Malware Analysis Report

2024-10-19 11:03

Sample ID 240524-we3naaec24
Target f1f0bc22079b5b2b33ec560b0a64c330_NeikiAnalytics.exe
SHA256 ebb8f40ced7bc2272ef320188049ca5e08e33ef6d9847185d784a27b3846d70e
Tags
upx adware persistence stealer
score
7/10

Analysis Overview

score
7/10

SHA256

ebb8f40ced7bc2272ef320188049ca5e08e33ef6d9847185d784a27b3846d70e

Threat Level: Shows suspicious behavior

The file f1f0bc22079b5b2b33ec560b0a64c330_NeikiAnalytics.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

upx adware persistence stealer

UPX packed file

Loads dropped DLL

Executes dropped EXE

Installs/modifies Browser Helper Object

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Enumerates physical storage devices

Modifies registry key

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of WriteProcessMemory

Gathers network information

Modifies Internet Explorer settings

Analysis: static1

Detonation Overview

Reported

2024-05-24 17:50

Signatures

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-05-24 17:50

Reported

2024-05-24 17:53

Platform

win7-20240221-en

Max time kernel

142s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f1f0bc22079b5b2b33ec560b0a64c330_NeikiAnalytics.exe"

Signatures

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Explorrer = "C:\\Users\\Admin\\AppData\\Roaming\\AppsData\\Explorrer.exe -notray" C:\Windows\SysWOW64\reg.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE274C2C-2133-4B4B-93B3-8F21486DABC0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Enumerates physical storage devices

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Approved Extensions C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{3543619C-D563-43f7-95EA-4DA7E1CC396A} = 51667a6c4c1d3b1b003ad2d87fc9ac0780c431c2a3933e7f C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\ = "IE MANAGER" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\IE\\bho.dll" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2664 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\f1f0bc22079b5b2b33ec560b0a64c330_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\f1f0bc22079b5b2b33ec560b0a64c330_NeikiAnalytics.exe
PID 2532 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\f1f0bc22079b5b2b33ec560b0a64c330_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 2368 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 2368 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 1948 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe C:\Windows\SysWOW64\ipconfig.exe
PID 1520 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1660 wrote to memory of 2836 N/A C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\cmd.exe
PID 1520 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2836 wrote to memory of 1000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f1f0bc22079b5b2b33ec560b0a64c330_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\f1f0bc22079b5b2b33ec560b0a64c330_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\f1f0bc22079b5b2b33ec560b0a64c330_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\f1f0bc22079b5b2b33ec560b0a64c330_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe -notray

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

"C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe"

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

"C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe"

C:\Windows\SysWOW64\ipconfig.exe

"C:\Windows\system32\ipconfig.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /u /s "C:\Users\Admin\AppData\Roaming\IE\bho.dll"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SKJRFFGB.bat" "

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\IE\bho.dll"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Explorrer /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe -notray" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 leatrix.org udp
US 15.197.142.173:80 leatrix.org tcp
US 15.197.142.173:80 leatrix.org tcp

Files

\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

MD5 8d6b7a1973e2cb270540ee8d087d27b5
SHA1 5658043b8bc0e6b6017f810902be475e4c4c27a6
SHA256 b1f6a56ae7f96bcc2d1891b0001567ce769800135b866e432a7f0208372f763c
SHA512 fc7a7103be01a1bbf4df85571160fcfa3602af021f99798754136534e6f1bddc7673760efd404af062aa967d8bfb79e3f59a35a6c636547e7dfef4aeb6c2ed65

C:\Users\Admin\AppData\Local\Temp\SKJRFFGB.bat

MD5 02cbdd547ced25f8f7dc814d9169d567
SHA1 fc9697d828dcda615f6edd3e49a55b9307dbd311
SHA256 ec250cdf89523b18688d45fdc11bc93e46547a574ef59e03426c098f6b887c07
SHA512 cec1b6c5d843408e3cb6345a3430d8469a07c09677e1bd4c522c41ee29dbd941236a8dd9963410c69a165f3913c30aa22cfd206e51a59b9ffd160c38e70cfe3f

\Users\Admin\AppData\Roaming\IE\bho.dll

MD5 49a92a33d1775b45b3bd45f8bec24585
SHA1 ea404af50bbdad5cbc9f95f4068bdc30c9fceff6
SHA256 976540cf1b4d04d80be1f1af8ea0f050c3f03a0a8c4e339589b7bb9180fc07f5
SHA512 7d5c4ea5c6f950a41bff386289df88b3f6d78444d7eeaa8a426569ce7698c2dfa916ae02d321af2be839c20e53b2ba9b3bb6a1573cad3b578733b082f0dc292f

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-24 17:50

Reported

2024-05-24 17:53

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f1f0bc22079b5b2b33ec560b0a64c330_NeikiAnalytics.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

UPX packed file

upx

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE274C2C-2133-4B4B-93B3-8F21486DABC0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\ipconfig.exe

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Approved Extensions C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions\{3543619C-D563-43f7-95EA-4DA7E1CC396A} = 51667a6c4c1d3b1b003ad2d87fc9ac0780c431c2a3933e7f C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\ = "IE MANAGER" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\IE\\bho.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5040 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\f1f0bc22079b5b2b33ec560b0a64c330_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\f1f0bc22079b5b2b33ec560b0a64c330_NeikiAnalytics.exe
PID 2796 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\f1f0bc22079b5b2b33ec560b0a64c330_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 3552 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 3552 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
PID 4380 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe C:\Windows\SysWOW64\ipconfig.exe
PID 2220 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2220 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f1f0bc22079b5b2b33ec560b0a64c330_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\f1f0bc22079b5b2b33ec560b0a64c330_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\f1f0bc22079b5b2b33ec560b0a64c330_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\f1f0bc22079b5b2b33ec560b0a64c330_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe -notray

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1312 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

"C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe"

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

"C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe"

C:\Windows\SysWOW64\ipconfig.exe

"C:\Windows\system32\ipconfig.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3620 -ip 3620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 272

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /u /s "C:\Users\Admin\AppData\Roaming\IE\bho.dll"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\IE\bho.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 107.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 leatrix.org udp
US 15.197.142.173:80 leatrix.org tcp
US 15.197.142.173:80 leatrix.org tcp
US 8.8.8.8:53 173.142.197.15.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.187.202:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 202.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe

MD5 196d813dcd973d8c67226f6bc536269b
SHA1 dcf076ee2b0222754d52b3457f856d365cb8ca02
SHA256 a94fd1ea0cbf62f791ca06d5f76b7bf87bafcc03ae66aed3fff4a6c3e1428a6e
SHA512 682e283c267bb80a43e7816aef568927a811f890b677cbb56bf86139303abf5bb98b27aa997e561aa9287e982340e457194ca4b6bededfa52b0dd314e195290f

C:\Users\Admin\AppData\Roaming\IE\bho.dll

MD5 49a92a33d1775b45b3bd45f8bec24585
SHA1 ea404af50bbdad5cbc9f95f4068bdc30c9fceff6
SHA256 976540cf1b4d04d80be1f1af8ea0f050c3f03a0a8c4e339589b7bb9180fc07f5
SHA512 7d5c4ea5c6f950a41bff386289df88b3f6d78444d7eeaa8a426569ce7698c2dfa916ae02d321af2be839c20e53b2ba9b3bb6a1573cad3b578733b082f0dc292f
