Malware Analysis Report

2024-09-11 11:59

Sample ID 240616-h5ga3svapb
Target e019b869a1ac526dc6305eacaef4e430_NeikiAnalytics.exe
SHA256 319d36b75249c5ce55b6521beef91f1ada501734b52d2bdfcc18a0bc787b8ba3
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

319d36b75249c5ce55b6521beef91f1ada501734b52d2bdfcc18a0bc787b8ba3

Threat Level: Known bad

The file e019b869a1ac526dc6305eacaef4e430_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Windows security bypass

Sality

Modifies firewall policy service

UAC bypass

Executes dropped EXE

Windows security modification

UPX packed file

Loads dropped DLL

Enumerates connected drives

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

System policy modification

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-16 07:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 07:18

Reported

2024-06-16 07:21

Platform

win10v2004-20240611-en

Max time kernel

121s

Max time network

100s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e5756da.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e5756da.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e5756da.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e573662.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e573662.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e573662.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5756da.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e573662.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573662.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573662.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573662.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573662.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5756da.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5756da.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5756da.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573662.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573662.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5756da.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5756da.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5756da.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5756da.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5756da.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5756da.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5756da.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573662.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573662.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573662.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e573662.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573662.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573662.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573662.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5756da.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e5756da.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5756da.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e573662.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5756da.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e573662.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e573662.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e573662.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e573662.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e573662.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e573662.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e5756da.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e573662.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e573662.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e5756da.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e573662.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e573662.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e573662.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e5756da.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e573662.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e573662.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e573662.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e5736b0 C:\Users\Admin\AppData\Local\Temp\e573662.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e573662.exe N/A
File created C:\Windows\e5786d3 C:\Users\Admin\AppData\Local\Temp\e5756da.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573662.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4572 wrote to memory of 3796 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3796 wrote to memory of 2148 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e573662.exe
PID 2148 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\e573662.exe C:\Windows\system32\fontdrvhost.exe
PID 2148 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\e573662.exe C:\Windows\system32\fontdrvhost.exe
PID 2148 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\e573662.exe C:\Windows\system32\dwm.exe
PID 2148 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\e573662.exe C:\Windows\system32\sihost.exe
PID 2148 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\e573662.exe C:\Windows\system32\svchost.exe
PID 2148 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\e573662.exe C:\Windows\system32\taskhostw.exe
PID 2148 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\e573662.exe C:\Windows\Explorer.EXE
PID 2148 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\e573662.exe C:\Windows\system32\svchost.exe
PID 2148 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\e573662.exe C:\Windows\system32\DllHost.exe
PID 2148 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\e573662.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2148 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\e573662.exe C:\Windows\System32\RuntimeBroker.exe
PID 2148 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\e573662.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2148 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\e573662.exe C:\Windows\System32\RuntimeBroker.exe
PID 2148 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\e573662.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2148 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\e573662.exe C:\Windows\System32\RuntimeBroker.exe
PID 2148 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\e573662.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2148 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\e573662.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2148 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\e573662.exe C:\Windows\system32\rundll32.exe
PID 2148 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\e573662.exe C:\Windows\SysWOW64\rundll32.exe
PID 3796 wrote to memory of 536 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57372d.exe
PID 3796 wrote to memory of 1104 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5756cb.exe
PID 3796 wrote to memory of 5028 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5756da.exe
PID 2148 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\e573662.exe C:\Users\Admin\AppData\Local\Temp\e57372d.exe
PID 2148 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\e573662.exe C:\Windows\System32\RuntimeBroker.exe
PID 2148 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\e573662.exe C:\Windows\System32\RuntimeBroker.exe
PID 2148 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\e573662.exe C:\Users\Admin\AppData\Local\Temp\e5756cb.exe
PID 2148 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\e573662.exe C:\Users\Admin\AppData\Local\Temp\e5756da.exe
PID 5028 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\e5756da.exe C:\Windows\system32\fontdrvhost.exe
PID 5028 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\e5756da.exe C:\Windows\system32\fontdrvhost.exe
PID 5028 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\e5756da.exe C:\Windows\system32\dwm.exe
PID 5028 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\e5756da.exe C:\Windows\system32\sihost.exe
PID 5028 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\e5756da.exe C:\Windows\system32\svchost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e573662.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5756da.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e019b869a1ac526dc6305eacaef4e430_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e019b869a1ac526dc6305eacaef4e430_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\e573662.exe

C:\Users\Admin\AppData\Local\Temp\e573662.exe

C:\Users\Admin\AppData\Local\Temp\e57372d.exe

C:\Users\Admin\AppData\Local\Temp\e57372d.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e5756cb.exe

