Malware Analysis Report

2024-09-11 12:18

Sample ID 240617-qs4vlsxbmm
Target 973f9a1722c276701690dfb5e64a9d50_NeikiAnalytics.exe
SHA256 96ff5ebeadf9a22028e99b8feef45df17e89c677a0109ca8e520c42f7d5f85e4
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

96ff5ebeadf9a22028e99b8feef45df17e89c677a0109ca8e520c42f7d5f85e4

Threat Level: Known bad

The file 973f9a1722c276701690dfb5e64a9d50_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Sality

Modifies firewall policy service

UAC bypass

Windows security bypass

Loads dropped DLL

UPX packed file

Executes dropped EXE

Windows security modification

Enumerates connected drives

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Create or Modify System Process
T1543
Windows Service
T1543.003
Privilege Escalation
TA0004
Create or Modify System Process
T1543
Windows Service
T1543.003
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Defense Evasion
TA0005
Modify Registry
T1112
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Impair Defenses
T1562
Disable or Modify Tools
T1562.001
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Peripheral Device Discovery
T1120
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-17 13:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 13:32

Reported

2024-06-17 13:34

Platform

win7-20240220-en

Max time kernel

117s

Max time network

118s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f760b85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f760a6c C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
File created C:\Windows\f765ba7 C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1684 wrote to memory of 1964 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1684 wrote to memory of 1964 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1684 wrote to memory of 1964 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1684 wrote to memory of 1964 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1684 wrote to memory of 1964 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1684 wrote to memory of 1964 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1684 wrote to memory of 1964 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1964 wrote to memory of 2316 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760a1e.exe
PID 1964 wrote to memory of 2316 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760a1e.exe
PID 1964 wrote to memory of 2316 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760a1e.exe
PID 1964 wrote to memory of 2316 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760a1e.exe
PID 2316 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\f760a1e.exe C:\Windows\system32\taskhost.exe
PID 2316 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\f760a1e.exe C:\Windows\system32\Dwm.exe
PID 2316 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\f760a1e.exe C:\Windows\Explorer.EXE
PID 2316 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\f760a1e.exe C:\Windows\system32\DllHost.exe
PID 2316 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\f760a1e.exe C:\Windows\system32\rundll32.exe
PID 2316 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\f760a1e.exe C:\Windows\SysWOW64\rundll32.exe
PID 2316 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\f760a1e.exe C:\Windows\SysWOW64\rundll32.exe
PID 1964 wrote to memory of 2424 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760b85.exe
PID 1964 wrote to memory of 2424 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760b85.exe
PID 1964 wrote to memory of 2424 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760b85.exe
PID 1964 wrote to memory of 2424 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f760b85.exe
PID 1964 wrote to memory of 2452 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762952.exe
PID 1964 wrote to memory of 2452 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762952.exe
PID 1964 wrote to memory of 2452 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762952.exe
PID 1964 wrote to memory of 2452 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762952.exe
PID 2316 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\f760a1e.exe C:\Windows\system32\taskhost.exe
PID 2316 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\f760a1e.exe C:\Windows\system32\Dwm.exe
PID 2316 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\f760a1e.exe C:\Windows\Explorer.EXE
PID 2316 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\f760a1e.exe C:\Users\Admin\AppData\Local\Temp\f760b85.exe
PID 2316 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\f760a1e.exe C:\Users\Admin\AppData\Local\Temp\f760b85.exe
PID 2316 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\f760a1e.exe C:\Users\Admin\AppData\Local\Temp\f762952.exe
PID 2316 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\f760a1e.exe C:\Users\Admin\AppData\Local\Temp\f762952.exe
PID 2452 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\f762952.exe C:\Windows\system32\taskhost.exe
PID 2452 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\f762952.exe C:\Windows\system32\Dwm.exe
PID 2452 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\f762952.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f760a1e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f762952.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\973f9a1722c276701690dfb5e64a9d50_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\973f9a1722c276701690dfb5e64a9d50_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\f760a1e.exe

