sality | 0c1c157c24d9fe99e7dadd695926dd3d61dfa973a8c7a755968b730b8815d1d2

Analysis

max time kernel
24s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 06:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Size

732KB
MD5

bebb67767b53cd13f67283cdc9bd9570
SHA1

b02fe6f21cdf9a6377c2cf0b3de608f7117f6d90
SHA256

0c1c157c24d9fe99e7dadd695926dd3d61dfa973a8c7a755968b730b8815d1d2
SHA512

c2be48ff93f5645ccf5fc7305382c5ab4a803bd39d4165f6bd3a73e7daa8db6047708485b2f54c5eefb3637946b4e3eeece77c4ae9a507bcd88de1422770b7fa
SSDEEP

12288:WTyjXW+48qWywrU4kGFezOAVuJ5PIzww7F5DO3HYffIERagUj7K:MIXW/8yw1ez54lIvF5SXYHIMa/j7K

Score

10^/10

sality backdoor evasion persistence trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

Modifies firewall policy service 2 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

rundll32.exebebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exerundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exerundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	rundll32.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exerundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	rundll32.exe

Deletes itself 1 IoCs

Processes:

rundll32.exe

pid process

3028 rundll32.exe
Executes dropped EXE 1 IoCs

Processes:

rundll32.exe

pid process

3028 rundll32.exe

pid	process
3028	rundll32.exe

pid	process
3028	rundll32.exe

UPX packed file 41 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4700-1-0x00000000032C0000-0x000000000434E000-memory.dmp	upx
behavioral2/memory/4700-3-0x00000000032C0000-0x000000000434E000-memory.dmp	upx
behavioral2/memory/4700-5-0x00000000032C0000-0x000000000434E000-memory.dmp	upx
behavioral2/memory/4700-7-0x00000000032C0000-0x000000000434E000-memory.dmp	upx
behavioral2/memory/4700-14-0x00000000032C0000-0x000000000434E000-memory.dmp	upx
behavioral2/memory/4700-16-0x00000000032C0000-0x000000000434E000-memory.dmp	upx
behavioral2/memory/4700-6-0x00000000032C0000-0x000000000434E000-memory.dmp	upx
behavioral2/memory/4700-4-0x00000000032C0000-0x000000000434E000-memory.dmp	upx
behavioral2/memory/4700-17-0x00000000032C0000-0x000000000434E000-memory.dmp	upx
behavioral2/memory/4700-19-0x00000000032C0000-0x000000000434E000-memory.dmp	upx
behavioral2/memory/4700-20-0x00000000032C0000-0x000000000434E000-memory.dmp	upx
behavioral2/memory/4700-28-0x00000000032C0000-0x000000000434E000-memory.dmp	upx
behavioral2/memory/4700-23-0x00000000032C0000-0x000000000434E000-memory.dmp	upx
behavioral2/memory/3028-54-0x0000000004EE0000-0x0000000005F6E000-memory.dmp	upx
behavioral2/memory/3028-55-0x0000000004EE0000-0x0000000005F6E000-memory.dmp	upx
behavioral2/memory/3028-51-0x0000000004EE0000-0x0000000005F6E000-memory.dmp	upx
behavioral2/memory/3028-59-0x0000000004EE0000-0x0000000005F6E000-memory.dmp	upx
behavioral2/memory/3028-50-0x0000000004EE0000-0x0000000005F6E000-memory.dmp	upx
behavioral2/memory/3028-49-0x0000000004EE0000-0x0000000005F6E000-memory.dmp	upx
behavioral2/memory/3028-57-0x0000000004EE0000-0x0000000005F6E000-memory.dmp	upx
behavioral2/memory/3028-48-0x0000000004EE0000-0x0000000005F6E000-memory.dmp	upx
behavioral2/memory/3028-46-0x0000000004EE0000-0x0000000005F6E000-memory.dmp	upx
behavioral2/memory/3028-56-0x0000000004EE0000-0x0000000005F6E000-memory.dmp	upx
behavioral2/memory/3028-64-0x0000000004EE0000-0x0000000005F6E000-memory.dmp	upx
