4c54fc3a6fc6be212b8fed13a9d961e8170405affb4f1d451d0d1c2af144892b

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

593676fa9e86e2baefcab6c33797eca0_NeikiAnalytics.exe
Size

63KB
MD5

593676fa9e86e2baefcab6c33797eca0
SHA1

9da38f64f0186e581eccaa27b739aa1a40f445b0
SHA256

4c54fc3a6fc6be212b8fed13a9d961e8170405affb4f1d451d0d1c2af144892b
SHA512

83be788ba011bb7c4ba6ed9dccb3113e26f1972f0586bc670a66610bd5b5992d52dcbc64a25c49a08fff32876f7d478801b246526a7129b41a3fedd6d2b89caf
SSDEEP

1536:frC3+G8wNlKI+xxZHFF17gNrFIJfakVZ04DX6fl:GewNsIAhFbZVZ0MK9

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Jdhine32.exeKgdbkohf.exeMcpebmkb.exeNbhkac32.exeJpjqhgol.exeIpegmg32.exeJdmcidam.exeLkdggmlj.exeMjhqjg32.exeImihfl32.exeNnolfdcn.exeJjpeepnb.exeMjeddggd.exeNklfoi32.exeNqiogp32.exeNcldnkae.exeIcljbg32.exeJdjfcecp.exeKilhgk32.exeLaalifad.exeMjjmog32.exeIbjqcd32.exeHjhfnccl.exeIjdeiaio.exeIpckgh32.exeNkqpjidj.exeHpbaqj32.exeJfffjqdf.exeKgmlkp32.exeNnmopdep.exeHfofbd32.exeJaedgjjd.exeJdcpcf32.exeJiikak32.exeIcjmmg32.exeKphmie32.exeLgbnmm32.exeMnocof32.exeMdiklqhm.exeHmioonpn.exeKacphh32.exeMglack32.exeLcbiao32.exeMaohkd32.exeMcbahlip.exeIikopmkd.exeNacbfdao.exeHmklen32.exeLaefdf32.exeMcnhmm32.exeImpepm32.exeJmbklj32.exeJidbflcj.exeKbfiep32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icljbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Impepm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfiep32.exe

Executes dropped EXE 64 IoCs

Processes:

Hpbaqj32.exeHbanme32.exeHjhfnccl.exeHabnjm32.exeHpenfjad.exeHfofbd32.exeHmioonpn.exeHbeghene.exeHjmoibog.exeHmklen32.exeHcedaheh.exeHfcpncdk.exeHmmhjm32.exeIpldfi32.exeIbjqcd32.exeIjaida32.exeImpepm32.exeIcjmmg32.exeIjdeiaio.exeIannfk32.exeIcljbg32.exeIfjfnb32.exeImdnklfp.exeIpckgh32.exeIikopmkd.exeIpegmg32.exeIfopiajn.exeImihfl32.exeJaedgjjd.exeJdcpcf32.exeJjmhppqd.exeJmkdlkph.exeJpjqhgol.exeJjpeepnb.exeJaimbj32.exeJdhine32.exeJfffjqdf.exeJidbflcj.exeJaljgidl.exeJdjfcecp.exeJkdnpo32.exeJmbklj32.exeJdmcidam.exeJfkoeppq.exeJiikak32.exeKdopod32.exeKgmlkp32.exeKilhgk32.exeKacphh32.exeKbdmpqcb.exeKgphpo32.exeKinemkko.exeKphmie32.exeKbfiep32.exeKipabjil.exeKagichjo.exeKdffocib.exeKgdbkohf.exeKkpnlm32.exeKmnjhioc.exeKdhbec32.exeKgfoan32.exeLmqgnhmp.exeLpocjdld.exe

