Malware Analysis Report

2024-09-11 12:57

Sample ID 240612-m6fs6ascmf
Target 3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe
SHA256 9d84abefcbed56b89ef1586675f0be8c3b5f96466a93e0f106d62e1f4f0fc403
Tags
sality backdoor evasion persistence trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9d84abefcbed56b89ef1586675f0be8c3b5f96466a93e0f106d62e1f4f0fc403

Threat Level: Known bad

The file 3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion persistence trojan upx

Windows security bypass

Sality

UAC bypass

Modifies firewall policy service

Disables RegEdit via registry modification

Disables Task Manager via registry modification

Executes dropped EXE

UPX packed file

Deletes itself

Loads dropped DLL

Windows security modification

Adds Run key to start application

Checks whether UAC is enabled

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Create or Modify System Process
T1543
Windows Service
T1543.003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Create or Modify System Process
T1543
Windows Service
T1543.003
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Modify Registry
T1112
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Impair Defenses
T1562
Disable or Modify Tools
T1562.001
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-12 11:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 11:04

Reported

2024-06-12 11:06

Platform

win7-20240419-en

Max time kernel

21s

Max time network

16s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\ProgramData\rwsacd.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\ProgramData\rwsacd.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\ProgramData\rwsacd.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\ProgramData\rwsacd.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\ProgramData\rwsacd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\ProgramData\rwsacd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\ProgramData\rwsacd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\ProgramData\rwsacd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\ProgramData\rwsacd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\ProgramData\rwsacd.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" C:\ProgramData\rwsacd.exe N/A

Disables Task Manager via registry modification

evasion

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\rwsacd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\rwsacd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\ProgramData\rwsacd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\ProgramData\rwsacd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\ProgramData\rwsacd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\ProgramData\rwsacd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\ProgramData\rwsacd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\ProgramData\rwsacd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\ProgramData\rwsacd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\rwsacd.exe" C:\ProgramData\rwsacd.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\ProgramData\rwsacd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
N/A N/A C:\ProgramData\rwsacd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\rwsacd.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\rwsacd.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\rwsacd.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\rwsacd.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\rwsacd.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\rwsacd.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\rwsacd.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\rwsacd.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\rwsacd.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\rwsacd.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\rwsacd.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\rwsacd.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\rwsacd.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\rwsacd.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\rwsacd.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\rwsacd.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\rwsacd.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\rwsacd.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\rwsacd.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\rwsacd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2468 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe C:\Windows\system32\taskhost.exe
PID 2468 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe C:\Windows\system32\Dwm.exe
PID 2468 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 2468 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 2468 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe C:\ProgramData\rwsacd.exe
PID 2468 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe C:\ProgramData\rwsacd.exe
PID 2468 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe C:\ProgramData\rwsacd.exe
PID 2468 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe C:\ProgramData\rwsacd.exe
PID 2700 wrote to memory of 1048 N/A C:\ProgramData\rwsacd.exe C:\Windows\system32\taskhost.exe
PID 2700 wrote to memory of 1092 N/A C:\ProgramData\rwsacd.exe C:\Windows\system32\Dwm.exe
PID 2700 wrote to memory of 1168 N/A C:\ProgramData\rwsacd.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\ProgramData\rwsacd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe"

C:\ProgramData\rwsacd.exe

"C:\ProgramData\rwsacd.exe"

Network

N/A

Files

memory/2468-0-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2468-1-0x0000000001FD0000-0x000000000305E000-memory.dmp

memory/2468-2-0x0000000001FD0000-0x000000000305E000-memory.dmp

memory/2468-4-0x0000000001FD0000-0x000000000305E000-memory.dmp

memory/2468-7-0x0000000001FD0000-0x000000000305E000-memory.dmp

memory/2468-25-0x0000000003750000-0x0000000003751000-memory.dmp

memory/2468-26-0x00000000008C0000-0x00000000008C2000-memory.dmp

memory/2468-27-0x00000000008C0000-0x00000000008C2000-memory.dmp

\ProgramData\rwsacd.exe

MD5 dc82d9db2ec2c19d75aaa69b0801502d
SHA1 33b168672d5053894b8412ff793b13b005c5a83f
SHA256 019eed9260359958457cd26037dda53d3cca4e7dc9aec2e8f6de84273f9b4101
SHA512 19525d128e635f792d454b3f538e50608d182466694c88119198bbb03b00fc3eb9c7f60a6914877940a1ade5a76d3891736a06a0c43ec2b5e46850e5a9913ecc

