sality | 1440803a96ffa06c71368fbc4c9b550bed0861aa91993cbeb0650e6a11d440ac

Analysis

max time kernel
22s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
17-06-2024 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe
Size

1.7MB
MD5

8578d5b49e77b239468fc1aed1eba560
SHA1

77f7c6ff2a3fe3ae5055c28d7f6c8bd2d0e4888b
SHA256

1440803a96ffa06c71368fbc4c9b550bed0861aa91993cbeb0650e6a11d440ac
SHA512

821d84d9d6908e89c2260f01061fd61f0d46367ac255e1d10d8a7ad2c5ee8f2fe1ea3f4e10f534a335f9e90cf8c428b4b4aa2394924e966a2d369a06718cec5e
SSDEEP

24576:WIXW/8yw1ez54lI7F5SXYHjrGyzatThRiVk6jXRqbLGJv6plFh9iGa2oMYMgdsHV:h9bC4lIOcT8TjkXzJspDLoVMgdkLbN

Score

10^/10

sality backdoor evasion persistence trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exerundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

rundll32.exe@AE5F27.tmp.exeWdExt.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	@AE5F27.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WdExt.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

kb50145.exe@AE5F27.tmp.exeWdExt.exemodule_launcher.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	kb50145.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	@AE5F27.tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	WdExt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	module_launcher.exe

Executes dropped EXE 7 IoCs

Processes:

@AE5F27.tmp.exe8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exeWdExt.exemodule_launcher.exerundll32.exekb50145.exeinjector_s.exe

pid	process
1148	@AE5F27.tmp.exe
1640	8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe
4976	WdExt.exe
1220	module_launcher.exe
620	rundll32.exe
2064	kb50145.exe
4528	injector_s.exe

Loads dropped DLL 2 IoCs

Processes:

@AE5F27.tmp.exeWdExt.exe

pid process

1148 @AE5F27.tmp.exe
4976 WdExt.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1148-20-0x0000000002270000-0x00000000032A0000-memory.dmp	upx
behavioral2/memory/1148-28-0x0000000002270000-0x00000000032A0000-memory.dmp	upx
behavioral2/memory/1148-314-0x0000000002270000-0x00000000032A0000-memory.dmp	upx
behavioral2/memory/1148-356-0x0000000002270000-0x00000000032A0000-memory.dmp	upx
behavioral2/memory/4976-373-0x00000000021F0000-0x0000000003220000-memory.dmp	upx
behavioral2/memory/4976-376-0x00000000021F0000-0x0000000003220000-memory.dmp	upx
behavioral2/memory/4976-946-0x00000000021F0000-0x0000000003220000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exemodule_launcher.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\rundll32.exe"	8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender Extension = "\"C:\\Users\\Admin\\AppData\\Roaming\\Admin\\module_launcher.exe\""	module_launcher.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

@AE5F27.tmp.exeWdExt.exerundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	@AE5F27.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WdExt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	rundll32.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
File opened (read-only)	\??\B:	rundll32.exe
File opened (read-only)	\??\H:	rundll32.exe
File opened (read-only)	\??\J:	rundll32.exe
File opened (read-only)	\??\L:	rundll32.exe
File opened (read-only)	\??\M:	rundll32.exe
File opened (read-only)	\??\S:	rundll32.exe
File opened (read-only)	\??\V:	rundll32.exe
File opened (read-only)	\??\I:	rundll32.exe
File opened (read-only)	\??\N:	rundll32.exe
File opened (read-only)	\??\P:	rundll32.exe
File opened (read-only)	\??\T:	rundll32.exe
File opened (read-only)	\??\U:	rundll32.exe
File opened (read-only)	\??\W:	rundll32.exe
File opened (read-only)	\??\X:	rundll32.exe
File opened (read-only)	\??\Y:	rundll32.exe
File opened (read-only)	\??\K:	rundll32.exe
File opened (read-only)	\??\O:	rundll32.exe
File opened (read-only)	\??\R:	rundll32.exe
File opened (read-only)	\??\Z:	rundll32.exe
File opened (read-only)	\??\A:	rundll32.exe
File opened (read-only)	\??\E:	rundll32.exe
File opened (read-only)	\??\G:	rundll32.exe
File opened (read-only)	\??\Q:	rundll32.exe