C:\Users\Admin\AppData\Local\Temp\e5756cb.exe

C:\Users\Admin\AppData\Local\Temp\e5756da.exe

C:\Users\Admin\AppData\Local\Temp\e5756da.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\e573662.exe

MD5 5ecd5ca20806574e98b3d6a91ac94fae
SHA1 96c7fc2145a2dbad5ed2bf24477b5f562f3d23b3
SHA256 2bc4ec9a4d416f6417a27c7a9fbaac604192b6af3d741b977bc67e0ebf5920a8
SHA512 510940c02d50d0511db4b9cdb4d87125f1366be3c85e5b0adbc8fef44120434738430670f1ab8fb0040bf633563b8bc4e6a3be61de5d66bdd31f4284217ed3b7

C:\Windows\SYSTEM.INI

MD5 fdda6076619c6d83b3ebebe7c7ae4c79
SHA1 3b71d031e726e465755322ebeec909640a36d4ca
SHA256 f9e3a30ead783553056a4b1790bd3983cc82fde384f80ecf5b0b696294890fc7
SHA512 0265196706ecb637120a95be4a61716631aa27228ca20eda8560296da3be61258ba82b33bd0ae2fc98caa9c39c0827ff254807bc80200019b237004c4b5cdd47

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 07:18

Reported

2024-06-16 07:21

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f7633cd.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f7633cd.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f7633cd.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7633cd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7633cd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7633cd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7633cd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7633cd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7633cd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7633cd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7633cd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7633cd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7633cd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7633cd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7633cd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f7633cd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f7633cd.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7633cd.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f763256 C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
File created C:\Windows\f768298 C:\Users\Admin\AppData\Local\Temp\f7633cd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f7633cd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7633cd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7633cd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7633cd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7633cd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7633cd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7633cd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7633cd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7633cd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7633cd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7633cd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7633cd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7633cd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f7633cd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1224 wrote to memory of 1684 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1224 wrote to memory of 1684 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1224 wrote to memory of 1684 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1224 wrote to memory of 1684 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1224 wrote to memory of 1684 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1224 wrote to memory of 1684 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1224 wrote to memory of 1684 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1684 wrote to memory of 3008 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7631e9.exe
PID 1684 wrote to memory of 3008 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7631e9.exe
PID 1684 wrote to memory of 3008 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7631e9.exe
PID 1684 wrote to memory of 3008 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7631e9.exe
PID 3008 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\f7631e9.exe C:\Windows\system32\taskhost.exe
PID 3008 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\f7631e9.exe C:\Windows\system32\Dwm.exe
PID 3008 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\f7631e9.exe C:\Windows\Explorer.EXE
PID 3008 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\f7631e9.exe C:\Windows\system32\DllHost.exe
PID 3008 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\f7631e9.exe C:\Windows\system32\rundll32.exe
PID 3008 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\f7631e9.exe C:\Windows\SysWOW64\rundll32.exe
PID 3008 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\f7631e9.exe C:\Windows\SysWOW64\rundll32.exe
PID 1684 wrote to memory of 2784 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7633cd.exe
PID 1684 wrote to memory of 2784 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7633cd.exe
PID 1684 wrote to memory of 2784 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7633cd.exe
PID 1684 wrote to memory of 2784 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7633cd.exe
PID 1684 wrote to memory of 2900 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f764da3.exe
PID 1684 wrote to memory of 2900 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f764da3.exe
PID 1684 wrote to memory of 2900 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f764da3.exe
PID 1684 wrote to memory of 2900 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f764da3.exe
PID 3008 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\f7631e9.exe C:\Windows\system32\taskhost.exe
PID 3008 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\f7631e9.exe C:\Windows\system32\Dwm.exe
PID 3008 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\f7631e9.exe C:\Windows\Explorer.EXE
PID 3008 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\f7631e9.exe C:\Users\Admin\AppData\Local\Temp\f7633cd.exe
PID 3008 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\f7631e9.exe C:\Users\Admin\AppData\Local\Temp\f7633cd.exe
PID 3008 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\f7631e9.exe C:\Users\Admin\AppData\Local\Temp\f764da3.exe
PID 3008 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\f7631e9.exe C:\Users\Admin\AppData\Local\Temp\f764da3.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7631e9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f7633cd.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e019b869a1ac526dc6305eacaef4e430_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e019b869a1ac526dc6305eacaef4e430_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\f7631e9.exe