memory/2700-48-0x0000000000400000-0x0000000000459000-memory.dmp

memory/2468-47-0x0000000005900000-0x0000000005959000-memory.dmp

memory/2468-38-0x0000000001FD0000-0x000000000305E000-memory.dmp

memory/2468-51-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2468-12-0x0000000001FD0000-0x000000000305E000-memory.dmp

memory/2468-23-0x0000000003750000-0x0000000003751000-memory.dmp

memory/2468-22-0x00000000008C0000-0x00000000008C2000-memory.dmp

memory/1048-13-0x0000000002010000-0x0000000002012000-memory.dmp

memory/2468-11-0x0000000001FD0000-0x000000000305E000-memory.dmp

memory/2468-8-0x0000000001FD0000-0x000000000305E000-memory.dmp

memory/2468-10-0x0000000001FD0000-0x000000000305E000-memory.dmp

memory/2468-5-0x0000000001FD0000-0x000000000305E000-memory.dmp

memory/2468-6-0x0000000001FD0000-0x000000000305E000-memory.dmp

C:\MSOCache .exe

MD5 d6601def24ba08503189d589a9a6b425
SHA1 3a46279ba9b7e7dc91f8d08b0c7cee037971d6e3
SHA256 d6fe73b326d7dfa84d5a55c1852e45effabf9c30bd8f68cee011eda075d35775
SHA512 e02983207d8ded11cb84c3e1b4e4375697a797122618fd09e33aa355c218cf573d58884deb2ad4aa42e36fb0c2b4930fe9ee0e5679204e14a30f61acb28a85a6

C:\ProgramData\Saaaalamm\Mira.h

MD5 6f1656028d98fceaa83d9b6f8cc5459d
SHA1 7f2e990ad5347f6613683e7efa86f08ebfa9f4a6
SHA256 2121af2516f030cebfd88efb6b6c195ecc4573cdbc79595253af54970a0a8a9a
SHA512 cc0ede5bd411363d4f6a81e20521af15865decedbfb539702744f8cafc2087533a513f4a7541cb0eb3447411397cd042d00232e9d091a97e09043711379ce71e

memory/2700-144-0x0000000000400000-0x0000000000459000-memory.dmp

memory/2700-149-0x0000000002370000-0x00000000033FE000-memory.dmp

memory/2700-150-0x0000000002370000-0x00000000033FE000-memory.dmp

memory/2700-154-0x0000000002370000-0x00000000033FE000-memory.dmp

memory/2700-153-0x0000000002370000-0x00000000033FE000-memory.dmp

memory/2700-152-0x0000000002370000-0x00000000033FE000-memory.dmp

memory/2700-148-0x0000000002370000-0x00000000033FE000-memory.dmp

memory/2700-155-0x0000000002370000-0x00000000033FE000-memory.dmp

memory/2700-151-0x0000000002370000-0x00000000033FE000-memory.dmp

memory/2700-170-0x0000000000630000-0x0000000000632000-memory.dmp

memory/2700-171-0x0000000000630000-0x0000000000632000-memory.dmp

memory/2700-169-0x0000000000890000-0x0000000000891000-memory.dmp

memory/2700-157-0x0000000002370000-0x00000000033FE000-memory.dmp

memory/2700-156-0x0000000002370000-0x00000000033FE000-memory.dmp

memory/2700-147-0x0000000002370000-0x00000000033FE000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 3bc0df160e7cb0a1d08a2a056a243bd3
SHA1 603449c25862ddd57d137aad84a8408cf7077da3
SHA256 3aed85bdc5f16bc014a85b7560b884e7bc8aa583db749fefe3615799e437f0c2
SHA512 2a4a6b731cfb46e706e7a5fc088818dadc7ef4f6c17b2b9256751f6a7ce5cb39de4a49f186acfece686d742b0301493f42c965fe21e18193a56c05ce65c093bb

memory/2700-172-0x0000000002370000-0x00000000033FE000-memory.dmp

memory/2700-203-0x0000000002370000-0x00000000033FE000-memory.dmp

memory/2700-208-0x0000000002370000-0x00000000033FE000-memory.dmp

memory/2700-521-0x0000000002370000-0x00000000033FE000-memory.dmp

memory/2700-591-0x0000000000630000-0x0000000000632000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 11:04

