Malware Analysis Report

2024-09-11 12:09

Sample ID 240617-cw9ndazere
Target 36b4e870e4c76051d0090bd8836a4340_NeikiAnalytics.exe
SHA256 e5435ea2ad2749b19e900b3511a29068e24e015628e294539782596770d18512
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e5435ea2ad2749b19e900b3511a29068e24e015628e294539782596770d18512

Threat Level: Known bad

The file 36b4e870e4c76051d0090bd8836a4340_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Modifies firewall policy service

Sality

Windows security bypass

UAC bypass

UPX packed file

Executes dropped EXE

Windows security modification

Loads dropped DLL

Enumerates connected drives

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-17 02:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 02:26

Reported

2024-06-17 02:29

Platform

win7-20240220-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Windows\system32\Dwm.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f761ea8.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f761ea8.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f761ea8.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f761d31.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f761d31.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f761d31.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761ea8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761d31.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761ea8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761ea8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761ea8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761d31.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761d31.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761d31.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761d31.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761d31.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761ea8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761ea8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761ea8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761d31.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761d31.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f761d31.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761ea8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761d31.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761d31.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761ea8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f761ea8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761d31.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761d31.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761ea8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761ea8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761ea8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761d31.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761ea8.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761d31.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761ea8.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f761d31.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f761d31.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f761d31.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f761d31.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f761d31.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f761d31.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f761d31.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f761d31.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f761d31.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f761d31.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f761d31.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f761d31.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f761d31.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f761d31.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f766da1 C:\Users\Admin\AppData\Local\Temp\f761ea8.exe N/A
File created C:\Windows\f761d7f C:\Users\Admin\AppData\Local\Temp\f761d31.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f761d31.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761d31.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761ea8.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761d31.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761ea8.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 1740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2208 wrote to memory of 1740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2208 wrote to memory of 1740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2208 wrote to memory of 1740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2208 wrote to memory of 1740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2208 wrote to memory of 1740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2208 wrote to memory of 1740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1740 wrote to memory of 1752 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761d31.exe
PID 1740 wrote to memory of 1752 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761d31.exe
PID 1740 wrote to memory of 1752 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761d31.exe
PID 1740 wrote to memory of 1752 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761d31.exe
PID 1752 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\f761d31.exe C:\Windows\system32\Dwm.exe
PID 1752 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\f761d31.exe C:\Windows\Explorer.EXE
PID 1752 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\f761d31.exe C:\Windows\system32\taskhost.exe
PID 1752 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\f761d31.exe C:\Windows\system32\DllHost.exe
PID 1752 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\f761d31.exe C:\Windows\system32\rundll32.exe
PID 1752 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\f761d31.exe C:\Windows\SysWOW64\rundll32.exe
PID 1752 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\f761d31.exe C:\Windows\SysWOW64\rundll32.exe
PID 1740 wrote to memory of 2504 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761ea8.exe
PID 1740 wrote to memory of 2504 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761ea8.exe
PID 1740 wrote to memory of 2504 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761ea8.exe
PID 1740 wrote to memory of 2504 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761ea8.exe
PID 1740 wrote to memory of 1648 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7638eb.exe
PID 1740 wrote to memory of 1648 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7638eb.exe
PID 1740 wrote to memory of 1648 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7638eb.exe
PID 1740 wrote to memory of 1648 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7638eb.exe
PID 1752 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\f761d31.exe C:\Windows\system32\Dwm.exe
PID 1752 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\f761d31.exe C:\Windows\Explorer.EXE
PID 1752 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\f761d31.exe C:\Windows\system32\taskhost.exe
PID 1752 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\f761d31.exe C:\Users\Admin\AppData\Local\Temp\f761ea8.exe
PID 1752 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\f761d31.exe C:\Users\Admin\AppData\Local\Temp\f761ea8.exe
PID 1752 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\f761d31.exe C:\Users\Admin\AppData\Local\Temp\f7638eb.exe
PID 1752 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\f761d31.exe C:\Users\Admin\AppData\Local\Temp\f7638eb.exe
PID 2504 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\f761ea8.exe C:\Windows\system32\Dwm.exe
PID 2504 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\f761ea8.exe C:\Windows\Explorer.EXE
PID 2504 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\f761ea8.exe C:\Windows\system32\taskhost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761d31.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761ea8.exe N/A

Processes

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\36b4e870e4c76051d0090bd8836a4340_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\36b4e870e4c76051d0090bd8836a4340_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\f761d31.exe