behavioral2/memory/3028-63-0x0000000004EE0000-0x0000000005F6E000-memory.dmp	upx
behavioral2/memory/3028-65-0x0000000004EE0000-0x0000000005F6E000-memory.dmp	upx
behavioral2/memory/3028-66-0x0000000004EE0000-0x0000000005F6E000-memory.dmp	upx
behavioral2/memory/3028-67-0x0000000004EE0000-0x0000000005F6E000-memory.dmp	upx
behavioral2/memory/3028-69-0x0000000004EE0000-0x0000000005F6E000-memory.dmp	upx
behavioral2/memory/3028-70-0x0000000004EE0000-0x0000000005F6E000-memory.dmp	upx
behavioral2/memory/3028-71-0x0000000004EE0000-0x0000000005F6E000-memory.dmp	upx
behavioral2/memory/3028-73-0x0000000004EE0000-0x0000000005F6E000-memory.dmp	upx
behavioral2/memory/3028-74-0x0000000004EE0000-0x0000000005F6E000-memory.dmp	upx
behavioral2/memory/3028-77-0x0000000004EE0000-0x0000000005F6E000-memory.dmp	upx
behavioral2/memory/3028-78-0x0000000004EE0000-0x0000000005F6E000-memory.dmp	upx
behavioral2/memory/3028-81-0x0000000004EE0000-0x0000000005F6E000-memory.dmp	upx
behavioral2/memory/3028-82-0x0000000004EE0000-0x0000000005F6E000-memory.dmp	upx
behavioral2/memory/3028-84-0x0000000004EE0000-0x0000000005F6E000-memory.dmp	upx
behavioral2/memory/3028-85-0x0000000004EE0000-0x0000000005F6E000-memory.dmp	upx
behavioral2/memory/3028-97-0x0000000004EE0000-0x0000000005F6E000-memory.dmp	upx
behavioral2/memory/3028-143-0x0000000004EE0000-0x0000000005F6E000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exerundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\rundll32.exe"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exerundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	rundll32.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
File opened (read-only)	\??\B:	rundll32.exe
File opened (read-only)	\??\J:	rundll32.exe
File opened (read-only)	\??\M:	rundll32.exe
File opened (read-only)	\??\P:	rundll32.exe
File opened (read-only)	\??\V:	rundll32.exe
File opened (read-only)	\??\X:	rundll32.exe
File opened (read-only)	\??\A:	rundll32.exe
File opened (read-only)	\??\U:	rundll32.exe
File opened (read-only)	\??\E:	rundll32.exe
File opened (read-only)	\??\S:	rundll32.exe
File opened (read-only)	\??\T:	rundll32.exe
File opened (read-only)	\??\Y:	rundll32.exe
File opened (read-only)	\??\I:	rundll32.exe
File opened (read-only)	\??\H:	rundll32.exe
File opened (read-only)	\??\K:	rundll32.exe
File opened (read-only)	\??\L:	rundll32.exe
File opened (read-only)	\??\N:	rundll32.exe
File opened (read-only)	\??\O:	rundll32.exe
File opened (read-only)	\??\Q:	rundll32.exe
File opened (read-only)	\??\R:	rundll32.exe
File opened (read-only)	\??\G:	rundll32.exe
File opened (read-only)	\??\Z:	rundll32.exe
File opened (read-only)	\??\W:	rundll32.exe

Drops file in Windows directory 1 IoCs

Processes:

bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe

description ioc process

File opened for modification C:\Windows\SYSTEM.INI bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exerundll32.exe

pid	process
4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
3028	rundll32.exe
3028	rundll32.exe
3028	rundll32.exe
3028	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Token: SeDebugPrivilege	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exerundll32.exe

pid process

4700 bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
3028 rundll32.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exerundll32.exe