Drops file in Program Files directory 3 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	rundll32.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zFM.exe	rundll32.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zG.exe	rundll32.exe

Drops file in Windows directory 1 IoCs

Processes:

@AE5F27.tmp.exe

description ioc process

File opened for modification C:\Windows\SYSTEM.INI @AE5F27.tmp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	@AE5F27.tmp.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

@AE5F27.tmp.exe8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exeWdExt.exemodule_launcher.exerundll32.exe

pid	process
1148	@AE5F27.tmp.exe
1148	@AE5F27.tmp.exe
1148	@AE5F27.tmp.exe
1148	@AE5F27.tmp.exe
1640	8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe
1640	8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe
4976	WdExt.exe
4976	WdExt.exe
4976	WdExt.exe
4976	WdExt.exe
1220	module_launcher.exe
1220	module_launcher.exe
1220	module_launcher.exe
1220	module_launcher.exe
1220	module_launcher.exe
1220	module_launcher.exe
1220	module_launcher.exe
1220	module_launcher.exe
620	rundll32.exe
620	rundll32.exe
620	rundll32.exe
620	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

@AE5F27.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe
Token: SeDebugPrivilege	1148	@AE5F27.tmp.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exerundll32.exe

pid process

1640 8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe
620 rundll32.exe

pid	process
1640	8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe
620	rundll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exeexplorer.exe@AE5F27.tmp.execmd.exeWdExt.exe