Reported

2024-06-12 11:06

Platform

win10v2004-20240611-en

Max time kernel

25s

Max time network

127s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\ProgramData\mbxkb.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\ProgramData\mbxkb.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\ProgramData\mbxkb.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\ProgramData\mbxkb.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\ProgramData\mbxkb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\ProgramData\mbxkb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\ProgramData\mbxkb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\ProgramData\mbxkb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\ProgramData\mbxkb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\ProgramData\mbxkb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" C:\ProgramData\mbxkb.exe N/A

Disables Task Manager via registry modification

evasion

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\mbxkb.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\mbxkb.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\ProgramData\mbxkb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\ProgramData\mbxkb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\ProgramData\mbxkb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\ProgramData\mbxkb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\ProgramData\mbxkb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\ProgramData\mbxkb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\ProgramData\mbxkb.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\mbxkb.exe" C:\ProgramData\mbxkb.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\ProgramData\mbxkb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
N/A N/A C:\ProgramData\mbxkb.exe N/A
N/A N/A C:\ProgramData\mbxkb.exe N/A
N/A N/A C:\ProgramData\mbxkb.exe N/A
N/A N/A C:\ProgramData\mbxkb.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\mbxkb.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\mbxkb.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4404 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 4404 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 4404 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe C:\Windows\system32\dwm.exe
PID 4404 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe C:\Windows\system32\sihost.exe
PID 4404 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 4404 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe C:\Windows\system32\taskhostw.exe
PID 4404 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 4404 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 4404 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 4404 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4404 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 4404 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4404 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 4404 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4404 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 4404 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4404 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4404 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe C:\Windows\system32\BackgroundTaskHost.exe
PID 4404 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe C:\ProgramData\mbxkb.exe
PID 4404 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe C:\ProgramData\mbxkb.exe
PID 4404 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe C:\ProgramData\mbxkb.exe
PID 2356 wrote to memory of 780 N/A C:\ProgramData\mbxkb.exe C:\Windows\system32\fontdrvhost.exe
PID 2356 wrote to memory of 788 N/A C:\ProgramData\mbxkb.exe C:\Windows\system32\fontdrvhost.exe
PID 2356 wrote to memory of 340 N/A C:\ProgramData\mbxkb.exe C:\Windows\system32\dwm.exe
PID 2356 wrote to memory of 2700 N/A C:\ProgramData\mbxkb.exe C:\Windows\system32\sihost.exe
PID 2356 wrote to memory of 772 N/A C:\ProgramData\mbxkb.exe C:\Windows\system32\svchost.exe
PID 2356 wrote to memory of 3140 N/A C:\ProgramData\mbxkb.exe C:\Windows\system32\taskhostw.exe
PID 2356 wrote to memory of 3376 N/A C:\ProgramData\mbxkb.exe C:\Windows\Explorer.EXE
PID 2356 wrote to memory of 3536 N/A C:\ProgramData\mbxkb.exe C:\Windows\system32\svchost.exe
PID 2356 wrote to memory of 3748 N/A C:\ProgramData\mbxkb.exe C:\Windows\system32\DllHost.exe
PID 2356 wrote to memory of 3840 N/A C:\ProgramData\mbxkb.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2356 wrote to memory of 3912 N/A C:\ProgramData\mbxkb.exe C:\Windows\System32\RuntimeBroker.exe
PID 2356 wrote to memory of 4012 N/A C:\ProgramData\mbxkb.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2356 wrote to memory of 4116 N/A C:\ProgramData\mbxkb.exe C:\Windows\System32\RuntimeBroker.exe
PID 2356 wrote to memory of 1308 N/A C:\ProgramData\mbxkb.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2356 wrote to memory of 524 N/A C:\ProgramData\mbxkb.exe C:\Windows\System32\RuntimeBroker.exe
PID 2356 wrote to memory of 4284 N/A C:\ProgramData\mbxkb.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2356 wrote to memory of 404 N/A C:\ProgramData\mbxkb.exe C:\Windows\System32\RuntimeBroker.exe
PID 2356 wrote to memory of 4428 N/A C:\ProgramData\mbxkb.exe C:\Windows\System32\RuntimeBroker.exe
PID 2356 wrote to memory of 780 N/A C:\ProgramData\mbxkb.exe C:\Windows\system32\fontdrvhost.exe
PID 2356 wrote to memory of 788 N/A C:\ProgramData\mbxkb.exe C:\Windows\system32\fontdrvhost.exe
PID 2356 wrote to memory of 340 N/A C:\ProgramData\mbxkb.exe C:\Windows\system32\dwm.exe
PID 2356 wrote to memory of 2700 N/A C:\ProgramData\mbxkb.exe C:\Windows\system32\sihost.exe
PID 2356 wrote to memory of 772 N/A C:\ProgramData\mbxkb.exe C:\Windows\system32\svchost.exe
PID 2356 wrote to memory of 3140 N/A C:\ProgramData\mbxkb.exe C:\Windows\system32\taskhostw.exe
PID 2356 wrote to memory of 3376 N/A C:\ProgramData\mbxkb.exe C:\Windows\Explorer.EXE
PID 2356 wrote to memory of 3536 N/A C:\ProgramData\mbxkb.exe C:\Windows\system32\svchost.exe
PID 2356 wrote to memory of 3748 N/A C:\ProgramData\mbxkb.exe C:\Windows\system32\DllHost.exe
PID 2356 wrote to memory of 3840 N/A C:\ProgramData\mbxkb.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2356 wrote to memory of 3912 N/A C:\ProgramData\mbxkb.exe C:\Windows\System32\RuntimeBroker.exe
PID 2356 wrote to memory of 4012 N/A C:\ProgramData\mbxkb.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2356 wrote to memory of 4116 N/A C:\ProgramData\mbxkb.exe C:\Windows\System32\RuntimeBroker.exe
PID 2356 wrote to memory of 1308 N/A C:\ProgramData\mbxkb.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2356 wrote to memory of 524 N/A C:\ProgramData\mbxkb.exe C:\Windows\System32\RuntimeBroker.exe
PID 2356 wrote to memory of 4284 N/A C:\ProgramData\mbxkb.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2356 wrote to memory of 404 N/A C:\ProgramData\mbxkb.exe C:\Windows\System32\RuntimeBroker.exe
PID 2356 wrote to memory of 4428 N/A C:\ProgramData\mbxkb.exe C:\Windows\System32\RuntimeBroker.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\ProgramData\mbxkb.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\BackgroundTaskHost.exe