C:\Users\Admin\AppData\Local\Temp\f7631e9.exe

C:\Users\Admin\AppData\Local\Temp\f7633cd.exe

C:\Users\Admin\AppData\Local\Temp\f7633cd.exe

C:\Users\Admin\AppData\Local\Temp\f764da3.exe

C:\Users\Admin\AppData\Local\Temp\f764da3.exe

Network

N/A

Files

memory/1684-2-0x0000000010000000-0x0000000010020000-memory.dmp

memory/1684-1-0x0000000010000000-0x0000000010020000-memory.dmp

memory/1684-0-0x0000000010000000-0x0000000010020000-memory.dmp

\Users\Admin\AppData\Local\Temp\f7631e9.exe

MD5 5ecd5ca20806574e98b3d6a91ac94fae
SHA1 96c7fc2145a2dbad5ed2bf24477b5f562f3d23b3
SHA256 2bc4ec9a4d416f6417a27c7a9fbaac604192b6af3d741b977bc67e0ebf5920a8
SHA512 510940c02d50d0511db4b9cdb4d87125f1366be3c85e5b0adbc8fef44120434738430670f1ab8fb0040bf633563b8bc4e6a3be61de5d66bdd31f4284217ed3b7

memory/3008-13-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1684-12-0x0000000000130000-0x0000000000142000-memory.dmp

memory/1684-11-0x0000000000130000-0x0000000000142000-memory.dmp

memory/3008-19-0x0000000000590000-0x000000000164A000-memory.dmp

memory/3008-16-0x0000000000590000-0x000000000164A000-memory.dmp

memory/3008-22-0x0000000000590000-0x000000000164A000-memory.dmp

memory/3008-18-0x0000000000590000-0x000000000164A000-memory.dmp

memory/3008-17-0x0000000000590000-0x000000000164A000-memory.dmp

memory/3008-25-0x0000000000590000-0x000000000164A000-memory.dmp

memory/1684-61-0x0000000000260000-0x0000000000262000-memory.dmp

memory/1684-60-0x0000000000310000-0x0000000000322000-memory.dmp

memory/3008-59-0x00000000030C0000-0x00000000030C2000-memory.dmp

memory/1684-58-0x0000000000260000-0x0000000000262000-memory.dmp

memory/3008-51-0x00000000030C0000-0x00000000030C2000-memory.dmp

memory/3008-24-0x0000000000590000-0x000000000164A000-memory.dmp

memory/3008-49-0x00000000030D0000-0x00000000030D1000-memory.dmp

memory/1684-48-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/3008-23-0x0000000000590000-0x000000000164A000-memory.dmp

memory/1684-39-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/1684-38-0x0000000000260000-0x0000000000262000-memory.dmp

memory/1096-31-0x0000000002070000-0x0000000002072000-memory.dmp

memory/3008-21-0x0000000000590000-0x000000000164A000-memory.dmp

memory/3008-20-0x0000000000590000-0x000000000164A000-memory.dmp

memory/3008-63-0x0000000000590000-0x000000000164A000-memory.dmp

memory/3008-64-0x0000000000590000-0x000000000164A000-memory.dmp

memory/3008-65-0x0000000000590000-0x000000000164A000-memory.dmp

memory/3008-67-0x0000000000590000-0x000000000164A000-memory.dmp

memory/3008-66-0x0000000000590000-0x000000000164A000-memory.dmp

memory/3008-69-0x0000000000590000-0x000000000164A000-memory.dmp

memory/3008-70-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2900-83-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1684-82-0x0000000000130000-0x0000000000132000-memory.dmp

memory/3008-84-0x0000000000590000-0x000000000164A000-memory.dmp

memory/3008-87-0x0000000000590000-0x000000000164A000-memory.dmp

memory/3008-88-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2900-106-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2784-105-0x0000000000360000-0x0000000000362000-memory.dmp

memory/2900-104-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2900-103-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2784-101-0x0000000000360000-0x0000000000362000-memory.dmp

memory/3008-107-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2784-97-0x00000000003B0000-0x00000000003B1000-memory.dmp

memory/3008-109-0x0000000000590000-0x000000000164A000-memory.dmp

memory/3008-127-0x00000000030C0000-0x00000000030C2000-memory.dmp

memory/3008-151-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3008-150-0x0000000000590000-0x000000000164A000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 6ef11c0b42ede551cf6611b7d5e6e889
SHA1 6f38c98920a136a0d1a18aee425d34559f3dca97
SHA256 ce65c7647aa604ad7d90b51ecfc4218f49e471aed9920a110e0bf56f9dc11c32
SHA512 784bd4287f68db96964097b8c58e5b8fd8d854a6dc1d21d83d0730ec598aeafea18fd8f9c9321b01c47c9f1800efebee6ad4ff73cd447960e4d079912159a0c8

memory/2784-163-0x0000000000A60000-0x0000000001B1A000-memory.dmp

memory/2784-177-0x0000000000A60000-0x0000000001B1A000-memory.dmp

memory/2784-176-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2900-181-0x0000000000400000-0x0000000000412000-memory.dmp