Malware Analysis Report

2025-08-10 12:16

Sample ID 240610-12yeassemd
Target 1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe
SHA256 0e90a3fb1722c7dbc684ff259cb2657a84d06c4bc21bce02c372fab639aa6c1e
Tags
upx persistence
score
10/10

Analysis Overview

score
10/10

SHA256

0e90a3fb1722c7dbc684ff259cb2657a84d06c4bc21bce02c372fab639aa6c1e

Threat Level: Known bad

The file 1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

upx persistence

Modifies WinLogon for persistence

Executes dropped EXE

UPX packed file

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-10 22:09

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 22:09

Reported

2024-06-10 22:11

Platform

win7-20240508-en

Max time kernel

150s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\1D6600A.exe\"" C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\1D6600A.exe\"" C:\Windows\1D6600A.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\1D6600A.exe\"" C:\Windows\1D6600ASSQZSV.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\1D6600A.exe N/A
N/A N/A C:\Windows\1D6600ASSQZSV.exe N/A
N/A N/A C:\Windows\1D6600ASSQZSV.exe N/A
N/A N/A C:\Windows\1D6600A.exe N/A
N/A N/A C:\Windows\1D6600A.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\1D6600A.exe = "C:\\Windows\\1D6600A.exe" C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\1D6600A.exe = "C:\\Windows\\1D6600A.exe" C:\Windows\1D6600A.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\1D6600A.exe = "C:\\Windows\\1D6600A.exe" C:\Windows\1D6600ASSQZSV.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\1D6600ASSQZSV.exe C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\1D6600A.exe C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2844 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2844 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2844 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2844 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2844 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2844 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2844 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2844 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2844 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2844 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2844 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2844 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2844 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2844 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2844 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe C:\Windows\1D6600A.exe
PID 2200 wrote to memory of 2104 N/A C:\Windows\1D6600A.exe C:\Windows\SysWOW64\TASKKILL.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe"

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM services.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM smss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM services.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM smss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T

C:\Windows\1D6600A.exe

C:\Windows\1D6600A.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM services.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM smss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM services.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM smss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T

C:\Windows\1D6600ASSQZSV.exe

C:\Windows\1D6600ASSQZSV.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM services.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM smss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM services.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM smss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T

C:\Windows\1D6600ASSQZSV.exe

C:\Windows\1D6600ASSQZSV.exe

C:\Windows\1D6600A.exe

C:\Windows\1D6600A.exe

C:\Windows\1D6600A.exe

C:\Windows\1D6600A.exe

Network

N/A

Files

C:\Windows\1D6600A.exe

MD5 0727f639efb9f92749d6aef08ae2d902
SHA1 43097640d04a07228c1d52d376a122fa185d65f9
SHA256 c2ccbae0a961a025f103f59768dde94149d3c5d8f80ae4dbe0b2d1fe3c8fa955
SHA512 547ebc7674d7a4ce0751a5d6f6ece4878873a5e8fcf90ef82ec309216bca0e90024fecd0d29c19ef37f0602abba57253534e152270416dacd556b8e2cd09c610

C:\Windows\1D6600ASSQZSV.exe

MD5 dd8458aedbbd4a0ef1cc0030fe232d87
SHA1 425ce52efeed2db6d81d39b7c56555597578ab48
SHA256 11dce98da4350436be3a2bd90d320839d418c832883dc81e9f421ba0a9c4919b
SHA512 acf84e6a83eaefeea5beda5c000b878e662052964f1a2ec1e755cc3e4cef3b1db4f46c58b3e5939e5428ab9aa8363e8bea1ffdd1fd7c9d6806419f61faf29f72

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 22:09

Reported

2024-06-10 22:11

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\1D6600A.exe\"" C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\1D6600A.exe\"" C:\Windows\1D6600A.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\1D6600A.exe\"" C:\Windows\1D6600ASSQZSV.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\1D6600A.exe N/A
N/A N/A C:\Windows\1D6600ASSQZSV.exe N/A
N/A N/A C:\Windows\1D6600ASSQZSV.exe N/A
N/A N/A C:\Windows\1D6600A.exe N/A
N/A N/A C:\Windows\1D6600A.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1D6600A.exe = "C:\\Windows\\1D6600A.exe" C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1D6600A.exe = "C:\\Windows\\1D6600A.exe" C:\Windows\1D6600A.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1D6600A.exe = "C:\\Windows\\1D6600A.exe" C:\Windows\1D6600ASSQZSV.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\1D6600A.exe C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\1D6600ASSQZSV.exe C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3324 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3324 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3324 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3324 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3324 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3324 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3324 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3324 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3324 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3324 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3324 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3324 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3324 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3324 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3324 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe C:\Windows\1D6600A.exe
PID 3080 wrote to memory of 3996 N/A C:\Windows\1D6600A.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3080 wrote to memory of 3968 N/A C:\Windows\1D6600A.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3080 wrote to memory of 3880 N/A C:\Windows\1D6600A.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3080 wrote to memory of 1808 N/A C:\Windows\1D6600A.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3080 wrote to memory of 2156 N/A C:\Windows\1D6600A.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3080 wrote to memory of 1052 N/A C:\Windows\1D6600A.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3080 wrote to memory of 5088 N/A C:\Windows\1D6600A.exe C:\Windows\SysWOW64\TASKKILL.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe"

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM services.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM smss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM services.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM smss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T

C:\Windows\1D6600A.exe

C:\Windows\1D6600A.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM services.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM smss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM services.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM smss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T

C:\Windows\1D6600ASSQZSV.exe

C:\Windows\1D6600ASSQZSV.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM services.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM smss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM services.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM smss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T

C:\Windows\1D6600ASSQZSV.exe

C:\Windows\1D6600ASSQZSV.exe

C:\Windows\1D6600A.exe

C:\Windows\1D6600A.exe

C:\Windows\1D6600A.exe

C:\Windows\1D6600A.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
N/A 224.0.0.251:5353 udp

Files

memory/3324-0-0x0000000000400000-0x000000000040F000-memory.dmp

C:\Windows\1D6600ASSQZSV.exe

MD5 d5df33021ae9d196431bbf2f9498ebbd
SHA1 07adb50306b248d7f2286ac9efb7a9b298fa5438
SHA256 935bdc794957a925b277f57e9bcdea37447d178b7138bc8395122f9850ced70f
SHA512 5c2c9b86beb413a77e579866bc35e428e29396cd71e26c4d7d0651e21e038f048d0253c96981ae79087495260e35219ab2909dee52634c6a6fc61286f6a4d4e3

memory/3080-10-0x0000000000400000-0x000000000040F000-memory.dmp

C:\Windows\1D6600A.exe

MD5 80c6d202d1baa4e47c68c299e02a5b83
SHA1 a2dce074163bed60d4c9ee548135c3ddd6c39307
SHA256 d1cd4f0b72ba3fc5c2e2ef0e42fa080490ef61b195a6a9a927fecd4013b48efa
SHA512 07f1f171caed67fe45218b7bbff93ced98d20a8f4222aad829d0b519d2d1855bc054fe90ea78a3fb26873502d9139fb04b90f977a41943df562de4c12f99b1f2