pid	process
3052	Hpbaqj32.exe
1260	Hbanme32.exe
3956	Hjhfnccl.exe
3372	Habnjm32.exe
2396	Hpenfjad.exe
3652	Hfofbd32.exe
5000	Hmioonpn.exe
2912	Hbeghene.exe
1816	Hjmoibog.exe
3076	Hmklen32.exe
2408	Hcedaheh.exe
4436	Hfcpncdk.exe
2328	Hmmhjm32.exe
1108	Ipldfi32.exe
4696	Ibjqcd32.exe
4676	Ijaida32.exe
1048	Impepm32.exe
4872	Icjmmg32.exe
3456	Ijdeiaio.exe
1268	Iannfk32.exe
2924	Icljbg32.exe
1072	Ifjfnb32.exe
3908	Imdnklfp.exe
1628	Ipckgh32.exe
1556	Iikopmkd.exe
3228	Ipegmg32.exe
1916	Ifopiajn.exe
1852	Imihfl32.exe
1400	Jaedgjjd.exe
2708	Jdcpcf32.exe
316	Jjmhppqd.exe
4316	Jmkdlkph.exe
1604	Jpjqhgol.exe
912	Jjpeepnb.exe
1372	Jaimbj32.exe
4716	Jdhine32.exe
5084	Jfffjqdf.exe
3832	Jidbflcj.exe
408	Jaljgidl.exe
3644	Jdjfcecp.exe
2988	Jkdnpo32.exe
872	Jmbklj32.exe
3304	Jdmcidam.exe
3216	Jfkoeppq.exe
3020	Jiikak32.exe
2680	Kdopod32.exe
1236	Kgmlkp32.exe
2384	Kilhgk32.exe
5076	Kacphh32.exe
3508	Kbdmpqcb.exe
2668	Kgphpo32.exe
4240	Kinemkko.exe
3968	Kphmie32.exe
4444	Kbfiep32.exe
1308	Kipabjil.exe
4260	Kagichjo.exe
4636	Kdffocib.exe
4612	Kgdbkohf.exe
4376	Kkpnlm32.exe
2820	Kmnjhioc.exe
4780	Kdhbec32.exe
2604	Kgfoan32.exe
5036	Lmqgnhmp.exe
3328	Lpocjdld.exe

Drops file in System32 directory 64 IoCs

Processes:

Hfcpncdk.exeJfkoeppq.exeMjjmog32.exeNbhkac32.exeIcjmmg32.exeJkdnpo32.exeJjmhppqd.exeMnapdf32.exeMaaepd32.exeNdghmo32.exeHabnjm32.exeHjmoibog.exeHmmhjm32.exeJidbflcj.exeMciobn32.exeNqiogp32.exeHpenfjad.exeHbeghene.exeIjdeiaio.exeKacphh32.exeLkdggmlj.exeNkqpjidj.exeHmklen32.exeKbfiep32.exeKdffocib.exeMjqjih32.exeNcldnkae.exeKgphpo32.exeKgfoan32.exeLmqgnhmp.exeLpocjdld.exeLaalifad.exeLgbnmm32.exeMkpgck32.exeMdpalp32.exeNgcgcjnc.exeJfffjqdf.exeKkpnlm32.exeNklfoi32.exeJdmcidam.exeNbkhfc32.exeIpckgh32.exeJjpeepnb.exeLaefdf32.exeMgnnhk32.exeHmioonpn.exeJdhine32.exeMaohkd32.exeNnjbke32.exeKilhgk32.exeLilanioo.exeIpegmg32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Hmmhjm32.exe	Hfcpncdk.exe
File opened for modification	C:\Windows\SysWOW64\Jiikak32.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Ijdeiaio.exe	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Jmbklj32.exe	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Qnoaog32.dll	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Kijjfe32.dll	Habnjm32.exe
File created	C:\Windows\SysWOW64\Hmklen32.exe	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Bekppcpp.dll	Hmmhjm32.exe
File opened for modification	C:\Windows\SysWOW64\Jaljgidl.exe	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Dnplgc32.dll	Hpenfjad.exe
File opened for modification	C:\Windows\SysWOW64\Hjmoibog.exe	Hbeghene.exe
File created	C:\Windows\SysWOW64\Kbmebabl.dll	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Ojmmkpmf.dll	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Hcedaheh.exe	Hmklen32.exe
File created	C:\Windows\SysWOW64\Iannfk32.exe	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Kbmfdgkm.dll	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Kinemkko.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Bdiihjon.dll	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Jmkdlkph.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Cpjljp32.dll	Jkdnpo32.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Mfpoqooh.dll	Jdmcidam.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Lihoogdd.dll	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Jaimbj32.exe	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Hbeghene.exe	Hmioonpn.exe
File opened for modification	C:\Windows\SysWOW64\Ipldfi32.exe	Hmmhjm32.exe
File created	C:\Windows\SysWOW64\Olmeac32.dll	Jdhine32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Jaimbj32.exe	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Ipmack32.dll	Ipegmg32.exe
File opened for modification	C:\Windows\SysWOW64\Jmbklj32.exe	Jkdnpo32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5528 5300 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
5528	5300	WerFault.exe	Nkcmohbg.exe