C:\Users\Admin\AppData\Local\Temp\f761d31.exe

C:\Users\Admin\AppData\Local\Temp\f761ea8.exe

C:\Users\Admin\AppData\Local\Temp\f761ea8.exe

C:\Users\Admin\AppData\Local\Temp\f7638eb.exe

C:\Users\Admin\AppData\Local\Temp\f7638eb.exe

Network

N/A

Files

memory/1740-1-0x0000000010000000-0x0000000010020000-memory.dmp

\Users\Admin\AppData\Local\Temp\f761d31.exe

MD5 7caecc5f150abd82149d38264ffc7843
SHA1 2d6bc1226a46a52b7ab10ae4e1140ecb75b53d02
SHA256 3780eb6909c7d63be9bde55741f9ed6b63d6d2c95f483ef60a4aa44286a4dba7
SHA512 4d34bd2cf1d54e123d7db746e0bcd1ad35f98af391316c5821e1f344189b7753947f44becf45bf18595be192bec82b23ef656b99d8665bfd03e4c234dbed892e

memory/1740-9-0x0000000000140000-0x0000000000152000-memory.dmp

memory/1752-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1740-10-0x0000000000140000-0x0000000000152000-memory.dmp

memory/1752-12-0x0000000000650000-0x000000000170A000-memory.dmp

memory/1752-17-0x0000000000650000-0x000000000170A000-memory.dmp

memory/1752-19-0x0000000000650000-0x000000000170A000-memory.dmp

memory/1752-14-0x0000000000650000-0x000000000170A000-memory.dmp

memory/1752-20-0x0000000000650000-0x000000000170A000-memory.dmp

memory/1752-18-0x0000000000650000-0x000000000170A000-memory.dmp

memory/1036-28-0x0000000000130000-0x0000000000132000-memory.dmp

memory/1752-47-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/1752-45-0x0000000000520000-0x0000000000521000-memory.dmp

memory/1752-48-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/1740-44-0x0000000000180000-0x0000000000181000-memory.dmp

memory/1752-21-0x0000000000650000-0x000000000170A000-memory.dmp

memory/1740-36-0x0000000000180000-0x0000000000181000-memory.dmp

memory/1740-35-0x0000000000170000-0x0000000000172000-memory.dmp

memory/1752-15-0x0000000000650000-0x000000000170A000-memory.dmp

memory/1752-22-0x0000000000650000-0x000000000170A000-memory.dmp

memory/1752-16-0x0000000000650000-0x000000000170A000-memory.dmp

memory/2504-59-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1740-58-0x0000000000170000-0x0000000000172000-memory.dmp

memory/1740-57-0x00000000001F0000-0x0000000000202000-memory.dmp

memory/1740-55-0x0000000000170000-0x0000000000172000-memory.dmp

memory/1752-60-0x0000000000650000-0x000000000170A000-memory.dmp

memory/1752-61-0x0000000000650000-0x000000000170A000-memory.dmp

memory/1752-63-0x0000000000650000-0x000000000170A000-memory.dmp

memory/1752-64-0x0000000000650000-0x000000000170A000-memory.dmp

memory/1752-62-0x0000000000650000-0x000000000170A000-memory.dmp

memory/1752-66-0x0000000000650000-0x000000000170A000-memory.dmp

memory/1740-77-0x0000000000140000-0x0000000000142000-memory.dmp

memory/1740-75-0x0000000000170000-0x0000000000172000-memory.dmp

memory/1752-79-0x0000000000650000-0x000000000170A000-memory.dmp

memory/1752-80-0x0000000000650000-0x000000000170A000-memory.dmp

memory/1752-82-0x0000000000650000-0x000000000170A000-memory.dmp

memory/1648-98-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/1648-99-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/2504-92-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2504-91-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/1648-101-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/2504-100-0x0000000000260000-0x0000000000262000-memory.dmp

memory/1752-102-0x0000000000650000-0x000000000170A000-memory.dmp

memory/1752-103-0x0000000000650000-0x000000000170A000-memory.dmp

memory/1752-106-0x0000000000650000-0x000000000170A000-memory.dmp

memory/1752-116-0x0000000000650000-0x000000000170A000-memory.dmp

memory/1752-151-0x0000000000650000-0x000000000170A000-memory.dmp

memory/1752-150-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 9ced708e19cfd3fde329cf8e98fe8c62
SHA1 9aee5e7e721966940d5735898b0ea932e1ba54b6
SHA256 ba0fccc0af6fac72bee6d10aec1b3163abb1dd7eb4477f8c52e18d558d5ad210
SHA512 d925a250520ebf7ce91b4128f3877bef2678fc75fe03c88b8fe5ddcf6a9bd36e907ba9bcebeb455a41eff29cec8eb0ef6d98cb2b037e2d718ff5e1e580f1f0fd

memory/2504-163-0x00000000009C0000-0x0000000001A7A000-memory.dmp

memory/2504-185-0x00000000009C0000-0x0000000001A7A000-memory.dmp

memory/2504-184-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1648-189-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 02:26