description	pid	process	target process
PID 3908 wrote to memory of 4144	3908	8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe	explorer.exe
PID 3908 wrote to memory of 4144	3908	8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe	explorer.exe
PID 3908 wrote to memory of 4144	3908	8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe	explorer.exe
PID 3908 wrote to memory of 4144	3908	8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe	explorer.exe
PID 3908 wrote to memory of 4144	3908	8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe	explorer.exe
PID 4144 wrote to memory of 1148	4144	explorer.exe	@AE5F27.tmp.exe
PID 4144 wrote to memory of 1148	4144	explorer.exe	@AE5F27.tmp.exe
PID 4144 wrote to memory of 1148	4144	explorer.exe	@AE5F27.tmp.exe
PID 4144 wrote to memory of 1640	4144	explorer.exe	8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe
PID 4144 wrote to memory of 1640	4144	explorer.exe	8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe
PID 4144 wrote to memory of 1640	4144	explorer.exe	8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe
PID 1148 wrote to memory of 792	1148	@AE5F27.tmp.exe	fontdrvhost.exe
PID 1148 wrote to memory of 800	1148	@AE5F27.tmp.exe	fontdrvhost.exe
PID 1148 wrote to memory of 64	1148	@AE5F27.tmp.exe	dwm.exe
PID 1148 wrote to memory of 2976	1148	@AE5F27.tmp.exe	sihost.exe
PID 1148 wrote to memory of 3004	1148	@AE5F27.tmp.exe	svchost.exe
PID 1148 wrote to memory of 1044	1148	@AE5F27.tmp.exe	taskhostw.exe
PID 1148 wrote to memory of 3384	1148	@AE5F27.tmp.exe	Explorer.EXE
PID 1148 wrote to memory of 3544	1148	@AE5F27.tmp.exe	svchost.exe
PID 1148 wrote to memory of 3736	1148	@AE5F27.tmp.exe	DllHost.exe
PID 1148 wrote to memory of 3828	1148	@AE5F27.tmp.exe	StartMenuExperienceHost.exe
PID 1148 wrote to memory of 3928	1148	@AE5F27.tmp.exe	RuntimeBroker.exe
PID 1148 wrote to memory of 4012	1148	@AE5F27.tmp.exe	SearchApp.exe
PID 1148 wrote to memory of 3768	1148	@AE5F27.tmp.exe	RuntimeBroker.exe
PID 1148 wrote to memory of 4328	1148	@AE5F27.tmp.exe	RuntimeBroker.exe
PID 1148 wrote to memory of 404	1148	@AE5F27.tmp.exe	TextInputHost.exe
PID 1148 wrote to memory of 832	1148	@AE5F27.tmp.exe	backgroundTaskHost.exe
PID 1148 wrote to memory of 2380	1148	@AE5F27.tmp.exe	backgroundTaskHost.exe
PID 1148 wrote to memory of 4144	1148	@AE5F27.tmp.exe	explorer.exe
PID 1148 wrote to memory of 1640	1148	@AE5F27.tmp.exe	8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe
PID 1148 wrote to memory of 1640	1148	@AE5F27.tmp.exe	8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe
PID 1148 wrote to memory of 4588	1148	@AE5F27.tmp.exe	cmd.exe
PID 1148 wrote to memory of 4588	1148	@AE5F27.tmp.exe	cmd.exe
PID 1148 wrote to memory of 4588	1148	@AE5F27.tmp.exe	cmd.exe
PID 1148 wrote to memory of 2268	1148	@AE5F27.tmp.exe	cmd.exe
PID 1148 wrote to memory of 2268	1148	@AE5F27.tmp.exe	cmd.exe
PID 1148 wrote to memory of 2268	1148	@AE5F27.tmp.exe	cmd.exe
PID 4588 wrote to memory of 4976	4588	cmd.exe	WdExt.exe
PID 4588 wrote to memory of 4976	4588	cmd.exe	WdExt.exe
PID 4588 wrote to memory of 4976	4588	cmd.exe	WdExt.exe
PID 4976 wrote to memory of 792	4976	WdExt.exe	fontdrvhost.exe
PID 4976 wrote to memory of 800	4976	WdExt.exe	fontdrvhost.exe
PID 4976 wrote to memory of 64	4976	WdExt.exe	dwm.exe
PID 4976 wrote to memory of 2976	4976	WdExt.exe	sihost.exe
PID 4976 wrote to memory of 3004	4976	WdExt.exe	svchost.exe
PID 4976 wrote to memory of 1044	4976	WdExt.exe	taskhostw.exe
PID 4976 wrote to memory of 3384	4976	WdExt.exe	Explorer.EXE
PID 4976 wrote to memory of 3544	4976	WdExt.exe	svchost.exe
PID 4976 wrote to memory of 3736	4976	WdExt.exe	DllHost.exe
PID 4976 wrote to memory of 3828	4976	WdExt.exe	StartMenuExperienceHost.exe
PID 4976 wrote to memory of 3928	4976	WdExt.exe	RuntimeBroker.exe
PID 4976 wrote to memory of 4012	4976	WdExt.exe	SearchApp.exe
PID 4976 wrote to memory of 3768	4976	WdExt.exe	RuntimeBroker.exe
PID 4976 wrote to memory of 4328	4976	WdExt.exe	RuntimeBroker.exe
PID 4976 wrote to memory of 404	4976	WdExt.exe	TextInputHost.exe
PID 4976 wrote to memory of 832	4976	WdExt.exe	backgroundTaskHost.exe
PID 4976 wrote to memory of 2380	4976	WdExt.exe	backgroundTaskHost.exe
PID 4976 wrote to memory of 4160	4976	WdExt.exe	BackgroundTaskHost.exe
PID 4976 wrote to memory of 4588	4976	WdExt.exe	cmd.exe
PID 4976 wrote to memory of 4588	4976	WdExt.exe	cmd.exe
PID 4976 wrote to memory of 1864	4976	WdExt.exe	Conhost.exe
PID 4976 wrote to memory of 4932	4976	WdExt.exe	cmd.exe
PID 4976 wrote to memory of 4932	4976	WdExt.exe	cmd.exe
PID 4976 wrote to memory of 4932	4976	WdExt.exe	cmd.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