Modifies registry class 64 IoCs

Processes:

Nnolfdcn.exeJidbflcj.exeKipabjil.exeMaaepd32.exeIpckgh32.exeJaedgjjd.exeLmqgnhmp.exeNnjbke32.exeHmklen32.exeKgmlkp32.exeLddbqa32.exeLijdhiaa.exeLaalifad.exeJdjfcecp.exeKdhbec32.exeKgfoan32.exeJdhine32.exeKgphpo32.exeKagichjo.exeLmccchkn.exeHcedaheh.exeIfjfnb32.exeIpegmg32.exeLaefdf32.exeMdiklqhm.exeMcpebmkb.exeNbkhfc32.exeHmioonpn.exeMjqjih32.exeMkpgck32.exeLkiqbl32.exeMglack32.exeMgnnhk32.exeNnhfee32.exeHabnjm32.exeHfcpncdk.exeKdopod32.exeKinemkko.exeNklfoi32.exeNkqpjidj.exeNcldnkae.exe593676fa9e86e2baefcab6c33797eca0_NeikiAnalytics.exeJiikak32.exeLcpllo32.exeMcklgm32.exeMnapdf32.exeJjmhppqd.exeJfkoeppq.exeLcmofolg.exeNddkgonp.exeIcljbg32.exeJmkdlkph.exeMnocof32.exeKbfiep32.exeKkpnlm32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihoogdd.dll"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgiacnii.dll"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkdeek32.dll"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmklen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmpolji.dll"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekmihm32.dll"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipmack32.dll"	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	593676fa9e86e2baefcab6c33797eca0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqnkb32.dll"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndninjfg.dll"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mdiklqhm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

593676fa9e86e2baefcab6c33797eca0_NeikiAnalytics.exeHpbaqj32.exeHbanme32.exeHjhfnccl.exeHabnjm32.exeHpenfjad.exeHfofbd32.exeHmioonpn.exeHbeghene.exeHjmoibog.exeHmklen32.exeHcedaheh.exeHfcpncdk.exeHmmhjm32.exeIpldfi32.exeIbjqcd32.exeIjaida32.exeImpepm32.exeIcjmmg32.exeIjdeiaio.exeIannfk32.exeIcljbg32.exe