"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider

C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3507dbf274b65cc1c6914ae559925750_NeikiAnalytics.exe"

C:\ProgramData\mbxkb.exe

"C:\ProgramData\mbxkb.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 243.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

memory/4404-0-0x0000000000400000-0x0000000000462000-memory.dmp

memory/4404-4-0x0000000002680000-0x000000000370E000-memory.dmp

memory/4404-3-0x0000000002680000-0x000000000370E000-memory.dmp

memory/4404-5-0x0000000002680000-0x000000000370E000-memory.dmp

memory/4404-7-0x0000000002680000-0x000000000370E000-memory.dmp

memory/4404-15-0x0000000004990000-0x0000000004992000-memory.dmp

memory/4404-12-0x0000000002680000-0x000000000370E000-memory.dmp

memory/4404-8-0x0000000002680000-0x000000000370E000-memory.dmp

memory/4404-11-0x0000000002680000-0x000000000370E000-memory.dmp

memory/4404-10-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

memory/4404-9-0x0000000004990000-0x0000000004992000-memory.dmp

memory/4404-14-0x0000000004990000-0x0000000004992000-memory.dmp

C:\ProgramData\mbxkb.exe

MD5 dc82d9db2ec2c19d75aaa69b0801502d
SHA1 33b168672d5053894b8412ff793b13b005c5a83f
SHA256 019eed9260359958457cd26037dda53d3cca4e7dc9aec2e8f6de84273f9b4101
SHA512 19525d128e635f792d454b3f538e50608d182466694c88119198bbb03b00fc3eb9c7f60a6914877940a1ade5a76d3891736a06a0c43ec2b5e46850e5a9913ecc

memory/4404-24-0x0000000004990000-0x0000000004992000-memory.dmp

memory/4404-35-0x0000000000400000-0x0000000000462000-memory.dmp

C:\ProgramData\Saaaalamm\Mira.h

MD5 6f1656028d98fceaa83d9b6f8cc5459d
SHA1 7f2e990ad5347f6613683e7efa86f08ebfa9f4a6
SHA256 2121af2516f030cebfd88efb6b6c195ecc4573cdbc79595253af54970a0a8a9a
SHA512 cc0ede5bd411363d4f6a81e20521af15865decedbfb539702744f8cafc2087533a513f4a7541cb0eb3447411397cd042d00232e9d091a97e09043711379ce71e