@AE5F27.tmp.exeWdExt.exerundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	@AE5F27.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WdExt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	rundll32.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:800

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:64

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3004

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:1044

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3384

C:\Users\Admin\AppData\Local\Temp\8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3908

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4144

C:\Users\Admin\AppData\Local\Temp\@AE5F27.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\@AE5F27.tmp.exe"
4⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:4588

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:1864

C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe
"C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe"
6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
7⤵
PID:4932

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:2172

C:\Users\Admin\AppData\Roaming\Admin\module_launcher.exe
"C:\Users\Admin\AppData\Roaming\Admin\module_launcher.exe" /i 4976
8⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:1220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat" "
9⤵
PID:744

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
10⤵
PID:3956

C:\Users\Admin\AppData\Roaming\Admin\kb50145.exe
"C:\Users\Admin\AppData\Roaming\Admin\kb50145.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
PID:2064

C:\Users\Admin\AppData\Roaming\injector_s.exe
"C:\Users\Admin\AppData\Roaming\injector_s.exe"
11⤵
- Executes dropped EXE
PID:4528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a0x.bat" "C:\Users\Admin\AppData\Roaming\Admin\kb50145.exe" "C:\Users\Admin\AppData\Local\Temp\a0x.bat""
11⤵
PID:5048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
5⤵
PID:2268

C:\Users\Admin\AppData\Local\Temp\8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe"
4⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1640

C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
5⤵
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3544

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3736

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3828

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3928

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4012

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3768

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4328

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:404

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:832

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:2380

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
1⤵
PID:4160

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2220

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:452

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0E576169_Rar\@AE5F27.tmp.exe
Filesize
970KB

MD5
8f1046ca47595761583046048791148f

SHA1
7e748ad90fd12006ad27a73de11df9bbca6722fd

SHA256
7f5df7922d82f03c8735fdc9f9cc1d787da8f1f13b1828f66aeb517422eb1e4b

SHA512
3424b17c5959678c4c5a629c8483d1fd19b78864ecdacdc7b2ef02b9a16ce1100a03e948854b2166764783e910579c6fa0e74b11d49cf72b71d75f6b6f8e0a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\0E57632E_Rar\8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe
Filesize
664KB

MD5
fe9261575638dec5742ddfba5b5fb19c

SHA1
4dc2e4f6556cfcf86d594de9bdd5f66fd9979cac

SHA256
201f53068429e57f2aefa89699e780375f39d41267173966c1c2adc3f62b0227

SHA512
b771afc81c4bdab04256a5e40097c6ff0ff06fb4f07d107a347f8397abd0504384cad1311d9591ca10ea8fd59b4afc40212a371de006d09003cef0ea82308951

Download Submit
C:\Users\Admin\AppData\Local\Temp\0E576F54_Rar\WdExt.exe
Filesize
970KB

MD5
15bf5b7ffd9ae1689f2872567d28f308

SHA1
84a75545eef1243a1c1886cbcd07795dada259d1

SHA256
9b0ad9eed0460d7d5d9a2405f5c43afd0288f35b30a205c76a5d7d855a8997a1

SHA512
eefafc4c48ddc42e9ff45ddb80b54be85c6eec129f69f119d821be0b28a176ea98cab83f3030dd5d9f61346994aa8491d2435ed6deabc501c111a80fdd84fcab

Download Submit
C:\Users\Admin\AppData\Local\Temp\8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe
Filesize
740KB

MD5
9887f7db7dc40ada587df7c33c42ff15

SHA1
d029cba559891ee96f15e410bc3b48b03afb92a5

SHA256
c0eac92d2eae3b0e4b24c214b9ea35e3bb267cb2a3abc0cf7cad3abe1b0b4611

SHA512
f4af32b4edce3635dac85b2867bd04e67cb3d287049e1e79c88a90f31dabaac8046a18f9ab517384de8ba7025fd24a066ccebbf68220a65039fecb32e65a779f