description	pid	process	target process
PID 5092 wrote to memory of 3052	5092	593676fa9e86e2baefcab6c33797eca0_NeikiAnalytics.exe	Hpbaqj32.exe
PID 5092 wrote to memory of 3052	5092	593676fa9e86e2baefcab6c33797eca0_NeikiAnalytics.exe	Hpbaqj32.exe
PID 5092 wrote to memory of 3052	5092	593676fa9e86e2baefcab6c33797eca0_NeikiAnalytics.exe	Hpbaqj32.exe
PID 3052 wrote to memory of 1260	3052	Hpbaqj32.exe	Hbanme32.exe
PID 3052 wrote to memory of 1260	3052	Hpbaqj32.exe	Hbanme32.exe
PID 3052 wrote to memory of 1260	3052	Hpbaqj32.exe	Hbanme32.exe
PID 1260 wrote to memory of 3956	1260	Hbanme32.exe	Hjhfnccl.exe
PID 1260 wrote to memory of 3956	1260	Hbanme32.exe	Hjhfnccl.exe
PID 1260 wrote to memory of 3956	1260	Hbanme32.exe	Hjhfnccl.exe
PID 3956 wrote to memory of 3372	3956	Hjhfnccl.exe	Habnjm32.exe
PID 3956 wrote to memory of 3372	3956	Hjhfnccl.exe	Habnjm32.exe
PID 3956 wrote to memory of 3372	3956	Hjhfnccl.exe	Habnjm32.exe
PID 3372 wrote to memory of 2396	3372	Habnjm32.exe	Hpenfjad.exe
PID 3372 wrote to memory of 2396	3372	Habnjm32.exe	Hpenfjad.exe
PID 3372 wrote to memory of 2396	3372	Habnjm32.exe	Hpenfjad.exe
PID 2396 wrote to memory of 3652	2396	Hpenfjad.exe	Hfofbd32.exe
PID 2396 wrote to memory of 3652	2396	Hpenfjad.exe	Hfofbd32.exe
PID 2396 wrote to memory of 3652	2396	Hpenfjad.exe	Hfofbd32.exe
PID 3652 wrote to memory of 5000	3652	Hfofbd32.exe	Hmioonpn.exe
PID 3652 wrote to memory of 5000	3652	Hfofbd32.exe	Hmioonpn.exe
PID 3652 wrote to memory of 5000	3652	Hfofbd32.exe	Hmioonpn.exe
PID 5000 wrote to memory of 2912	5000	Hmioonpn.exe	Hbeghene.exe
PID 5000 wrote to memory of 2912	5000	Hmioonpn.exe	Hbeghene.exe
PID 5000 wrote to memory of 2912	5000	Hmioonpn.exe	Hbeghene.exe
PID 2912 wrote to memory of 1816	2912	Hbeghene.exe	Hjmoibog.exe
PID 2912 wrote to memory of 1816	2912	Hbeghene.exe	Hjmoibog.exe
PID 2912 wrote to memory of 1816	2912	Hbeghene.exe	Hjmoibog.exe
PID 1816 wrote to memory of 3076	1816	Hjmoibog.exe	Hmklen32.exe
PID 1816 wrote to memory of 3076	1816	Hjmoibog.exe	Hmklen32.exe
PID 1816 wrote to memory of 3076	1816	Hjmoibog.exe	Hmklen32.exe
PID 3076 wrote to memory of 2408	3076	Hmklen32.exe	Hcedaheh.exe
PID 3076 wrote to memory of 2408	3076	Hmklen32.exe	Hcedaheh.exe
PID 3076 wrote to memory of 2408	3076	Hmklen32.exe	Hcedaheh.exe
PID 2408 wrote to memory of 4436	2408	Hcedaheh.exe	Hfcpncdk.exe
PID 2408 wrote to memory of 4436	2408	Hcedaheh.exe	Hfcpncdk.exe
PID 2408 wrote to memory of 4436	2408	Hcedaheh.exe	Hfcpncdk.exe
PID 4436 wrote to memory of 2328	4436	Hfcpncdk.exe	Hmmhjm32.exe
PID 4436 wrote to memory of 2328	4436	Hfcpncdk.exe	Hmmhjm32.exe
PID 4436 wrote to memory of 2328	4436	Hfcpncdk.exe	Hmmhjm32.exe
PID 2328 wrote to memory of 1108	2328	Hmmhjm32.exe	Ipldfi32.exe
PID 2328 wrote to memory of 1108	2328	Hmmhjm32.exe	Ipldfi32.exe
PID 2328 wrote to memory of 1108	2328	Hmmhjm32.exe	Ipldfi32.exe
PID 1108 wrote to memory of 4696	1108	Ipldfi32.exe	Ibjqcd32.exe
PID 1108 wrote to memory of 4696	1108	Ipldfi32.exe	Ibjqcd32.exe
PID 1108 wrote to memory of 4696	1108	Ipldfi32.exe	Ibjqcd32.exe
PID 4696 wrote to memory of 4676	4696	Ibjqcd32.exe	Ijaida32.exe
PID 4696 wrote to memory of 4676	4696	Ibjqcd32.exe	Ijaida32.exe
PID 4696 wrote to memory of 4676	4696	Ibjqcd32.exe	Ijaida32.exe
PID 4676 wrote to memory of 1048	4676	Ijaida32.exe	Impepm32.exe
PID 4676 wrote to memory of 1048	4676	Ijaida32.exe	Impepm32.exe
PID 4676 wrote to memory of 1048	4676	Ijaida32.exe	Impepm32.exe
PID 1048 wrote to memory of 4872	1048	Impepm32.exe	Icjmmg32.exe
PID 1048 wrote to memory of 4872	1048	Impepm32.exe	Icjmmg32.exe
PID 1048 wrote to memory of 4872	1048	Impepm32.exe	Icjmmg32.exe
PID 4872 wrote to memory of 3456	4872	Icjmmg32.exe	Ijdeiaio.exe
PID 4872 wrote to memory of 3456	4872	Icjmmg32.exe	Ijdeiaio.exe
PID 4872 wrote to memory of 3456	4872	Icjmmg32.exe	Ijdeiaio.exe
PID 3456 wrote to memory of 1268	3456	Ijdeiaio.exe	Iannfk32.exe
PID 3456 wrote to memory of 1268	3456	Ijdeiaio.exe	Iannfk32.exe
PID 3456 wrote to memory of 1268	3456	Ijdeiaio.exe	Iannfk32.exe
PID 1268 wrote to memory of 2924	1268	Iannfk32.exe	Icljbg32.exe
PID 1268 wrote to memory of 2924	1268	Iannfk32.exe	Icljbg32.exe
PID 1268 wrote to memory of 2924	1268	Iannfk32.exe	Icljbg32.exe
PID 2924 wrote to memory of 1072	2924	Icljbg32.exe	Ifjfnb32.exe