memory/4404-23-0x0000000002680000-0x000000000370E000-memory.dmp

memory/4404-13-0x0000000002680000-0x000000000370E000-memory.dmp

memory/2356-20-0x0000000000400000-0x0000000000459000-memory.dmp

memory/4404-1-0x0000000002680000-0x000000000370E000-memory.dmp

C:\Documents and Settings .exe

MD5 d33dc257d62819459bfc7150a7672879
SHA1 1664c94693192c4bab1af60e8f07682489310298
SHA256 c18d231cf53d68dc1a3832522f640ee0df55972d3412249a9a672ece7c155d63
SHA512 03e5395f02de572a0479b036e9ce72f079040c3996b1f8eb05e0f142c692bfaea60027018c40da1fccab77b6b1df9e1e6b30bf5fdd4dc26a608290708422b860

C:\Windows\SYSTEM.INI

MD5 3a189568068ba5dd77be28a0af62af48
SHA1 231992cfc797eb00d7a3128d1fc56c21b00665a2
SHA256 c71265a7f58b77993cd42c3543428fab426f44f6aac9999f70eb6b920987782e
SHA512 e0920de2238403123f4f1956a43b16a65749cbb06f23c408a0ece9cf11c85b9d3ca3d020ef6e6df031734262443a7c3432784352b95af14c7b7c52c384302dc6

memory/2356-100-0x00000000026C0000-0x000000000374E000-memory.dmp

memory/2356-102-0x00000000026C0000-0x000000000374E000-memory.dmp

memory/2356-101-0x00000000026C0000-0x000000000374E000-memory.dmp

memory/2356-97-0x00000000026C0000-0x000000000374E000-memory.dmp

memory/2356-106-0x00000000007D0000-0x00000000007D1000-memory.dmp

memory/2356-104-0x0000000000400000-0x0000000000459000-memory.dmp

memory/2356-103-0x00000000026C0000-0x000000000374E000-memory.dmp

memory/2356-99-0x00000000026C0000-0x000000000374E000-memory.dmp

memory/2356-108-0x00000000026C0000-0x000000000374E000-memory.dmp

memory/2356-112-0x00000000007C0000-0x00000000007C2000-memory.dmp

memory/2356-111-0x00000000026C0000-0x000000000374E000-memory.dmp

memory/2356-110-0x00000000007C0000-0x00000000007C2000-memory.dmp

memory/2356-109-0x00000000026C0000-0x000000000374E000-memory.dmp

memory/2356-144-0x00000000026C0000-0x000000000374E000-memory.dmp

memory/2356-122-0x00000000026C0000-0x000000000374E000-memory.dmp

memory/2356-145-0x00000000026C0000-0x000000000374E000-memory.dmp

memory/2356-146-0x00000000026C0000-0x000000000374E000-memory.dmp

memory/2356-180-0x00000000026C0000-0x000000000374E000-memory.dmp

memory/2356-184-0x00000000026C0000-0x000000000374E000-memory.dmp

memory/2356-186-0x00000000026C0000-0x000000000374E000-memory.dmp

memory/2356-221-0x00000000026C0000-0x000000000374E000-memory.dmp

memory/2356-225-0x00000000026C0000-0x000000000374E000-memory.dmp

memory/2356-227-0x00000000026C0000-0x000000000374E000-memory.dmp

memory/2356-231-0x00000000026C0000-0x000000000374E000-memory.dmp

memory/2356-232-0x00000000026C0000-0x000000000374E000-memory.dmp

memory/2356-266-0x00000000026C0000-0x000000000374E000-memory.dmp

memory/2356-271-0x00000000026C0000-0x000000000374E000-memory.dmp

memory/2356-272-0x00000000026C0000-0x000000000374E000-memory.dmp

memory/2356-307-0x00000000026C0000-0x000000000374E000-memory.dmp

memory/2356-308-0x00000000026C0000-0x000000000374E000-memory.dmp

memory/2356-309-0x00000000026C0000-0x000000000374E000-memory.dmp

memory/2356-310-0x00000000026C0000-0x000000000374E000-memory.dmp

memory/2356-586-0x00000000026C0000-0x000000000374E000-memory.dmp

memory/2356-647-0x00000000007C0000-0x00000000007C2000-memory.dmp