Download Submit
C:\Users\Admin\AppData\Local\Temp\@AE5F27.tmp.exe
Filesize
1.0MB

MD5
46329f893d9543e37c0603b01751fa81

SHA1
4acdc019085b51f8c7860ab47a09b293c385c1d9

SHA256
d594e1da162a7cd67be562c115b3f669c84040798353db154eb9f3ee305b5dab

SHA512
3493b422291f0db77f27bf5498d966ac6ebc304d292c3fbd8f108caca501c3ba4f64ad599e89e3ac15133e3843e0a6b0be043be5a992a76c09cf4cda110e89f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a0x.bat
Filesize
44B

MD5
804bb96081db73d249b1d21573d8ea59

SHA1
abf76e8d0702ce245bb7afbb513cdcc8bac6ab35

SHA256
b1e4990bf84c402594a53a2a98011b8880239e790872de1f6c7b8b9cd1005cf5

SHA512
d037dea300ffe466ab83c2a1c2c9a55693c36b546dbbcfa0a7a1ef477a3ea5c33f9831d71389466cf4c74192b417bf9ed0b7e0ad88d927f1ca997fcba254414c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7001.tmp
Filesize
121KB

MD5
864484e1394eaaa2e9a8a63f01c97be0

SHA1
d02a92d866232f22a8477ab99e6d27354fa310f2

SHA256
e1a25be30164e6aca9bf97454be217f2b49e6f65fa4d3ac710637f6ef8a213a0

SHA512
16919202ee3626ab829070dbe2f43bb5caa9bbaebf63f5de3fb9930825f71edd074855cac6349241705d6bf979203e0eb7f9df2c25d2bfab95ee210ac350568c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7011.tmp
Filesize
131KB

MD5
ebc999a1ded4f76d648431350fe423bb

SHA1
b1a4abcb00364ede9185209d41e7e2532cd559a0

SHA256
ba6a7655e3860d01201ffbce06398dff71fd97acff99e95ac8cd2a3e3161d1c0

SHA512
aba5a33667e01857650f74ea5dd461c11a0ff121c22e08ab058b950b11b315119b00acaf0aaf7401a668a4131daf73d07717002c6dd55570a79ad5ba526e5ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7012.tmp
Filesize
99KB

MD5
88c497ace0db30cc47fc259b7806ad8f

SHA1
a486cedff64cb60e62ffbefd25ee5df79e6a9714

SHA256
4a8ea33966592b337d31802f55ea7f901caec037b5b1bf18a9e2b6b044915781

SHA512
1748700a158b8f999658eb532e5d4ed80c844b21c47d3bf0d8682de22be4b47a424350196ee3d0538d71a67aca906b781282eb3192031e93e834f417b8134346

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7023.tmp
Filesize
172KB

MD5
b00a14a9f3b2c8ac19ada6992517ff77

SHA1
8469aa684cf86fcf627c828d40a9dc9688187173

SHA256
015caba690febdd5403ad86a04bb9763db7408a3b3f0be85f9c364580dac4649

SHA512
fea53117dc2efc23af186fae9ea8abc6ed15a516a820d62a5d312525447b0495fc0d81acf540017422427ea45754298fb7e334c9db8c47d49c4ce741f85bbf2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7034.tmp
Filesize
76KB

MD5
ccf05ce9abe252cc7d68b2ff8ab6cfb7

SHA1
8739e9e007b62d9434bd5d06d5d312d255496a00

SHA256
a1d30db63fcb26cfcc1e128f4b840ac1c822267a8f17de45cc2e2fc19147e41f

SHA512
e2e56fa332b895fc54fd9a6ccd71952f11237f18d66b2342a47c7b707a65743d3f8b84efa5988257e657623cb748cb196e36a8839fb1cd5f600cb30623b2a29b