C:\Users\Admin\AppData\Local\Temp\593676fa9e86e2baefcab6c33797eca0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\593676fa9e86e2baefcab6c33797eca0_NeikiAnalytics.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5092

C:\Windows\SysWOW64\Hpbaqj32.exe
C:\Windows\system32\Hpbaqj32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052

C:\Windows\SysWOW64\Hbanme32.exe
C:\Windows\system32\Hbanme32.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\SysWOW64\Hjhfnccl.exe
C:\Windows\system32\Hjhfnccl.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3956

C:\Windows\SysWOW64\Habnjm32.exe
C:\Windows\system32\Habnjm32.exe
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3372

C:\Windows\SysWOW64\Hpenfjad.exe
C:\Windows\system32\Hpenfjad.exe
6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2396

C:\Windows\SysWOW64\Hfofbd32.exe
C:\Windows\system32\Hfofbd32.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652

C:\Windows\SysWOW64\Hmioonpn.exe
C:\Windows\system32\Hmioonpn.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5000

C:\Windows\SysWOW64\Hbeghene.exe
C:\Windows\system32\Hbeghene.exe
9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2912

C:\Windows\SysWOW64\Hjmoibog.exe
C:\Windows\system32\Hjmoibog.exe
10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SysWOW64\Hmklen32.exe
C:\Windows\system32\Hmklen32.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3076

C:\Windows\SysWOW64\Hcedaheh.exe
C:\Windows\system32\Hcedaheh.exe
12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2408

C:\Windows\SysWOW64\Hfcpncdk.exe
C:\Windows\system32\Hfcpncdk.exe
13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4436

C:\Windows\SysWOW64\Hmmhjm32.exe
C:\Windows\system32\Hmmhjm32.exe
14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\SysWOW64\Ipldfi32.exe
C:\Windows\system32\Ipldfi32.exe
15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\SysWOW64\Ibjqcd32.exe
C:\Windows\system32\Ibjqcd32.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4696

C:\Windows\SysWOW64\Ijaida32.exe
C:\Windows\system32\Ijaida32.exe
17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676

C:\Windows\SysWOW64\Impepm32.exe
C:\Windows\system32\Impepm32.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\Icjmmg32.exe
C:\Windows\system32\Icjmmg32.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4872

C:\Windows\SysWOW64\Ijdeiaio.exe
C:\Windows\system32\Ijdeiaio.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3456

C:\Windows\SysWOW64\Iannfk32.exe
C:\Windows\system32\Iannfk32.exe
21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\SysWOW64\Icljbg32.exe
C:\Windows\system32\Icljbg32.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\SysWOW64\Ifjfnb32.exe
C:\Windows\system32\Ifjfnb32.exe
23⤵
- Executes dropped EXE
- Modifies registry class
PID:1072

C:\Windows\SysWOW64\Imdnklfp.exe
C:\Windows\system32\Imdnklfp.exe
24⤵
- Executes dropped EXE
PID:3908

C:\Windows\SysWOW64\Ipckgh32.exe
C:\Windows\system32\Ipckgh32.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1628

C:\Windows\SysWOW64\Iikopmkd.exe
C:\Windows\system32\Iikopmkd.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1556

C:\Windows\SysWOW64\Ipegmg32.exe
C:\Windows\system32\Ipegmg32.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3228

C:\Windows\SysWOW64\Ifopiajn.exe
C:\Windows\system32\Ifopiajn.exe
28⤵
- Executes dropped EXE
PID:1916

C:\Windows\SysWOW64\Imihfl32.exe
C:\Windows\system32\Imihfl32.exe
29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1852

C:\Windows\SysWOW64\Jaedgjjd.exe
C:\Windows\system32\Jaedgjjd.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1400

C:\Windows\SysWOW64\Jdcpcf32.exe
C:\Windows\system32\Jdcpcf32.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2708

C:\Windows\SysWOW64\Jjmhppqd.exe
C:\Windows\system32\Jjmhppqd.exe
32⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:316