description	pid	process	target process
PID 4700 wrote to memory of 772	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe	fontdrvhost.exe
PID 4700 wrote to memory of 776	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe	fontdrvhost.exe
PID 4700 wrote to memory of 380	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe	dwm.exe
PID 4700 wrote to memory of 2688	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe	sihost.exe
PID 4700 wrote to memory of 2804	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe	svchost.exe
PID 4700 wrote to memory of 3036	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe	taskhostw.exe
PID 4700 wrote to memory of 3552	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe	Explorer.EXE
PID 4700 wrote to memory of 3672	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe	svchost.exe
PID 4700 wrote to memory of 3860	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe	DllHost.exe
PID 4700 wrote to memory of 4044	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe	StartMenuExperienceHost.exe
PID 4700 wrote to memory of 1060	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe	RuntimeBroker.exe
PID 4700 wrote to memory of 2884	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe	SearchApp.exe
PID 4700 wrote to memory of 3780	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe	RuntimeBroker.exe
PID 4700 wrote to memory of 468	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe	TextInputHost.exe
PID 4700 wrote to memory of 4740	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe	RuntimeBroker.exe
PID 4700 wrote to memory of 116	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe	backgroundTaskHost.exe
PID 4700 wrote to memory of 2236	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe	backgroundTaskHost.exe
PID 4700 wrote to memory of 3028	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe	rundll32.exe
PID 4700 wrote to memory of 3028	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe	rundll32.exe
PID 4700 wrote to memory of 3028	4700	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe	rundll32.exe
PID 3028 wrote to memory of 772	3028	rundll32.exe	fontdrvhost.exe
PID 3028 wrote to memory of 776	3028	rundll32.exe	fontdrvhost.exe
PID 3028 wrote to memory of 380	3028	rundll32.exe	dwm.exe
PID 3028 wrote to memory of 2688	3028	rundll32.exe	sihost.exe
PID 3028 wrote to memory of 2804	3028	rundll32.exe	svchost.exe
PID 3028 wrote to memory of 3036	3028	rundll32.exe	taskhostw.exe
PID 3028 wrote to memory of 3552	3028	rundll32.exe	Explorer.EXE
PID 3028 wrote to memory of 3672	3028	rundll32.exe	svchost.exe
PID 3028 wrote to memory of 3860	3028	rundll32.exe	DllHost.exe
PID 3028 wrote to memory of 4044	3028	rundll32.exe	StartMenuExperienceHost.exe
PID 3028 wrote to memory of 1060	3028	rundll32.exe	RuntimeBroker.exe
PID 3028 wrote to memory of 2884	3028	rundll32.exe	SearchApp.exe
PID 3028 wrote to memory of 3780	3028	rundll32.exe	RuntimeBroker.exe
PID 3028 wrote to memory of 468	3028	rundll32.exe	TextInputHost.exe
PID 3028 wrote to memory of 4740	3028	rundll32.exe	RuntimeBroker.exe
PID 3028 wrote to memory of 116	3028	rundll32.exe	backgroundTaskHost.exe
PID 3028 wrote to memory of 4316	3028	rundll32.exe	RuntimeBroker.exe
PID 3028 wrote to memory of 1676	3028	rundll32.exe	RuntimeBroker.exe
PID 3028 wrote to memory of 772	3028	rundll32.exe	fontdrvhost.exe
PID 3028 wrote to memory of 776	3028	rundll32.exe	fontdrvhost.exe
PID 3028 wrote to memory of 380	3028	rundll32.exe	dwm.exe
PID 3028 wrote to memory of 2688	3028	rundll32.exe	sihost.exe
PID 3028 wrote to memory of 2804	3028	rundll32.exe	svchost.exe
PID 3028 wrote to memory of 3036	3028	rundll32.exe	taskhostw.exe
PID 3028 wrote to memory of 3552	3028	rundll32.exe	Explorer.EXE
PID 3028 wrote to memory of 3672	3028	rundll32.exe	svchost.exe
PID 3028 wrote to memory of 3860	3028	rundll32.exe	DllHost.exe
PID 3028 wrote to memory of 4044	3028	rundll32.exe	StartMenuExperienceHost.exe
PID 3028 wrote to memory of 1060	3028	rundll32.exe	RuntimeBroker.exe
PID 3028 wrote to memory of 2884	3028	rundll32.exe	SearchApp.exe
PID 3028 wrote to memory of 3780	3028	rundll32.exe	RuntimeBroker.exe
PID 3028 wrote to memory of 468	3028	rundll32.exe	TextInputHost.exe
PID 3028 wrote to memory of 4740	3028	rundll32.exe	RuntimeBroker.exe
PID 3028 wrote to memory of 116	3028	rundll32.exe	backgroundTaskHost.exe
PID 3028 wrote to memory of 4316	3028	rundll32.exe	RuntimeBroker.exe
PID 3028 wrote to memory of 1676	3028	rundll32.exe	RuntimeBroker.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exerundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	rundll32.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:772

