Malware Analysis Report

2024-09-11 12:22

Sample ID 240614-pf9pnazgnf
Target beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe
SHA256 31a8e7b5f0649df197cca6b351a8b6b5cd2b725bac70a0fbc7008bf627f43f83
Tags
sality backdoor evasion persistence trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

Modifies firewall policy service

UAC bypass

Windows security bypass

Sality

Disables RegEdit via registry modification

Disables Task Manager via registry modification

Loads dropped DLL

Deletes itself

Windows security modification

UPX packed file

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System policy modification

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 12:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 12:17

Reported

2024-06-14 12:20

Platform

win7-20240611-en

Max time kernel

22s

Max time network

124s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\ProgramData\pappbt.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\ProgramData\pappbt.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\ProgramData\pappbt.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\ProgramData\pappbt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\ProgramData\pappbt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\ProgramData\pappbt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\ProgramData\pappbt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\ProgramData\pappbt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\ProgramData\pappbt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\ProgramData\pappbt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" C:\ProgramData\pappbt.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A

Disables Task Manager via registry modification

evasion

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\pappbt.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\pappbt.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\ProgramData\pappbt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\ProgramData\pappbt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\ProgramData\pappbt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\ProgramData\pappbt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\ProgramData\pappbt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\ProgramData\pappbt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\ProgramData\pappbt.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\pappbt.exe" C:\ProgramData\pappbt.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\ProgramData\pappbt.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A
N/A N/A C:\ProgramData\pappbt.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\pappbt.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2840 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe C:\ProgramData\pappbt.exe
PID 2840 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe C:\Windows\system32\taskhost.exe
PID 2840 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe C:\Windows\system32\Dwm.exe
PID 2840 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 2840 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 2624 wrote to memory of 1220 N/A C:\ProgramData\pappbt.exe C:\Windows\system32\taskhost.exe
PID 2624 wrote to memory of 1304 N/A C:\ProgramData\pappbt.exe C:\Windows\system32\Dwm.exe
PID 2624 wrote to memory of 1368 N/A C:\ProgramData\pappbt.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\ProgramData\pappbt.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe"

C:\ProgramData\pappbt.exe

"C:\ProgramData\pappbt.exe"

Network

N/A

Files

C:\ProgramData\pappbt.exe

MD5 cd4dff21cdd4c6c7f8f4b846a6d0e9d5
SHA1 200f6801fcec220ad8979192b1bc42312572b9ad
SHA256 1a7484f91defd0cd6c625048126fc9b9afd309126812058c8f5a6a4cd35ab924
SHA512 1264da88098433af4f46d49cb94419d01d796396aa60b24709cbb2613ceed2c1f6375b929e7b47d6ab75115cbd9af76130e506c1eb36ec04ccb33680c9b9f02f

C:\ProgramData\Saaaalamm\Mira.h

MD5 6f1656028d98fceaa83d9b6f8cc5459d
SHA1 7f2e990ad5347f6613683e7efa86f08ebfa9f4a6
SHA256 2121af2516f030cebfd88efb6b6c195ecc4573cdbc79595253af54970a0a8a9a
SHA512 cc0ede5bd411363d4f6a81e20521af15865decedbfb539702744f8cafc2087533a513f4a7541cb0eb3447411397cd042d00232e9d091a97e09043711379ce71e

C:\MSOCache .exe

MD5 938c7659e46d3dee5d4e0db9d29893b8
SHA1 0ab98797b005da2b3858bb4751104479809d1b7d
SHA256 ab46a8c4ba8e3c8527a7bd262372d1f7d8d16a7cc883d7dccc766f31e5e9f0b2
SHA512 624ea2941500be5aeed435124d765d78e3b4f6eefdb6cf7cdf7323ab429e0d4e6415c98dbf094528808ce233266434be9b25f6a556276ae8105c5b4d66a5499d

C:\Windows\SYSTEM.INI

MD5 a93d313b45cbddc40e266aedc032da00
SHA1 6a57d802b5c4b275bc7877d8945800b1f3b34613
SHA256 6f42b14c7aae3233126bca2cd62c7bd8a4169509f182ad848b3ad699df6589b3
SHA512 36347c3f8113164bc2f3ae96e9551b14b41ac763df408d3e45d3a1ee1739908e060f01fe1ded5a5dd3730489223dadd65f2df45d79fcf87e1a6ac95b2e8b89e4

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 12:17

Reported

2024-06-14 12:20

Platform

win10v2004-20240508-en

Max time kernel

22s

Max time network

151s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\ProgramData\heqam.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\ProgramData\heqam.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\ProgramData\heqam.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\ProgramData\heqam.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\ProgramData\heqam.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\ProgramData\heqam.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\ProgramData\heqam.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\ProgramData\heqam.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\ProgramData\heqam.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\ProgramData\heqam.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" C:\ProgramData\heqam.exe N/A

