Malware Analysis Report

2024-09-11 12:01

Sample ID: 240617-cxmj8szfjg
Target: 36caf71ae0233577a44af1f9d7bd2370_NeikiAnalytics.exe
SHA256: 529661c8cc256ead74a598e70a73fd28a7f4f1653e6d90854e235c1cde3b2aec
Tags: sality backdoor evasion trojan upx
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 529661c8cc256ead74a598e70a73fd28a7f4f1653e6d90854e235c1cde3b2aec

Threat Level: Known bad

The file 36caf71ae0233577a44af1f9d7bd2370_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Sality

Windows security bypass

UAC bypass

Modifies firewall policy service

Executes dropped EXE

UPX packed file

Windows security modification

Loads dropped DLL

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-17 02:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-17 02:27

Reported: 2024-06-17 02:30

Platform: win7-20240611-en

Max time kernel: 28s

Max time network: 129s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f76cdab C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A
File created C:\Windows\f767cce C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1052 wrote to memory of 2064 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1052 wrote to memory of 2064 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1052 wrote to memory of 2064 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1052 wrote to memory of 2064 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1052 wrote to memory of 2064 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1052 wrote to memory of 2064 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1052 wrote to memory of 2064 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2064 wrote to memory of 2500 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f767ba5.exe
PID 2064 wrote to memory of 2500 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f767ba5.exe
PID 2064 wrote to memory of 2500 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f767ba5.exe
PID 2064 wrote to memory of 2500 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f767ba5.exe
PID 2500 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\f767ba5.exe C:\Windows\system32\taskhost.exe
PID 2500 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\f767ba5.exe C:\Windows\system32\Dwm.exe
PID 2500 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\f767ba5.exe C:\Windows\Explorer.EXE
PID 2500 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\f767ba5.exe C:\Windows\system32\DllHost.exe
PID 2500 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\f767ba5.exe C:\Windows\system32\rundll32.exe
PID 2500 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\f767ba5.exe C:\Windows\SysWOW64\rundll32.exe
PID 2500 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\f767ba5.exe C:\Windows\SysWOW64\rundll32.exe
PID 2064 wrote to memory of 2460 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f767fab.exe
PID 2064 wrote to memory of 2460 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f767fab.exe
PID 2064 wrote to memory of 2460 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f767fab.exe
PID 2064 wrote to memory of 2460 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f767fab.exe
PID 2064 wrote to memory of 2400 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76a583.exe
PID 2064 wrote to memory of 2400 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76a583.exe
PID 2064 wrote to memory of 2400 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76a583.exe
PID 2064 wrote to memory of 2400 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76a583.exe
PID 2500 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\f767ba5.exe C:\Windows\system32\taskhost.exe
PID 2500 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\f767ba5.exe C:\Windows\system32\Dwm.exe
PID 2500 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\f767ba5.exe C:\Windows\Explorer.EXE
PID 2500 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\f767ba5.exe C:\Users\Admin\AppData\Local\Temp\f767fab.exe
PID 2500 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\f767ba5.exe C:\Users\Admin\AppData\Local\Temp\f767fab.exe
PID 2500 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\f767ba5.exe C:\Users\Admin\AppData\Local\Temp\f76a583.exe
PID 2500 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\f767ba5.exe C:\Users\Admin\AppData\Local\Temp\f76a583.exe
PID 2400 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\f76a583.exe C:\Windows\system32\taskhost.exe
PID 2400 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\f76a583.exe C:\Windows\system32\Dwm.exe
PID 2400 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\f76a583.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f767ba5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76a583.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\36caf71ae0233577a44af1f9d7bd2370_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\36caf71ae0233577a44af1f9d7bd2370_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\f767ba5.exe

C:\Users\Admin\AppData\Local\Temp\f767ba5.exe

C:\Users\Admin\AppData\Local\Temp\f767fab.exe

C:\Users\Admin\AppData\Local\Temp\f767fab.exe

C:\Users\Admin\AppData\Local\Temp\f76a583.exe

C:\Users\Admin\AppData\Local\Temp\f76a583.exe

Network

N/A

Files

memory/2064-0-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2064-2-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2064-3-0x0000000010000000-0x0000000010020000-memory.dmp

