Malware Analysis Report

2025-01-18 13:52

Sample ID 240613-dkcd6swbkm
Target 595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe
SHA256 c9775b084e3456bc7beb320f45c5d1181b84ea42d396ae09e41cd3cedb31ea41
Tags
upx persistence
score
10/10

Analysis Overview

score
10/10

SHA256

c9775b084e3456bc7beb320f45c5d1181b84ea42d396ae09e41cd3cedb31ea41

Threat Level: Known bad

The file 595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

upx persistence

Modifies WinLogon for persistence

Executes dropped EXE

UPX packed file

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Kills process with taskkill

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 03:03

Signatures

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 03:03

Reported

2024-06-13 03:06

Platform

win7-20240508-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\2DD1889.exe\"" C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\2DD1889.exe\"" C:\Windows\2DD1889.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\2DD1889.exe\"" C:\Windows\2DD1889QTQTTZ.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\2DD1889.exe N/A
N/A N/A C:\Windows\2DD1889QTQTTZ.exe N/A
N/A N/A C:\Windows\2DD1889QTQTTZ.exe N/A
N/A N/A C:\Windows\2DD1889.exe N/A
N/A N/A C:\Windows\2DD1889.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\2DD1889.exe = "C:\\Windows\\2DD1889.exe" C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\2DD1889.exe = "C:\\Windows\\2DD1889.exe" C:\Windows\2DD1889.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\2DD1889.exe = "C:\\Windows\\2DD1889.exe" C:\Windows\2DD1889QTQTTZ.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\2DD1889QTQTTZ.exe C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\2DD1889.exe C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2084 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2084 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2084 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2084 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2084 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2084 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2084 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2084 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2084 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2084 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2084 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2084 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2084 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2084 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2084 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe C:\Windows\2DD1889.exe
PID 2552 wrote to memory of 2796 N/A C:\Windows\2DD1889.exe C:\Windows\SysWOW64\TASKKILL.exe

Processes

C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe"

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM services.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM smss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM services.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM smss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T

C:\Windows\2DD1889.exe

C:\Windows\2DD1889.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM services.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM smss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM services.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM smss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T

C:\Windows\2DD1889QTQTTZ.exe

C:\Windows\2DD1889QTQTTZ.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM services.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM smss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM services.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM smss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T

C:\Windows\2DD1889QTQTTZ.exe

C:\Windows\2DD1889QTQTTZ.exe

C:\Windows\2DD1889.exe

C:\Windows\2DD1889.exe

C:\Windows\2DD1889.exe

C:\Windows\2DD1889.exe

Network

N/A

Files

C:\Windows\2DD1889QTQTTZ.exe

MD5 367ce4336cead85be93cb2d2dcbdffbe
SHA1 c6850eb965a2b6424502e419e78392bdbefb8a65
SHA256 ea2e67e1ec68f064f1f5c595aa792159ee58a1eb6eb49cbfe4fbf7da7a1a8bbe
SHA512 5ed7bca592842ca6ce6706f0d8e00612b6ced720c7ffbe785be9ef74cc3ec24a5de0ec8749134d972831329f88aee63722002d5a8fd7cb41d2b57c0bda2e1475

C:\Windows\2DD1889.exe

MD5 1d04b731e6eff9fc4160d870a20f793e
SHA1 1da3daa3296c58e372db5e5f201d17a6ca7becb0
SHA256 d04c018ca93017b4a5ff660eb1cd1fd6979774f01a25ded8d28c70b81b584cfa
SHA512 79c62cd5407676e73f11373c46ef0d6800254101da790cb0441c11cacfd14364281770e048afb3dd199a60f924d6e6275b639c572d2fa589827eb4442b702c0f


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 03:03

Reported

2024-06-13 03:06

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\2DD1889.exe\"" C:\Windows\2DD1889.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\2DD1889.exe\"" C:\Windows\2DD1889QTQTTZ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\2DD1889.exe\"" C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\2DD1889.exe N/A
N/A N/A C:\Windows\2DD1889QTQTTZ.exe N/A
N/A N/A C:\Windows\2DD1889QTQTTZ.exe N/A
N/A N/A C:\Windows\2DD1889.exe N/A
N/A N/A C:\Windows\2DD1889.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\2DD1889.exe = "C:\\Windows\\2DD1889.exe" C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\2DD1889.exe = "C:\\Windows\\2DD1889.exe" C:\Windows\2DD1889.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\2DD1889.exe = "C:\\Windows\\2DD1889.exe" C:\Windows\2DD1889QTQTTZ.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\2DD1889.exe C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\2DD1889QTQTTZ.exe C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TASKKILL.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3124 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3124 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3124 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3124 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3124 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3124 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3124 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3124 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3124 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3124 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3124 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3124 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3124 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3124 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3124 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe C:\Windows\2DD1889.exe
PID 3512 wrote to memory of 2708 N/A C:\Windows\2DD1889.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3512 wrote to memory of 2876 N/A C:\Windows\2DD1889.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3512 wrote to memory of 4004 N/A C:\Windows\2DD1889.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3512 wrote to memory of 1740 N/A C:\Windows\2DD1889.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3512 wrote to memory of 944 N/A C:\Windows\2DD1889.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3512 wrote to memory of 4704 N/A C:\Windows\2DD1889.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3512 wrote to memory of 4204 N/A C:\Windows\2DD1889.exe C:\Windows\SysWOW64\TASKKILL.exe

Processes

C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\595f2e93b06dd486f3eb92e113f95b40_NeikiAnalytics.exe"

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM services.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM smss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T

C:\Windows\2DD1889.exe

C:\Windows\2DD1889.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM services.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM smss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T

C:\Windows\2DD1889QTQTTZ.exe

C:\Windows\2DD1889QTQTTZ.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM services.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM smss.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T

C:\Windows\2DD1889QTQTTZ.exe

C:\Windows\2DD1889QTQTTZ.exe

C:\Windows\2DD1889.exe

C:\Windows\2DD1889.exe

C:\Windows\2DD1889.exe

C:\Windows\2DD1889.exe

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

memory/3124-0-0x0000000000400000-0x000000000040F000-memory.dmp

C:\Windows\2DD1889.exe

MD5 99e1710d11c09ca4e980bfd6d2e986c7
SHA1 0a5cfb7f6bbbb640423f96f9022f2fd00091cacc
SHA256 69b7fb6926018591189f0c6a31a23b852273788acb4143e1914e253d1a8b0427
SHA512 893a1b8bb934f4074cf295db14eca7bf734b7faee9997ef38b7873489420593a10c365dd940e6995f8ea5fcc3bc1d399d3a8d7874f5f0bee8e0fd468d6efddd8

memory/3512-10-0x0000000000400000-0x000000000040F000-memory.dmp

C:\Windows\2DD1889QTQTTZ.exe

MD5 b60050e4986ebda75680ced43ce51aa7
SHA1 6a75f2557a09fabf95b5ca404eed598c4b9ca613
SHA256 32bb0e7c55dec24c5853f76a3a0346ebacbd3ed4e66f6603823cb944c0139780
SHA512 a2a0c60c1eb8be200cb8a0749ce0d9cdd8f65027d210dc9ada48f0c9fbf36ae66bc6214d21616ac5b07432b59e8c3553ac5a97fda34c2f28c234c16c115d6ae9