C:\Users\Admin\AppData\Local\Temp\f760a1e.exe

C:\Users\Admin\AppData\Local\Temp\f760b85.exe

C:\Users\Admin\AppData\Local\Temp\f760b85.exe

C:\Users\Admin\AppData\Local\Temp\f762952.exe

C:\Users\Admin\AppData\Local\Temp\f762952.exe

Network

N/A

Files

memory/1964-1-0x0000000010000000-0x0000000010020000-memory.dmp

\Users\Admin\AppData\Local\Temp\f760a1e.exe

MD5 50db462086ef134b5ec4cd159e5baac3
SHA1 48484a18d2b67fd0958a7ef6230e4c2eeaab1a58
SHA256 951c326fb0c7c0fe4386d1a7d8e9468320ec3a851e098be26cf16a156791dfa2
SHA512 46e98e863311deff2246997e4ec03499b74675bb9a562d65dcfaa569b5ea547f99b4317a4737677ca76bfb4fe004e305c5617a4393953265ad286632f5f361b5

memory/1964-8-0x0000000000170000-0x0000000000182000-memory.dmp

memory/2316-10-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2316-16-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2316-18-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2316-21-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2316-22-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2316-20-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2316-15-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2424-58-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1964-57-0x00000000001D0000-0x00000000001E2000-memory.dmp

memory/1964-55-0x00000000001A0000-0x00000000001A2000-memory.dmp

memory/2316-48-0x0000000000330000-0x0000000000332000-memory.dmp

memory/2316-46-0x00000000005A0000-0x00000000005A1000-memory.dmp

memory/1964-45-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/1964-36-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/1964-35-0x00000000001A0000-0x00000000001A2000-memory.dmp

memory/1108-28-0x0000000000490000-0x0000000000492000-memory.dmp

memory/2316-13-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2316-19-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2316-17-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2316-14-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2316-59-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2316-60-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2316-61-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2316-63-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2316-62-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2316-65-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2452-78-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1964-76-0x0000000000170000-0x0000000000172000-memory.dmp

memory/1964-74-0x00000000001A0000-0x00000000001A2000-memory.dmp

memory/2316-79-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2316-80-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2316-82-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2316-83-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2424-91-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/2424-93-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/2452-100-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2452-99-0x0000000000200000-0x0000000000201000-memory.dmp

memory/2424-101-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/2452-102-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2316-105-0x00000000006B0000-0x000000000176A000-memory.dmp

memory/2316-115-0x0000000000330000-0x0000000000332000-memory.dmp

memory/2424-149-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2316-145-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2316-144-0x00000000006B0000-0x000000000176A000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 be73f515a3cbbd3661bf8bffdc7ad77e
SHA1 546f932687185d06ae0ae3e501160deb53287f57
SHA256 9b1f53a52fe01c8b976fe179cb4dd49b8d702bfe091a6e1a51e227be1a4d2095
SHA512 ad113f519edc538f6339a1b96a25cf6f4adeb687d81d8e1e294826adc79aa08c8d4f366e82e16bdc8f3892527f6cef984e6ba006aff91c089ecf8915dc2160fc