Download Submit
C:\Users\Admin\AppData\Roaming\Admin\WdExt.exe
Filesize
1.0MB

MD5
13df89033a11d6d1f9d4d2efe2ecac7b

SHA1
b3933036f1b4b82197dae195a32677de322d863a

SHA256
6943dccff33a9c1d4836c1bd4a75a9f472470d55e9e26c803ecb632fe5dfd3a7

SHA512
52dabf195959aaa3a6ad03fcf2892f6cfece245151402b81fe4e1ab2c178b6360be15e6710b472c71205c7349eb7f04ac8b33789bbfd5d2d72fe630db3714e49

Download Submit
C:\Users\Admin\AppData\Roaming\Admin\kb50145.exe
Filesize
76KB

MD5
8bf335774fbb62bbe1de03921dfe047a

SHA1
24fc750a20aebb52f23e84264d201f458106d95d

SHA256
048655d212b269073107e4636125ceeea262acce1d364fc512a0cc8f4783dcf7

SHA512
aed95f1c37cc99cee23d250e395a80c9c45c7c1c017ec7baef2af860711dbd5b540bf077d372e94582c9758961063f4c166a03fffce3b17e7fb468ce174b7aea

Download Submit
C:\Users\Admin\AppData\Roaming\Admin\module_launcher.exe
Filesize
172KB

MD5
6ff3155e619e2c601db536c88741e094

SHA1
c71bfc0a9b11db33c801035e06d31a03e2901dd0

SHA256
b4febd6c6fc42b7d86b575f6c44f0d49fbe9ec02e98d3be00cb26b3e32a3a6d1

SHA512
8a3047ff46833003464f0979702a4b4f0cf3998c3e4aa865b2f61cfd377689eae706fb9017c2ca97a2fee7f65d6c17c73ae37e86940a6aefdd06d8f0281bcebc

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat
Filesize
105B

MD5
902a1098f800859502aec4eac3026495

SHA1
a6b209e9aa15087670e830af5de8179b31abc897

SHA256
ff5e923c453d3d61a7989b2b0f978b0bba924a7052667311c9eed54852a20cfd

SHA512
cf7f0197c78f9c7db81068fbc702596a00c5d7c8280751641965917056c0e71265a3a89f3daf6a3600faa13034b54fbedea50ea583723abbfc286f2e7e79fe77

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat
Filesize
122B

MD5
20fcc080c32671b5e72b5c5e4e9aeeac

SHA1
b2792164f6be9b5f3f3727e19a29c1b114f50f06

SHA256
d8641d8e9e3558842f5a5eecb4985b96f46066de29f2f259bce6bce7913b77f6

SHA512
fb070849c810289f0b906079154d945121e6148e654f2cdfe3aeed7f4bfb83b6406cee89e4116fd8255716652ea6a1d2b196e172b8bd0572c8152e06cabbd88a

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat
Filesize
196B

MD5
5778a86de524ee58a3831777464b40c5

SHA1
1d6bb825305df247f3f5210961ebe58063cfabab

SHA256
04e264de9c783c4f8413fda8ba870a911731dce8fd088852959b7a9d216e0e34

SHA512
fac3ffebf2f75c1e4201b28a891cd5f6174f5aab6540170cac2dddad145d98a71fcd9bebb5ba703e7e3b7426244665fd6c1dcb89bb9f80c6a22ba2b8a12dcfa9

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat
Filesize
107B

MD5
85eb3280f9675f88d00040cbea92277f

SHA1
2fece0a30b2153b4a9fee72fe5a637dee1967a2f

SHA256
bf1b95975082845d3d9d8948999d69d666dfe50d741a36cdf81fa180fa4c777b

SHA512
2641b1dfa67216ed86d0394dbc6dd78f6124978c23673c73e4e1da66a93f98364acafc13c3df017fab682ed3d9a2c993f3d9bb562e07b7a1b0a01576e1381298

