32\taskhostw.exe
PID 1852 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Windows\Explorer.EXE
PID 1852 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Windows\system32\svchost.exe
PID 1852 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Windows\system32\DllHost.exe
PID 1852 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1852 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Windows\System32\RuntimeBroker.exe
PID 1852 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1852 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Windows\System32\RuntimeBroker.exe
PID 1852 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Windows\System32\RuntimeBroker.exe
PID 1852 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1852 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1852 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1852 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Windows\system32\rundll32.exe
PID 1852 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Windows\SysWOW64\rundll32.exe
PID 1852 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Windows\SysWOW64\rundll32.exe
PID 4588 wrote to memory of 4892 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57518b.exe
PID 4588 wrote to memory of 4892 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57518b.exe
PID 4588 wrote to memory of 4892 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57518b.exe
PID 1852 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Windows\system32\fontdrvhost.exe
PID 1852 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Windows\system32\fontdrvhost.exe
PID 1852 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Windows\system32\dwm.exe
PID 1852 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Windows\system32\sihost.exe
PID 1852 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Windows\system32\svchost.exe
PID 1852 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Windows\system32\taskhostw.exe
PID 1852 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Windows\Explorer.EXE
PID 1852 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Windows\system32\svchost.exe
PID 1852 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Windows\system32\DllHost.exe
PID 1852 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1852 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Windows\System32\RuntimeBroker.exe
PID 1852 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1852 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Windows\System32\RuntimeBroker.exe
PID 1852 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Windows\System32\RuntimeBroker.exe
PID 1852 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1852 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1852 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1852 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Windows\system32\rundll32.exe
PID 1852 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Users\Admin\AppData\Local\Temp\e57518b.exe
PID 1852 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Users\Admin\AppData\Local\Temp\e57518b.exe
PID 1852 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Windows\System32\RuntimeBroker.exe
PID 1852 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\e574ecc.exe C:\Windows\System32\RuntimeBroker.exe
PID 4588 wrote to memory of 4908 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e577c54.exe
PID 4588 wrote to memory of 4908 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e577c54.exe
PID 4588 wrote to memory of 4908 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e577c54.exe
PID 4908 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e577c54.exe C:\Windows\system32\fontdrvhost.exe
PID 4908 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\e577c54.exe C:\Windows\system32\fontdrvhost.exe
PID 4908 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\e577c54.exe C:\Windows\system32\dwm.exe
PID 4908 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\e577c54.exe C:\Windows\system32\sihost.exe
PID 4908 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\e577c54.exe C:\Windows\system32\svchost.exe
PID 4908 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\e577c54.exe C:\Windows\system32\taskhostw.exe
PID 4908 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\e577c54.exe C:\Windows\Explorer.EXE
PID 4908 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\e577c54.exe C:\Windows\system32\svchost.exe
PID 4908 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\e577c54.exe C:\Windows\system32\DllHost.exe
PID 4908 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\e577c54.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e574ecc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e577c54.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c4860c8714a58fd698618baf3bdb4560_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\c4860c8714a58fd698618baf3bdb4560_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\e574ecc.exe

C:\Users\Admin\AppData\Local\Temp\e574ecc.exe

C:\Users\Admin\AppData\Local\Temp\e57518b.exe

C:\Users\Admin\AppData\Local\Temp\e57518b.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e577c54.exe

C:\Users\Admin\AppData\Local\Temp\e577c54.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp

Files

memory/4588-2-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e574ecc.exe

MD5 a14e05446142f64a9de2ccb4d1f12b4f
SHA1 ff2822a114f80bfd4670a142714395d238c16b91
SHA256 0e8010a72cb1fa967ddad3c78e395acb50edf7c063004c62666a8c65c2e1ed55
SHA512 27265c0dd7862ef782e8b757e2979d85cfbf2f469c8f884b426e88a7a6311e4e38c8f88a6128373e94c9a6f1721d718ccf7e321da60421c938dcd825068b7dc9

memory/1852-5-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1852-6-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/1852-7-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/1852-10-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/1852-11-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4588-25-0x0000000002D30000-0x0000000002D32000-memory.dmp

memory/1852-28-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/1852-20-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/1852-32-0x00000000005D0000-0x00000000005D2000-memory.dmp

memory/4588-31-0x0000000002D30000-0x0000000002D32000-memory.dmp

memory/1852-13-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/1852-19-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/1852-24-0x00000000005E0000-0x00000000005E1000-memory.dmp

memory/4588-22-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

memory/4588-21-0x0000000002D30000-0x0000000002D32000-memory.dmp

memory/1852-30-0x00000000005D0000-0x00000000005D2000-memory.dmp

memory/1852-12-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/1852-9-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/1852-29-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/1852-35-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/1852-36-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/1852-37-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/4892-40-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4892-39-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/4892-41-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4908-46-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1852-51-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/1852-50-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/1852-53-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/1852-54-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/1852-56-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/1852-57-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/1852-58-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/1852-60-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/1852-61-0x00000000007D0000-0x000000000188A000-memory.dmp

memory/1852-69-0x00000000005D0000-0x00000000005D2000-memory.dmp

memory/1852-81-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4892-85-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4892-82-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4908-86-0x0000000000820000-0x00000000018DA000-memory.dmp

memory/4908-87-0x0000000000820000-0x00000000018DA000-memory.dmp

memory/4908-89-0x0000000000820000-0x00000000018DA000-memory.dmp

memory/4908-92-0x0000000000820000-0x00000000018DA000-memory.dmp

memory/4908-91-0x0000000000820000-0x00000000018DA000-memory.dmp

memory/4908-90-0x0000000000820000-0x00000000018DA000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 00535e24a794da2d959a34013b2662fb
SHA1 35b384df49fb9890ad9c62fa2fb15af50b3a4b14
SHA256 073f68ad50c65efc83734d443e218fe84813e9ff4a4a0bd85ad7b3235eda837a
SHA512 f21f0f66758b810ecb5d186bf8f4f104e2297a359af0d327a8a95e3c51442c5b1aed77a2518b53af3a9fedc40250ecf013755815a0866d6de982639ab2a05623

memory/4908-107-0x0000000000610000-0x0000000000611000-memory.dmp

memory/4908-106-0x0000000000600000-0x0000000000602000-memory.dmp

memory/4908-136-0x0000000000820000-0x00000000018DA000-memory.dmp

memory/4908-137-0x0000000000400000-0x0000000000412000-memory.dmp