Reported

2024-06-17 02:29

Platform

win10v2004-20240611-en

Max time kernel

125s

Max time network

126s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e57e242.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e57e242.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e57e242.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57e242.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5806b2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57e242.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57e242.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57e242.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5806b2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5806b2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5806b2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57e242.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57e242.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57e242.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5806b2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5806b2.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57e242.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57e242.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5806b2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5806b2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5806b2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57e242.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e5806b2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57e242.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5806b2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57e242.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57e242.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57e242.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5806b2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5806b2.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57e242.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e57e242.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e57e242.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e57e242.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e57e242.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e57e242.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e57e242.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e57e242.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e57e242.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e57e242.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e57e242.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e57e242.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e57e242.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e57e242.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e57e290 C:\Users\Admin\AppData\Local\Temp\e57e242.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e57e242.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4036 wrote to memory of 4828 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4036 wrote to memory of 4828 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4036 wrote to memory of 4828 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4828 wrote to memory of 2040 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57e242.exe
PID 4828 wrote to memory of 2040 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57e242.exe
PID 4828 wrote to memory of 2040 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57e242.exe
PID 2040 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Windows\system32\fontdrvhost.exe
PID 2040 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Windows\system32\fontdrvhost.exe
PID 2040 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Windows\system32\dwm.exe
PID 2040 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Windows\system32\sihost.exe
PID 2040 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Windows\system32\svchost.exe
PID 2040 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Windows\system32\taskhostw.exe
PID 2040 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Windows\Explorer.EXE
PID 2040 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Windows\system32\svchost.exe
PID 2040 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Windows\system32\DllHost.exe
PID 2040 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2040 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Windows\System32\RuntimeBroker.exe
PID 2040 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2040 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Windows\System32\RuntimeBroker.exe
PID 2040 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Windows\System32\RuntimeBroker.exe
PID 2040 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2040 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2040 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2040 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2040 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2040 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2040 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2040 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2040 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Windows\system32\rundll32.exe
PID 2040 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Windows\SysWOW64\rundll32.exe
PID 2040 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Windows\SysWOW64\rundll32.exe
PID 4828 wrote to memory of 1236 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57e32c.exe
PID 4828 wrote to memory of 1236 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57e32c.exe
PID 4828 wrote to memory of 1236 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57e32c.exe
PID 4828 wrote to memory of 2920 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5806b2.exe
PID 4828 wrote to memory of 2920 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5806b2.exe
PID 4828 wrote to memory of 2920 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5806b2.exe
PID 2040 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Windows\system32\fontdrvhost.exe
PID 2040 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Windows\system32\fontdrvhost.exe
PID 2040 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Windows\system32\dwm.exe
PID 2040 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Windows\system32\sihost.exe
PID 2040 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Windows\system32\svchost.exe
PID 2040 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Windows\system32\taskhostw.exe
PID 2040 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Windows\Explorer.EXE
PID 2040 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Windows\system32\svchost.exe
PID 2040 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Windows\system32\DllHost.exe
PID 2040 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2040 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Windows\System32\RuntimeBroker.exe
PID 2040 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2040 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Windows\System32\RuntimeBroker.exe
PID 2040 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Windows\System32\RuntimeBroker.exe
PID 2040 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2040 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2040 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2040 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2040 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2040 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2040 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2040 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2040 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Users\Admin\AppData\Local\Temp\e57e32c.exe
PID 2040 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Users\Admin\AppData\Local\Temp\e57e32c.exe
PID 2040 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2040 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Windows\System32\RuntimeBroker.exe
PID 2040 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\e57e242.exe C:\Windows\System32\RuntimeBroker.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57e242.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=125.0.2535.92 --initial-client-data=0x23c,0x240,0x244,0x238,0x24c,0x7ffca7cc4ef8,0x7ffca7cc4f04,0x7ffca7cc4f10

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2300,i,3595107284059830391,18018199024659337217,262144 --variations-seed-version --mojo-platform-channel-handle=2296 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1944,i,3595107284059830391,18018199024659337217,262144 --variations-seed-version --mojo-platform-channel-handle=3416 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2416,i,3595107284059830391,18018199024659337217,262144 --variations-seed-version --mojo-platform-channel-handle=3604 /prefetch:8

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\36b4e870e4c76051d0090bd8836a4340_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\36b4e870e4c76051d0090bd8836a4340_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\e57e242.exe

C:\Users\Admin\AppData\Local\Temp\e57e242.exe

C:\Users\Admin\AppData\Local\Temp\e57e32c.exe

C:\Users\Admin\AppData\Local\Temp\e57e32c.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4292,i,3595107284059830391,18018199024659337217,262144 --variations-seed-version --mojo-platform-channel-handle=1292 /prefetch:8

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e5806b2.exe

C:\Users\Admin\AppData\Local\Temp\e5806b2.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\e57e242.exe

MD5 7caecc5f150abd82149d38264ffc7843
SHA1 2d6bc1226a46a52b7ab10ae4e1140ecb75b53d02
SHA256 3780eb6909c7d63be9bde55741f9ed6b63d6d2c95f483ef60a4aa44286a4dba7
SHA512 4d34bd2cf1d54e123d7db746e0bcd1ad35f98af391316c5821e1f344189b7753947f44becf45bf18595be192bec82b23ef656b99d8665bfd03e4c234dbed892e