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:776

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:380

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2804

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:3036

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3552

C:\Users\Admin\AppData\Local\Temp\bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\bebb67767b53cd13f67283cdc9bd9570_NeikiAnalytics.exe"
2⤵
- Modifies firewall policy service
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4700

C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
3⤵
- Modifies firewall policy service
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3672

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3860

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4044

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1060

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2884

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3780

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:468

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4740

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:116

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2236

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4316

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0E5751D9_Rar\rundll32.exe

Filesize
664KB

MD5
9f4ad2e1a21330ed5442d666e37a3b47

SHA1
af241db65197924eab63e20fd481bbdd8aafb053

SHA256
d895f7d839dedecac0558587ec722eb06ecf352399380aa6137052e1bc168783

SHA512
c9763e0c148ac7ced9263256afaae6d08de6a6b42a688df91d2faf7973ae725da9ed74cd88f1393ce6aa96e8bd227da9c0c7421af2be21427c3d102bd7018dfb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe

Filesize
732KB

MD5
bebb67767b53cd13f67283cdc9bd9570

SHA1
b02fe6f21cdf9a6377c2cf0b3de608f7117f6d90

SHA256
0c1c157c24d9fe99e7dadd695926dd3d61dfa973a8c7a755968b730b8815d1d2

SHA512
c2be48ff93f5645ccf5fc7305382c5ab4a803bd39d4165f6bd3a73e7daa8db6047708485b2f54c5eefb3637946b4e3eeece77c4ae9a507bcd88de1422770b7fa

Download Submit
C:\Windows\SYSTEM.INI

Filesize
256B

MD5
9851a59f14d2cb5ea31e172071710918

SHA1
caca4e5b0810a524b0c183ad8ecc2ab239fd81af

SHA256
a1d3e99d3a4f1cd254e68df44205a5070a731407781034a44ae4851fd6728d0f

SHA512
0146a468ffe8274c6ab17f381963c4a93688d7b4499885041323eaa6a876a19cd537dba8be6af5ce6e1ad1a2fdbf7771040e83d21bd6156779e33f202aa3b6f4

Download Submit
C:\sbgw.exe

Filesize
100KB

MD5
22c26b74cc515118355bec62eb82b700

SHA1
b4245ebf1c0829428ed174f293cfc0ef0f9c5f0a

SHA256
bdfae6414ca9a23b94dc82c42e1f6ddc41acd1f18c3a2e9d1d3b2b3e1266438b

SHA512
740fcc9c3df783b34e0d843c93a7d499bcefb6aff5ff88925ab9727c0cb25f63993c5718914ba1d349cd0a2964d8ff2b0835fb887027dc786d694671d381885d

Download Submit
memory/3028-69-0x0000000004EE0000-0x0000000005F6E000-memory.dmp

Filesize
16.6MB

Download
memory/3028-71-0x0000000004EE0000-0x0000000005F6E000-memory.dmp

Filesize
16.6MB

Download
memory/3028-50-0x0000000004EE0000-0x0000000005F6E000-memory.dmp

Filesize
16.6MB

Download
memory/3028-143-0x0000000004EE0000-0x0000000005F6E000-memory.dmp

Filesize
16.6MB

Download
memory/3028-142-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3028-113-0x0000000000A10000-0x0000000000A12000-memory.dmp

Filesize
8KB

Download
memory/3028-53-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/3028-85-0x0000000004EE0000-0x0000000005F6E000-memory.dmp

Filesize
16.6MB

Download
memory/3028-84-0x0000000004EE0000-0x0000000005F6E000-memory.dmp

Filesize
16.6MB

Download
memory/3028-82-0x0000000004EE0000-0x0000000005F6E000-memory.dmp

Filesize
16.6MB

Download
memory/3028-81-0x0000000004EE0000-0x0000000005F6E000-memory.dmp

Filesize
16.6MB

Download
memory/3028-49-0x0000000004EE0000-0x0000000005F6E000-memory.dmp

Filesize
16.6MB

Download
memory/3028-27-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3028-77-0x0000000004EE0000-0x0000000005F6E000-memory.dmp