\Users\Admin\AppData\Local\Temp\f767ba5.exe

MD5 f63518108553bfb1b3be8706448d9994
SHA1 4ea755e63164445e305c6a26ca0c465c44ebfc57
SHA256 8b7ded898e122afaf09cbe9ec9833eefb8edb89e3862b6fc531ac154d5f1fac5
SHA512 8654dd56d32284bf15e9703ee779b30e4083af603e72f6e9d5cdd30ba02f333ab1ab4a7bab53717d92c62e995776e14322fda35fb248732185556bebb7ad25b1

memory/2064-6-0x00000000000B0000-0x00000000000C2000-memory.dmp

memory/2500-12-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2500-17-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2500-22-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2064-58-0x0000000000130000-0x0000000000132000-memory.dmp

memory/2460-60-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2064-57-0x00000000001D0000-0x00000000001E2000-memory.dmp

memory/2500-56-0x00000000017B0000-0x00000000017B2000-memory.dmp

memory/2064-55-0x0000000000130000-0x0000000000132000-memory.dmp

memory/2064-33-0x0000000000140000-0x0000000000141000-memory.dmp

memory/2064-32-0x0000000000130000-0x0000000000132000-memory.dmp

memory/1104-26-0x0000000001BC0000-0x0000000001BC2000-memory.dmp

memory/2500-16-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2500-21-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2500-20-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2500-48-0x00000000017B0000-0x00000000017B2000-memory.dmp

memory/2500-19-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2064-43-0x0000000000140000-0x0000000000141000-memory.dmp

memory/2500-42-0x0000000003D30000-0x0000000003D31000-memory.dmp

memory/2500-41-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2500-18-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2500-15-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2500-23-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2500-61-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2500-62-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2500-63-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2500-65-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2500-64-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2500-67-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2500-68-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2500-69-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2500-70-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2500-73-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2460-98-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2460-97-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2460-96-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2400-87-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2400-105-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2400-104-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2064-85-0x00000000000B0000-0x00000000000B6000-memory.dmp

memory/2064-82-0x0000000000130000-0x0000000000132000-memory.dmp

memory/2500-106-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2500-108-0x0000000000560000-0x000000000161A000-memory.dmp

memory/2500-120-0x00000000017B0000-0x00000000017B2000-memory.dmp

memory/2500-153-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2500-152-0x0000000000560000-0x000000000161A000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 a7eda251877bb0562b3bae7ec000f2cd
SHA1 0dfd0f0c60c76018361b9b838e96e50ef5741a55
SHA256 d79ced375ed02c28741393cc9df6bdaa29bb596316a0013c457d34c773f51722
SHA512 0045625aa4bde434fd119d612e3b557852bd0d1ef4ca5c39e4b35f10ad5df8de8be1754ff6fa86a6000e7cb1ae321c8e06d48ce4c1cc5b0816985efb37efab88

memory/2400-168-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2460-177-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2400-209-0x0000000000980000-0x0000000001A3A000-memory.dmp