C:\Windows\SysWOW64\Jmkdlkph.exe
C:\Windows\system32\Jmkdlkph.exe
33⤵
- Executes dropped EXE
- Modifies registry class
PID:4316

C:\Windows\SysWOW64\Jpjqhgol.exe
C:\Windows\system32\Jpjqhgol.exe
34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1604

C:\Windows\SysWOW64\Jjpeepnb.exe
C:\Windows\system32\Jjpeepnb.exe
35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:912

C:\Windows\SysWOW64\Jaimbj32.exe
C:\Windows\system32\Jaimbj32.exe
36⤵
- Executes dropped EXE
PID:1372

C:\Windows\SysWOW64\Jdhine32.exe
C:\Windows\system32\Jdhine32.exe
37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4716

C:\Windows\SysWOW64\Jfffjqdf.exe
C:\Windows\system32\Jfffjqdf.exe
38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5084

C:\Windows\SysWOW64\Jidbflcj.exe
C:\Windows\system32\Jidbflcj.exe
39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3832

C:\Windows\SysWOW64\Jaljgidl.exe
C:\Windows\system32\Jaljgidl.exe
40⤵
- Executes dropped EXE
PID:408

C:\Windows\SysWOW64\Jdjfcecp.exe
C:\Windows\system32\Jdjfcecp.exe
41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3644

C:\Windows\SysWOW64\Jkdnpo32.exe
C:\Windows\system32\Jkdnpo32.exe
42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2988

C:\Windows\SysWOW64\Jmbklj32.exe
C:\Windows\system32\Jmbklj32.exe
43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:872

C:\Windows\SysWOW64\Jdmcidam.exe
C:\Windows\system32\Jdmcidam.exe
44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3304

C:\Windows\SysWOW64\Jfkoeppq.exe
C:\Windows\system32\Jfkoeppq.exe
45⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3216

C:\Windows\SysWOW64\Jiikak32.exe
C:\Windows\system32\Jiikak32.exe
46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3020

C:\Windows\SysWOW64\Kdopod32.exe
C:\Windows\system32\Kdopod32.exe
47⤵
- Executes dropped EXE
- Modifies registry class
PID:2680

C:\Windows\SysWOW64\Kgmlkp32.exe
C:\Windows\system32\Kgmlkp32.exe
48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1236

C:\Windows\SysWOW64\Kilhgk32.exe
C:\Windows\system32\Kilhgk32.exe
49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2384

C:\Windows\SysWOW64\Kacphh32.exe
C:\Windows\system32\Kacphh32.exe
50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5076

C:\Windows\SysWOW64\Kbdmpqcb.exe
C:\Windows\system32\Kbdmpqcb.exe
51⤵
- Executes dropped EXE
PID:3508

C:\Windows\SysWOW64\Kgphpo32.exe
C:\Windows\system32\Kgphpo32.exe
52⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2668

C:\Windows\SysWOW64\Kinemkko.exe
C:\Windows\system32\Kinemkko.exe
53⤵
- Executes dropped EXE
- Modifies registry class
PID:4240

C:\Windows\SysWOW64\Kphmie32.exe
C:\Windows\system32\Kphmie32.exe
54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3968

C:\Windows\SysWOW64\Kbfiep32.exe
C:\Windows\system32\Kbfiep32.exe
55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4444

C:\Windows\SysWOW64\Kipabjil.exe
C:\Windows\system32\Kipabjil.exe
56⤵
- Executes dropped EXE
- Modifies registry class
PID:1308

C:\Windows\SysWOW64\Kagichjo.exe
C:\Windows\system32\Kagichjo.exe
57⤵
- Executes dropped EXE
- Modifies registry class
PID:4260

C:\Windows\SysWOW64\Kdffocib.exe
C:\Windows\system32\Kdffocib.exe
58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4636

C:\Windows\SysWOW64\Kgdbkohf.exe
C:\Windows\system32\Kgdbkohf.exe
59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4612

C:\Windows\SysWOW64\Kkpnlm32.exe
C:\Windows\system32\Kkpnlm32.exe
60⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4376

C:\Windows\SysWOW64\Kmnjhioc.exe
C:\Windows\system32\Kmnjhioc.exe
61⤵
- Executes dropped EXE
PID:2820

C:\Windows\SysWOW64\Kdhbec32.exe
C:\Windows\system32\Kdhbec32.exe
62⤵
- Executes dropped EXE
- Modifies registry class
PID:4780