memory/2452-155-0x0000000000910000-0x00000000019CA000-memory.dmp

memory/2452-200-0x0000000000910000-0x00000000019CA000-memory.dmp

memory/2452-199-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 13:32

Reported

2024-06-17 13:34

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

54s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e576978.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e576978.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e576978.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e576978.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576978.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576978.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e576978.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e576978.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576978.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576978.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e574ebc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e576978.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e576978.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576978.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576978.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576978.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e576978.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e576978.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576978.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e576978.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e574df1 C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
File created C:\Windows\e57b7f6 C:\Users\Admin\AppData\Local\Temp\e576978.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e576978.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e576978.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1660 wrote to memory of 900 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1660 wrote to memory of 900 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1660 wrote to memory of 900 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 900 wrote to memory of 4636 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574d93.exe
PID 900 wrote to memory of 4636 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574d93.exe
PID 900 wrote to memory of 4636 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574d93.exe
PID 4636 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe C:\Windows\system32\fontdrvhost.exe
PID 4636 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe C:\Windows\system32\fontdrvhost.exe
PID 4636 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe C:\Windows\system32\dwm.exe
PID 4636 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe C:\Windows\system32\sihost.exe
PID 4636 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe C:\Windows\system32\svchost.exe
PID 4636 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe C:\Windows\system32\taskhostw.exe
PID 4636 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe C:\Windows\system32\svchost.exe
PID 4636 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe C:\Windows\system32\DllHost.exe
PID 4636 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4636 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe C:\Windows\System32\RuntimeBroker.exe
PID 4636 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4636 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe C:\Windows\System32\RuntimeBroker.exe
PID 4636 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe C:\Windows\System32\RuntimeBroker.exe
PID 4636 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4636 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4636 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe C:\Windows\system32\rundll32.exe
PID 4636 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe C:\Windows\SysWOW64\rundll32.exe
PID 4636 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe C:\Windows\SysWOW64\rundll32.exe
PID 900 wrote to memory of 4820 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574ebc.exe
PID 900 wrote to memory of 4820 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574ebc.exe
PID 900 wrote to memory of 4820 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574ebc.exe
PID 900 wrote to memory of 3932 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576978.exe
PID 900 wrote to memory of 3932 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576978.exe
PID 900 wrote to memory of 3932 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576978.exe
PID 4636 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe C:\Windows\system32\fontdrvhost.exe
PID 4636 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe C:\Windows\system32\fontdrvhost.exe
PID 4636 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe C:\Windows\system32\dwm.exe
PID 4636 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe C:\Windows\system32\sihost.exe
PID 4636 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe C:\Windows\system32\svchost.exe
PID 4636 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe C:\Windows\system32\taskhostw.exe
PID 4636 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe C:\Windows\Explorer.EXE
PID 4636 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe C:\Windows\system32\svchost.exe
PID 4636 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe C:\Windows\system32\DllHost.exe
PID 4636 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4636 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe C:\Windows\System32\RuntimeBroker.exe
PID 4636 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4636 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe C:\Windows\System32\RuntimeBroker.exe
PID 4636 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe C:\Windows\System32\RuntimeBroker.exe
PID 4636 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4636 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe C:\Users\Admin\AppData\Local\Temp\e574ebc.exe
PID 4636 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe C:\Users\Admin\AppData\Local\Temp\e574ebc.exe
PID 4636 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe C:\Windows\System32\RuntimeBroker.exe
PID 4636 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe C:\Windows\System32\RuntimeBroker.exe
PID 4636 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe C:\Users\Admin\AppData\Local\Temp\e576978.exe
PID 4636 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\e574d93.exe C:\Users\Admin\AppData\Local\Temp\e576978.exe
PID 3932 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e576978.exe C:\Windows\system32\fontdrvhost.exe
PID 3932 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\e576978.exe C:\Windows\system32\fontdrvhost.exe
PID 3932 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\e576978.exe C:\Windows\system32\dwm.exe
PID 3932 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\e576978.exe C:\Windows\system32\sihost.exe
PID 3932 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\e576978.exe C:\Windows\system32\svchost.exe
PID 3932 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\e576978.exe C:\Windows\system32\taskhostw.exe
PID 3932 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\e576978.exe C:\Windows\Explorer.EXE
PID 3932 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\e576978.exe C:\Windows\system32\svchost.exe
PID 3932 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\e576978.exe C:\Windows\system32\DllHost.exe
PID 3932 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\e576978.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3932 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\e576978.exe C:\Windows\System32\RuntimeBroker.exe
PID 3932 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\e576978.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e574d93.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e576978.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\973f9a1722c276701690dfb5e64a9d50_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\973f9a1722c276701690dfb5e64a9d50_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\e574d93.exe

C:\Users\Admin\AppData\Local\Temp\e574d93.exe

C:\Users\Admin\AppData\Local\Temp\e574ebc.exe

C:\Users\Admin\AppData\Local\Temp\e574ebc.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e576978.exe