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\mydll.dll
Filesize
388KB

MD5
8d7db101a7211fe3309dc4dc8cf2dd0a

SHA1
6c2781eadf53b3742d16dab2f164baf813f7ac85

SHA256
93db7c9699594caa19490280842fbebec3877278c92128b92e63d75fcd01397a

SHA512
8b139d447068519997f7bbc2c7c2fe3846b89ae1fba847258277c9ab92a93583b28fae7ffa444768929ed5852cc914c0270446cbf0bd20aca49bde6b6f809c83

Download Submit
C:\Users\Admin\AppData\Roaming\injector_s.exe
Filesize
188KB

MD5
1d1491e1759c1e39bf99a5df90311db3

SHA1
8bd6faed091bb00f879ef379715461130493e97f

SHA256
22c5c5bcb256c1dcaead463c92a70107ba1bac40564fe1e7d46594c6a3936778

SHA512
ac6ca48acbd288011849e55b0c66faf9ead479e39dc2deaecc7ad998e764f02a1807bb9227e03f12ce1a0b1f5c5b3072c3b86b5bae336e84d95d7a3e42cf5a1e

Download Submit
C:\Windows\SYSTEM.INI
Filesize
258B

MD5
cae431b8a5b29273f85734bda934652e

SHA1
c5ecaa92ab1ce07353fcacbd0780c36fedd26574

SHA256
c7b2d8bde037dca5cc3dcb63539caf8896fdfd5b082ccb482ebb982d78b11383

SHA512
ce20add07cd9476b9a2f24670b3436a8e8a084b8c07b61d99b2e6c5eb8b90f808bec3bd92ea489f9dc9106d6ab66d7ad9d8e0161fcf83e0f0228db747f082a6e

Download Submit
memory/620-1120-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/620-963-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1148-314-0x0000000002270000-0x00000000032A0000-memory.dmp

Filesize
16.2MB

Download
memory/1148-316-0x0000000000790000-0x0000000000792000-memory.dmp

Filesize
8KB

Download
memory/1148-21-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1148-20-0x0000000002270000-0x00000000032A0000-memory.dmp

Filesize
16.2MB

Download
memory/1148-23-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/1148-367-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1148-356-0x0000000002270000-0x00000000032A0000-memory.dmp

Filesize
16.2MB

Download
memory/1148-330-0x0000000000790000-0x0000000000792000-memory.dmp

Filesize
8KB

Download
memory/1148-328-0x0000000000790000-0x0000000000792000-memory.dmp

Filesize
8KB

Download
memory/1148-28-0x0000000002270000-0x00000000032A0000-memory.dmp

Filesize
16.2MB

Download
memory/1148-317-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/1640-968-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1640-325-0x0000000000980000-0x0000000000982000-memory.dmp

Filesize
8KB

Download
memory/1640-286-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1640-324-0x0000000000980000-0x0000000000982000-memory.dmp

Filesize
8KB

Download
memory/1640-319-0x00000000032F0000-0x00000000032F1000-memory.dmp

Filesize
4KB

Download
memory/3908-0-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/4588-396-0x0000000001110000-0x0000000001111000-memory.dmp

Filesize
4KB

Download
memory/4588-960-0x0000000000E00000-0x0000000000E02000-memory.dmp

Filesize
8KB

Download
memory/4588-400-0x0000000000E00000-0x0000000000E02000-memory.dmp

Filesize
8KB

Download
memory/4976-373-0x00000000021F0000-0x0000000003220000-memory.dmp

Filesize
16.2MB

Download
memory/4976-954-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4976-946-0x00000000021F0000-0x0000000003220000-memory.dmp

Filesize
16.2MB

Download
memory/4976-398-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/4976-399-0x0000000000630000-0x0000000000632000-memory.dmp

Filesize
8KB

Download
memory/4976-943-0x0000000000630000-0x0000000000632000-memory.dmp

Filesize
8KB

Download
memory/4976-376-0x00000000021F0000-0x0000000003220000-memory.dmp

Filesize
16.2MB

Download
memory/4976-374-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download