C:\Windows\SysWOW64\Kgfoan32.exe
C:\Windows\system32\Kgfoan32.exe
63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2604

C:\Windows\SysWOW64\Lmqgnhmp.exe
C:\Windows\system32\Lmqgnhmp.exe
64⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5036

C:\Windows\SysWOW64\Lpocjdld.exe
C:\Windows\system32\Lpocjdld.exe
65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3328

C:\Windows\SysWOW64\Lcmofolg.exe
C:\Windows\system32\Lcmofolg.exe
66⤵
- Modifies registry class
PID:2432

C:\Windows\SysWOW64\Lkdggmlj.exe
C:\Windows\system32\Lkdggmlj.exe
67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:884

C:\Windows\SysWOW64\Lmccchkn.exe
C:\Windows\system32\Lmccchkn.exe
68⤵
- Modifies registry class
PID:3680

C:\Windows\SysWOW64\Lcpllo32.exe
C:\Windows\system32\Lcpllo32.exe
69⤵
- Modifies registry class
PID:4420

C:\Windows\SysWOW64\Lijdhiaa.exe
C:\Windows\system32\Lijdhiaa.exe
70⤵
- Modifies registry class
PID:3900

C:\Windows\SysWOW64\Laalifad.exe
C:\Windows\system32\Laalifad.exe
71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:4832

C:\Windows\SysWOW64\Lcbiao32.exe
C:\Windows\system32\Lcbiao32.exe
72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4336

C:\Windows\SysWOW64\Lkiqbl32.exe
C:\Windows\system32\Lkiqbl32.exe
73⤵
- Modifies registry class
PID:3704

C:\Windows\SysWOW64\Lilanioo.exe
C:\Windows\system32\Lilanioo.exe
74⤵
- Drops file in System32 directory
PID:2444

C:\Windows\SysWOW64\Lcdegnep.exe
C:\Windows\system32\Lcdegnep.exe
75⤵
PID:2972

C:\Windows\SysWOW64\Laefdf32.exe
C:\Windows\system32\Laefdf32.exe
76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3272

C:\Windows\SysWOW64\Lddbqa32.exe
C:\Windows\system32\Lddbqa32.exe
77⤵
- Modifies registry class
PID:2832

C:\Windows\SysWOW64\Lgbnmm32.exe
C:\Windows\system32\Lgbnmm32.exe
78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3980

C:\Windows\SysWOW64\Mjqjih32.exe
C:\Windows\system32\Mjqjih32.exe
79⤵
- Drops file in System32 directory
- Modifies registry class
PID:4092

C:\Windows\SysWOW64\Mahbje32.exe
C:\Windows\system32\Mahbje32.exe
80⤵
PID:3760

C:\Windows\SysWOW64\Mciobn32.exe
C:\Windows\system32\Mciobn32.exe
81⤵
- Drops file in System32 directory
PID:4644

C:\Windows\SysWOW64\Mkpgck32.exe
C:\Windows\system32\Mkpgck32.exe
82⤵
- Drops file in System32 directory
- Modifies registry class
PID:3856

C:\Windows\SysWOW64\Mnocof32.exe
C:\Windows\system32\Mnocof32.exe
83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3120

C:\Windows\SysWOW64\Mdiklqhm.exe
C:\Windows\system32\Mdiklqhm.exe
84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4300

C:\Windows\SysWOW64\Mcklgm32.exe
C:\Windows\system32\Mcklgm32.exe
85⤵
- Modifies registry class
PID:3068

C:\Windows\SysWOW64\Mjeddggd.exe
C:\Windows\system32\Mjeddggd.exe
86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2268

C:\Windows\SysWOW64\Mnapdf32.exe
C:\Windows\system32\Mnapdf32.exe
87⤵
- Drops file in System32 directory
- Modifies registry class
PID:916

C:\Windows\SysWOW64\Mcnhmm32.exe
C:\Windows\system32\Mcnhmm32.exe
88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3944

C:\Windows\SysWOW64\Mjhqjg32.exe
C:\Windows\system32\Mjhqjg32.exe
89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3392

C:\Windows\SysWOW64\Maohkd32.exe
C:\Windows\system32\Maohkd32.exe
90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5128

C:\Windows\SysWOW64\Mcpebmkb.exe
C:\Windows\system32\Mcpebmkb.exe
91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5172