C:\Users\Admin\AppData\Local\Temp\e576978.exe

Network

Files

memory/900-0-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e574d93.exe

MD5 50db462086ef134b5ec4cd159e5baac3
SHA1 48484a18d2b67fd0958a7ef6230e4c2eeaab1a58
SHA256 951c326fb0c7c0fe4386d1a7d8e9468320ec3a851e098be26cf16a156791dfa2
SHA512 46e98e863311deff2246997e4ec03499b74675bb9a562d65dcfaa569b5ea547f99b4317a4737677ca76bfb4fe004e305c5617a4393953265ad286632f5f361b5

memory/4636-5-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4636-6-0x0000000000800000-0x00000000018BA000-memory.dmp

memory/4636-12-0x0000000000800000-0x00000000018BA000-memory.dmp

memory/4636-11-0x0000000000800000-0x00000000018BA000-memory.dmp

memory/4636-10-0x0000000000800000-0x00000000018BA000-memory.dmp

memory/4636-13-0x0000000000800000-0x00000000018BA000-memory.dmp

memory/4636-29-0x00000000005F0000-0x00000000005F2000-memory.dmp

memory/900-28-0x00000000038B0000-0x00000000038B2000-memory.dmp

memory/4636-27-0x00000000005F0000-0x00000000005F2000-memory.dmp

memory/4636-19-0x0000000001A00000-0x0000000001A01000-memory.dmp

memory/900-16-0x0000000003F10000-0x0000000003F11000-memory.dmp

memory/900-15-0x00000000038B0000-0x00000000038B2000-memory.dmp

memory/900-14-0x00000000038B0000-0x00000000038B2000-memory.dmp

memory/4636-8-0x0000000000800000-0x00000000018BA000-memory.dmp

memory/4636-9-0x0000000000800000-0x00000000018BA000-memory.dmp

memory/4636-34-0x0000000000800000-0x00000000018BA000-memory.dmp

memory/4820-33-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4636-32-0x0000000000800000-0x00000000018BA000-memory.dmp

memory/4636-35-0x0000000000800000-0x00000000018BA000-memory.dmp

memory/4636-26-0x0000000000800000-0x00000000018BA000-memory.dmp

memory/4636-36-0x0000000000800000-0x00000000018BA000-memory.dmp

memory/4636-37-0x0000000000800000-0x00000000018BA000-memory.dmp

memory/4636-38-0x0000000000800000-0x00000000018BA000-memory.dmp

memory/4636-39-0x0000000000800000-0x00000000018BA000-memory.dmp

memory/4636-40-0x0000000000800000-0x00000000018BA000-memory.dmp

memory/4636-42-0x0000000000800000-0x00000000018BA000-memory.dmp

memory/4636-43-0x0000000000800000-0x00000000018BA000-memory.dmp

memory/3932-51-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4636-52-0x0000000000800000-0x00000000018BA000-memory.dmp

memory/4636-54-0x0000000000800000-0x00000000018BA000-memory.dmp

memory/4636-55-0x0000000000800000-0x00000000018BA000-memory.dmp

memory/3932-62-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4820-63-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3932-64-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3932-61-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/4820-59-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4820-58-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/4636-65-0x0000000000800000-0x00000000018BA000-memory.dmp

memory/4636-67-0x0000000000800000-0x00000000018BA000-memory.dmp

memory/4636-70-0x0000000000800000-0x00000000018BA000-memory.dmp

memory/4636-72-0x0000000000800000-0x00000000018BA000-memory.dmp

memory/4636-74-0x0000000000800000-0x00000000018BA000-memory.dmp

memory/4636-76-0x0000000000800000-0x00000000018BA000-memory.dmp

memory/4636-78-0x0000000000800000-0x00000000018BA000-memory.dmp

memory/4636-80-0x0000000000800000-0x00000000018BA000-memory.dmp

memory/4636-82-0x0000000000800000-0x00000000018BA000-memory.dmp

memory/4636-83-0x0000000000800000-0x00000000018BA000-memory.dmp

memory/4636-102-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4636-93-0x00000000005F0000-0x00000000005F2000-memory.dmp

memory/4820-106-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 f00515c6b84b59d10cf8ad1f19c09b35
SHA1 7bd3c95900d64533e29063c303133b6bc8868761
SHA256 73142df8a1ac1dc36928a4e01d32794a07a3d13abfc6f2d706d34fa60760e8f9
SHA512 a08c308ad3e9eae7dd805c6f970bb15e2f4da029e20e0172dcc2b4318bf68bb6c5e7ce3897476cde5e9f4e776d67c0607e8aaa1a66c3fc8254595eab762c7828

memory/3932-118-0x0000000000B50000-0x0000000001C0A000-memory.dmp

memory/3932-131-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3932-132-0x0000000000B50000-0x0000000001C0A000-memory.dmp