memory/2400-208-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-17 02:27

Reported: 2024-06-17 02:30

Platform: win10v2004-20240611-en

Max time kernel: 149s

Max time network: 150s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e5788b8.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e5788b8.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e5788b8.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5788b8.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5788b8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5788b8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5788b8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5788b8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5788b8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5788b8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5788b8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5788b8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5788b8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e5788b8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5788b8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5788b8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5788b8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5788b8.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e5788b8.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e5788b8.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e5788b8.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e5754c7 C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
File created C:\Windows\e57b026 C:\Users\Admin\AppData\Local\Temp\e5788b8.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2160 wrote to memory of 1848 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2160 wrote to memory of 1848 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2160 wrote to memory of 1848 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1848 wrote to memory of 228 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575479.exe
PID 1848 wrote to memory of 228 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575479.exe
PID 1848 wrote to memory of 228 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575479.exe
PID 228 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe C:\Windows\system32\fontdrvhost.exe
PID 228 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe C:\Windows\system32\fontdrvhost.exe
PID 228 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe C:\Windows\system32\dwm.exe
PID 228 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe C:\Windows\system32\sihost.exe
PID 228 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe C:\Windows\system32\svchost.exe
PID 228 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe C:\Windows\system32\taskhostw.exe
PID 228 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe C:\Windows\Explorer.EXE
PID 228 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe C:\Windows\system32\svchost.exe
PID 228 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe C:\Windows\system32\DllHost.exe
PID 228 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 228 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe C:\Windows\System32\RuntimeBroker.exe
PID 228 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 228 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe C:\Windows\System32\RuntimeBroker.exe
PID 228 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe C:\Windows\System32\RuntimeBroker.exe
PID 228 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 228 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe C:\Windows\system32\backgroundTaskHost.exe
PID 228 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe C:\Windows\system32\backgroundTaskHost.exe
PID 228 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe C:\Windows\system32\rundll32.exe
PID 228 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe C:\Windows\SysWOW64\rundll32.exe
PID 228 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe C:\Windows\SysWOW64\rundll32.exe
PID 1848 wrote to memory of 608 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5755e0.exe
PID 1848 wrote to memory of 608 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5755e0.exe
PID 1848 wrote to memory of 608 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5755e0.exe
PID 228 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe C:\Windows\system32\fontdrvhost.exe
PID 228 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe C:\Windows\system32\fontdrvhost.exe
PID 228 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe C:\Windows\system32\dwm.exe
PID 228 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe C:\Windows\system32\sihost.exe
PID 228 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe C:\Windows\system32\svchost.exe
PID 228 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe C:\Windows\system32\taskhostw.exe
PID 228 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe C:\Windows\Explorer.EXE
PID 228 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe C:\Windows\system32\svchost.exe
PID 228 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe C:\Windows\system32\DllHost.exe
PID 228 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 228 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe C:\Windows\System32\RuntimeBroker.exe
PID 228 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 228 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe C:\Windows\System32\RuntimeBroker.exe
PID 228 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe C:\Windows\System32\RuntimeBroker.exe
PID 228 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 228 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe C:\Windows\system32\backgroundTaskHost.exe
PID 228 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe C:\Windows\system32\rundll32.exe
PID 228 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe C:\Users\Admin\AppData\Local\Temp\e5755e0.exe
PID 228 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe C:\Users\Admin\AppData\Local\Temp\e5755e0.exe
PID 228 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe C:\Windows\System32\RuntimeBroker.exe
PID 228 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\e575479.exe C:\Windows\System32\RuntimeBroker.exe
PID 1848 wrote to memory of 1460 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5788b8.exe
PID 1848 wrote to memory of 1460 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5788b8.exe
PID 1848 wrote to memory of 1460 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5788b8.exe
PID 1460 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e5788b8.exe C:\Windows\system32\fontdrvhost.exe
PID 1460 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\e5788b8.exe C:\Windows\system32\fontdrvhost.exe
PID 1460 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\e5788b8.exe C:\Windows\system32\dwm.exe
PID 1460 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\e5788b8.exe C:\Windows\system32\sihost.exe
PID 1460 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\e5788b8.exe C:\Windows\system32\svchost.exe
PID 1460 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\e5788b8.exe C:\Windows\system32\taskhostw.exe
PID 1460 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\e5788b8.exe C:\Windows\Explorer.EXE
PID 1460 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\e5788b8.exe C:\Windows\system32\svchost.exe
PID 1460 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\e5788b8.exe C:\Windows\system32\DllHost.exe
PID 1460 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\e5788b8.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1460 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\e5788b8.exe C:\Windows\System32\RuntimeBroker.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5788b8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e575479.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\36caf71ae0233577a44af1f9d7bd2370_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\36caf71ae0233577a44af1f9d7bd2370_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\e575479.exe

C:\Users\Admin\AppData\Local\Temp\e575479.exe

C:\Users\Admin\AppData\Local\Temp\e5755e0.exe

C:\Users\Admin\AppData\Local\Temp\e5755e0.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e5788b8.exe

C:\Users\Admin\AppData\Local\Temp\e5788b8.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp

Files

memory/1848-2-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e575479.exe

MD5 f63518108553bfb1b3be8706448d9994
SHA1 4ea755e63164445e305c6a26ca0c465c44ebfc57
SHA256 8b7ded898e122afaf09cbe9ec9833eefb8edb89e3862b6fc531ac154d5f1fac5
SHA512 8654dd56d32284bf15e9703ee779b30e4083af603e72f6e9d5cdd30ba02f333ab1ab4a7bab53717d92c62e995776e14322fda35fb248732185556bebb7ad25b1

memory/228-5-0x0000000000400000-0x0000000000412000-memory.dmp

memory/228-6-0x0000000000860000-0x000000000191A000-memory.dmp

memory/228-8-0x0000000000860000-0x000000000191A000-memory.dmp

memory/228-10-0x0000000000860000-0x000000000191A000-memory.dmp

memory/1848-23-0x00000000049A0000-0x00000000049A2000-memory.dmp

memory/228-30-0x0000000000630000-0x0000000000632000-memory.dmp

memory/608-36-0x0000000000400000-0x0000000000412000-memory.dmp

memory/228-32-0x0000000000860000-0x000000000191A000-memory.dmp

memory/228-27-0x0000000000860000-0x000000000191A000-memory.dmp

memory/228-17-0x0000000000860000-0x000000000191A000-memory.dmp

memory/228-33-0x0000000000630000-0x0000000000632000-memory.dmp

memory/1848-29-0x0000000004A30000-0x0000000004A31000-memory.dmp

memory/1848-28-0x00000000049A0000-0x00000000049A2000-memory.dmp

memory/228-26-0x0000000000860000-0x000000000191A000-memory.dmp

memory/228-22-0x0000000000640000-0x0000000000641000-memory.dmp

memory/1848-19-0x00000000049A0000-0x00000000049A2000-memory.dmp

memory/228-11-0x0000000000860000-0x000000000191A000-memory.dmp

memory/228-9-0x0000000000860000-0x000000000191A000-memory.dmp

memory/228-18-0x0000000000860000-0x000000000191A000-memory.dmp

memory/228-31-0x0000000000860000-0x000000000191A000-memory.dmp

memory/228-37-0x0000000000860000-0x000000000191A000-memory.dmp

memory/228-38-0x0000000000860000-0x000000000191A000-memory.dmp

memory/228-39-0x0000000000860000-0x000000000191A000-memory.dmp

memory/608-45-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/608-44-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/228-41-0x0000000000860000-0x000000000191A000-memory.dmp

memory/228-40-0x0000000000860000-0x000000000191A000-memory.dmp

memory/608-43-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/1848-49-0x00000000049A0000-0x00000000049A2000-memory.dmp

memory/1460-54-0x0000000000400000-0x0000000000412000-memory.dmp

memory/228-55-0x0000000000860000-0x000000000191A000-memory.dmp

memory/228-56-0x0000000000860000-0x000000000191A000-memory.dmp

memory/228-57-0x0000000000860000-0x000000000191A000-memory.dmp

memory/228-59-0x0000000000860000-0x000000000191A000-memory.dmp

memory/228-61-0x0000000000860000-0x000000000191A000-memory.dmp

memory/228-62-0x0000000000860000-0x000000000191A000-memory.dmp

memory/228-63-0x0000000000860000-0x000000000191A000-memory.dmp

memory/228-74-0x0000000000630000-0x0000000000632000-memory.dmp

memory/608-87-0x0000000000400000-0x0000000000412000-memory.dmp

memory/608-85-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/228-83-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1460-97-0x0000000000890000-0x000000000194A000-memory.dmp

memory/1460-94-0x0000000000890000-0x000000000194A000-memory.dmp

memory/1460-90-0x0000000000890000-0x000000000194A000-memory.dmp

memory/1460-88-0x0000000000890000-0x000000000194A000-memory.dmp

memory/1460-95-0x0000000000890000-0x000000000194A000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 6253e63e758adc93066a51fd756a8990
SHA1 acf11588f1d15add33ab6065409e95650f1521af
SHA256 9773b7b464d1b575a9d5243deceee267231137a00bbb6b9b6a6fa09f82dbf11b
SHA512 52e3f8457546b3aaf8c1a76d49f0b7cd02b21a7e5f969ee0155be6c1c2e865c8994853cca1600e51c5d003916223316c45ce78ae6974ad83bccc55c835936a8c

memory/1460-135-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1460-136-0x0000000000890000-0x000000000194A000-memory.dmp