Malware Analysis Report

2024-10-19 11:02

Sample ID 240523-z53yhsha53
Target 8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe
SHA256 aa59eb46bae7e3596d4077f90d0e761347f231483a381b12c63e81a54381eef5
Tags upx adware persistence stealer
Score 7/10

Analysis Overview

Score 7/10

SHA256 aa59eb46bae7e3596d4077f90d0e761347f231483a381b12c63e81a54381eef5

Threat Level: Shows suspicious behavior

The file 8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

upx adware persistence stealer

UPX packed file

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Installs/modifies Browser Helper Object

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Modifies registry key

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of WriteProcessMemory

Gathers network information

Analysis: static1

Detonation Overview

Reported 2024-05-23 21:18

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-23 21:18

Reported 2024-05-23 21:21

Platform win7-20240419-en

Max time kernel 141s

Max time network 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Explorrer = "C:\\Users\\Admin\\AppData\\Roaming\\AppsData\\Explorrer.exe -notray" C:\Windows\SysWOW64\reg.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE274C2C-2133-4B4B-93B3-8F21486DABC0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Enumerates physical storage devices

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Approved Extensions C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{3543619C-D563-43f7-95EA-4DA7E1CC396A} = 51667a6c4c1d3b1b003ad2d87fc9ac0780c431c2a3933e7f C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\ = "IE MANAGER" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\IE\\bho.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0} C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1860 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe
PID 2584 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 2752 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 2752 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 2576 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe C:\Windows\SysWOW64\ipconfig.exe
PID 1588 wrote to memory of 1216 N/A C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\cmd.exe
PID 1216 wrote to memory of 1604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1700 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1700 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe -notray

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

"C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe"

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

"C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe"

C:\Windows\SysWOW64\ipconfig.exe

"C:\Windows\system32\ipconfig.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\GUQSWUXI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Explorrer /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe -notray" /f

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /u /s "C:\Users\Admin\AppData\Roaming\IE\bho.dll"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\IE\bho.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 leatrix.org udp
US 15.197.142.173:80 leatrix.org tcp
US 15.197.142.173:80 leatrix.org tcp

Files

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

MD5 d4fc158b6bf8f9dc66e0a347f686f673
SHA1 fc86b99a7ee6c58a2afce37f586328473793ad4f
SHA256 f42452f214339c8dcaf7070d83d3139598d12dc262625b200c788c317e51b13c
SHA512 2c096ff5967b403a3f1159a050b87de5c226d81929864dff15c0f75c336f5df45c9d9fd127b96d33686a59b8bce60e717e0ba43489e132266d7fb973b5f13631

C:\Users\Admin\AppData\Local\Temp\GUQSWUXI.bat

MD5 02cbdd547ced25f8f7dc814d9169d567
SHA1 fc9697d828dcda615f6edd3e49a55b9307dbd311
SHA256 ec250cdf89523b18688d45fdc11bc93e46547a574ef59e03426c098f6b887c07
SHA512 cec1b6c5d843408e3cb6345a3430d8469a07c09677e1bd4c522c41ee29dbd941236a8dd9963410c69a165f3913c30aa22cfd206e51a59b9ffd160c38e70cfe3f

C:\Users\Admin\AppData\Roaming\IE\bho.dll

MD5 49a92a33d1775b45b3bd45f8bec24585
SHA1 ea404af50bbdad5cbc9f95f4068bdc30c9fceff6
SHA256 976540cf1b4d04d80be1f1af8ea0f050c3f03a0a8c4e339589b7bb9180fc07f5
SHA512 7d5c4ea5c6f950a41bff386289df88b3f6d78444d7eeaa8a426569ce7698c2dfa916ae02d321af2be839c20e53b2ba9b3bb6a1573cad3b578733b082f0dc292f

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-23 21:18

Reported 2024-05-23 21:21

Platform win10v2004-20240426-en

Max time kernel 144s

Max time network 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE274C2C-2133-4B4B-93B3-8F21486DABC0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\ipconfig.exe

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\Approved Extensions C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions\{3543619C-D563-43f7-95EA-4DA7E1CC396A} = 51667a6c4c1d3b1b003ad2d87fc9ac0780c431c2a3933e7f C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\IE\\bho.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\ = "IE MANAGER" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 460 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe
PID 2796 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 4600 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 4600 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 4088 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe C:\Windows\SysWOW64\ipconfig.exe
PID 4544 wrote to memory of 220 N/A C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4544 wrote to memory of 112 N/A C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe -notray

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

"C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe"

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

"C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe"

C:\Windows\SysWOW64\ipconfig.exe

"C:\Windows\system32\ipconfig.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /u /s "C:\Users\Admin\AppData\Roaming\IE\bho.dll"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\IE\bho.dll"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1996 -ip 1996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 272

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 130.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.57:443 www.bing.com tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 57.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 leatrix.org udp
US 15.197.142.173:80 leatrix.org tcp
US 15.197.142.173:80 leatrix.org tcp
US 8.8.8.8:53 173.142.197.15.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

MD5 52655b32ac350f61e86e26ded74dafcf
SHA1 cd0473d1b6241cf6e87369edfc7c46f34878f7d2
SHA256 c3a6e70a31781036b668c693f124e8b134edb7de5c3819764375b501440b1cbc
SHA512 c2271ef44b46924492cff6482915cb63bf0d71d770f99ff23beb7bcc86343ba73746d3a0c5438ee721541d2e48dfc17ecf21ffc6dbe19d5369e9c028806e93e6

C:\Users\Admin\AppData\Roaming\IE\bho.dll

MD5 49a92a33d1775b45b3bd45f8bec24585
SHA1 ea404af50bbdad5cbc9f95f4068bdc30c9fceff6
SHA256 976540cf1b4d04d80be1f1af8ea0f050c3f03a0a8c4e339589b7bb9180fc07f5
SHA512 7d5c4ea5c6f950a41bff386289df88b3f6d78444d7eeaa8a426569ce7698c2dfa916ae02d321af2be839c20e53b2ba9b3bb6a1573cad3b578733b082f0dc292f