Filesize
16.6MB

Download
memory/3028-74-0x0000000004EE0000-0x0000000005F6E000-memory.dmp

Filesize
16.6MB

Download
memory/3028-73-0x0000000004EE0000-0x0000000005F6E000-memory.dmp

Filesize
16.6MB

Download
memory/3028-70-0x0000000004EE0000-0x0000000005F6E000-memory.dmp

Filesize
16.6MB

Download
memory/3028-67-0x0000000004EE0000-0x0000000005F6E000-memory.dmp

Filesize
16.6MB

Download
memory/3028-66-0x0000000004EE0000-0x0000000005F6E000-memory.dmp

Filesize
16.6MB

Download
memory/3028-65-0x0000000004EE0000-0x0000000005F6E000-memory.dmp

Filesize
16.6MB

Download
memory/3028-54-0x0000000004EE0000-0x0000000005F6E000-memory.dmp

Filesize
16.6MB

Download
memory/3028-55-0x0000000004EE0000-0x0000000005F6E000-memory.dmp

Filesize
16.6MB

Download
memory/3028-51-0x0000000004EE0000-0x0000000005F6E000-memory.dmp

Filesize
16.6MB

Download
memory/3028-60-0x0000000000A10000-0x0000000000A12000-memory.dmp

Filesize
8KB

Download
memory/3028-59-0x0000000004EE0000-0x0000000005F6E000-memory.dmp

Filesize
16.6MB

Download
memory/3028-58-0x0000000000A10000-0x0000000000A12000-memory.dmp

Filesize
8KB

Download
memory/3028-63-0x0000000004EE0000-0x0000000005F6E000-memory.dmp

Filesize
16.6MB

Download
memory/3028-97-0x0000000004EE0000-0x0000000005F6E000-memory.dmp

Filesize
16.6MB

Download
memory/3028-78-0x0000000004EE0000-0x0000000005F6E000-memory.dmp

Filesize
16.6MB

Download
memory/3028-57-0x0000000004EE0000-0x0000000005F6E000-memory.dmp

Filesize
16.6MB

Download
memory/3028-48-0x0000000004EE0000-0x0000000005F6E000-memory.dmp

Filesize
16.6MB

Download
memory/3028-46-0x0000000004EE0000-0x0000000005F6E000-memory.dmp

Filesize
16.6MB

Download
memory/3028-56-0x0000000004EE0000-0x0000000005F6E000-memory.dmp

Filesize
16.6MB

Download
memory/3028-64-0x0000000004EE0000-0x0000000005F6E000-memory.dmp

Filesize
16.6MB

Download
memory/4700-42-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4700-1-0x00000000032C0000-0x000000000434E000-memory.dmp

Filesize
16.6MB

Download
memory/4700-19-0x00000000032C0000-0x000000000434E000-memory.dmp

Filesize
16.6MB

Download
memory/4700-20-0x00000000032C0000-0x000000000434E000-memory.dmp

Filesize
16.6MB

Download
memory/4700-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4700-23-0x00000000032C0000-0x000000000434E000-memory.dmp

Filesize
16.6MB

Download
memory/4700-7-0x00000000032C0000-0x000000000434E000-memory.dmp

Filesize
16.6MB

Download
memory/4700-14-0x00000000032C0000-0x000000000434E000-memory.dmp

Filesize
16.6MB

Download
memory/4700-16-0x00000000032C0000-0x000000000434E000-memory.dmp

Filesize
16.6MB

Download
memory/4700-13-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/4700-28-0x00000000032C0000-0x000000000434E000-memory.dmp

Filesize
16.6MB

Download
memory/4700-5-0x00000000032C0000-0x000000000434E000-memory.dmp

Filesize
16.6MB

Download
memory/4700-17-0x00000000032C0000-0x000000000434E000-memory.dmp

Filesize
16.6MB

Download
memory/4700-4-0x00000000032C0000-0x000000000434E000-memory.dmp

Filesize
16.6MB

Download
memory/4700-10-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/4700-11-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/4700-6-0x00000000032C0000-0x000000000434E000-memory.dmp

Filesize
16.6MB

Download
memory/4700-3-0x00000000032C0000-0x000000000434E000-memory.dmp

Filesize
16.6MB

Download
memory/4700-15-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/4700-34-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download