Disables Task Manager via registry modification

evasion

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\heqam.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\heqam.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\ProgramData\heqam.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\ProgramData\heqam.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\ProgramData\heqam.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\ProgramData\heqam.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\ProgramData\heqam.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\ProgramData\heqam.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\ProgramData\heqam.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\heqam.exe" C:\ProgramData\heqam.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\ProgramData\heqam.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3920 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 3920 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 3920 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe C:\Windows\system32\dwm.exe
PID 3920 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe C:\Windows\system32\sihost.exe
PID 3920 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 3920 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe C:\Windows\system32\taskhostw.exe
PID 3920 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 3920 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 3920 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 3920 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3920 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3920 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3920 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3920 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3920 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3920 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3920 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe C:\ProgramData\heqam.exe
PID 4148 wrote to memory of 796 N/A C:\ProgramData\heqam.exe C:\Windows\system32\fontdrvhost.exe
PID 4148 wrote to memory of 804 N/A C:\ProgramData\heqam.exe C:\Windows\system32\fontdrvhost.exe
PID 4148 wrote to memory of 316 N/A C:\ProgramData\heqam.exe C:\Windows\system32\dwm.exe
PID 4148 wrote to memory of 2636 N/A C:\ProgramData\heqam.exe C:\Windows\system32\sihost.exe
PID 4148 wrote to memory of 3120 N/A C:\ProgramData\heqam.exe C:\Windows\system32\svchost.exe
PID 4148 wrote to memory of 3200 N/A C:\ProgramData\heqam.exe C:\Windows\system32\taskhostw.exe
PID 4148 wrote to memory of 3500 N/A C:\ProgramData\heqam.exe C:\Windows\Explorer.EXE
PID 4148 wrote to memory of 3628 N/A C:\ProgramData\heqam.exe C:\Windows\system32\svchost.exe
PID 4148 wrote to memory of 3824 N/A C:\ProgramData\heqam.exe C:\Windows\system32\DllHost.exe
PID 4148 wrote to memory of 3948 N/A C:\ProgramData\heqam.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4148 wrote to memory of 4012 N/A C:\ProgramData\heqam.exe C:\Windows\System32\RuntimeBroker.exe
PID 4148 wrote to memory of 4092 N/A C:\ProgramData\heqam.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4148 wrote to memory of 4140 N/A C:\ProgramData\heqam.exe C:\Windows\System32\RuntimeBroker.exe
PID 4148 wrote to memory of 4288 N/A C:\ProgramData\heqam.exe C:\Windows\System32\RuntimeBroker.exe
PID 4148 wrote to memory of 4544 N/A C:\ProgramData\heqam.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4148 wrote to memory of 3568 N/A C:\ProgramData\heqam.exe C:\Windows\System32\RuntimeBroker.exe
PID 4148 wrote to memory of 772 N/A C:\ProgramData\heqam.exe C:\Windows\System32\RuntimeBroker.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\ProgramData\heqam.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\beb5adf4ae8a73da530d622acfa6d6c0_NeikiAnalytics.exe"

C:\ProgramData\heqam.exe

"C:\ProgramData\heqam.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

Network

Country Destination Domain Proto
US 52.111.229.48:443 tcp

Files

C:\ProgramData\Saaaalamm\Mira.h

MD5 6f1656028d98fceaa83d9b6f8cc5459d
SHA1 7f2e990ad5347f6613683e7efa86f08ebfa9f4a6
SHA256 2121af2516f030cebfd88efb6b6c195ecc4573cdbc79595253af54970a0a8a9a
SHA512 cc0ede5bd411363d4f6a81e20521af15865decedbfb539702744f8cafc2087533a513f4a7541cb0eb3447411397cd042d00232e9d091a97e09043711379ce71e

C:\Documents and Settings .exe

MD5 61281987c620e21bab219c5ac66ea1d6
SHA1 0aa796af537ccc8f0730d07ac3f633d683a58e25
SHA256 42b7dca43598c8417753ad9841bf9fa0aabec71efda7458a520b4ef2ebf6abbb
SHA512 b6ae81b4c1e88ffc42f6ac3b9eae2f6fe644c3bbaf001b2af8adf721a06802c434942eb47f01ba157cac4e462dd8ca383f5e6f21e92cf133793b066c6c67a287

C:\ProgramData\heqam.exe

MD5 cd4dff21cdd4c6c7f8f4b846a6d0e9d5
SHA1 200f6801fcec220ad8979192b1bc42312572b9ad
SHA256 1a7484f91defd0cd6c625048126fc9b9afd309126812058c8f5a6a4cd35ab924
SHA512 1264da88098433af4f46d49cb94419d01d796396aa60b24709cbb2613ceed2c1f6375b929e7b47d6ab75115cbd9af76130e506c1eb36ec04ccb33680c9b9f02f

C:\Windows\SYSTEM.INI

MD5 d2842e2cd63fed7f4ce7746f8f911e86
SHA1 734487ca11e2012a1b4e964537c7567a7fd3729e
SHA256 a45985257d7f56da67f876889a9d0b7ccae82eedb19883e5c93f122a125a43f5
SHA512 e78e1ec78abf54dbd142e2e635d6b9558eee7a737f822d71ef7bbe34a1d405ed6a41ee8078a7394fd96322fd6b389e96eaabdbefbd4e0a3dff7abf0753ad1bf9