C:\Windows\SysWOW64\Mglack32.exe
C:\Windows\system32\Mglack32.exe
92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5216

C:\Windows\SysWOW64\Mjjmog32.exe
C:\Windows\system32\Mjjmog32.exe
93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5260

C:\Windows\SysWOW64\Maaepd32.exe
C:\Windows\system32\Maaepd32.exe
94⤵
- Drops file in System32 directory
- Modifies registry class
PID:5304

C:\Windows\SysWOW64\Mdpalp32.exe
C:\Windows\system32\Mdpalp32.exe
95⤵
- Drops file in System32 directory
PID:5348

C:\Windows\SysWOW64\Mcbahlip.exe
C:\Windows\system32\Mcbahlip.exe
96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5392

C:\Windows\SysWOW64\Mgnnhk32.exe
C:\Windows\system32\Mgnnhk32.exe
97⤵
- Drops file in System32 directory
- Modifies registry class
PID:5428

C:\Windows\SysWOW64\Njljefql.exe
C:\Windows\system32\Njljefql.exe
98⤵
PID:5476

C:\Windows\SysWOW64\Nnhfee32.exe
C:\Windows\system32\Nnhfee32.exe
99⤵
- Modifies registry class
PID:5516

C:\Windows\SysWOW64\Nacbfdao.exe
C:\Windows\system32\Nacbfdao.exe
100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5564

C:\Windows\SysWOW64\Nklfoi32.exe
C:\Windows\system32\Nklfoi32.exe
101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5600

C:\Windows\SysWOW64\Nnjbke32.exe
C:\Windows\system32\Nnjbke32.exe
102⤵
- Drops file in System32 directory
- Modifies registry class
PID:5644

C:\Windows\SysWOW64\Nqiogp32.exe
C:\Windows\system32\Nqiogp32.exe
103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5684

C:\Windows\SysWOW64\Nddkgonp.exe
C:\Windows\system32\Nddkgonp.exe
104⤵
- Modifies registry class
PID:5732

C:\Windows\SysWOW64\Ngcgcjnc.exe
C:\Windows\system32\Ngcgcjnc.exe
105⤵
- Drops file in System32 directory
PID:5776

C:\Windows\SysWOW64\Nkncdifl.exe
C:\Windows\system32\Nkncdifl.exe
106⤵
PID:5816

C:\Windows\SysWOW64\Nnmopdep.exe
C:\Windows\system32\Nnmopdep.exe
107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5864

C:\Windows\SysWOW64\Nbhkac32.exe
C:\Windows\system32\Nbhkac32.exe
108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5908

C:\Windows\SysWOW64\Ndghmo32.exe
C:\Windows\system32\Ndghmo32.exe
109⤵
- Drops file in System32 directory
PID:5952

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
110⤵
PID:5984

C:\Windows\SysWOW64\Nkqpjidj.exe
C:\Windows\system32\Nkqpjidj.exe
111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:6040

C:\Windows\SysWOW64\Nnolfdcn.exe
C:\Windows\system32\Nnolfdcn.exe
112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6080

C:\Windows\SysWOW64\Nbkhfc32.exe
C:\Windows\system32\Nbkhfc32.exe
113⤵
- Drops file in System32 directory
- Modifies registry class
PID:6120

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
114⤵
PID:5068

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5192

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
116⤵
PID:5300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5300 -s 408
117⤵
- Program crash
PID:5528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5300 -ip 5300
1⤵
PID:5412

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Habnjm32.exe
Filesize
63KB

MD5
4802a931eddb73eafc6972a401262d14

SHA1
f22cfe6ce1f71ead12af99975e8492971a5be147

SHA256
e8eee2c07e909976c5ed971995adf90e0f9cde68e13a17a0b44a3d92a1ce7733

SHA512
a110cea8ebefab6b45325ab29ba6163d151ccdaf081d2dbf5d34ec46065f6af0aab532723595b51083459843ddb4f16055ef511304257c50b74c4b267f22026e

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe
Filesize
63KB

MD5
89c03a160f384d8f3edb1800896c410e

SHA1
ba1d9c9c15dcce2a4df8269c1f99028a3064440f

SHA256
7d8f27e55a864d2db32865d6a7c61e0af89d88866148eb8d0d1136e9953bfe1d

SHA512
f415633f04215ba8d6356b4ded556a967d07c2676bae7d98a521d07eff9bbeae6d0f8bf7f5820b0c49d48c082a7493bc344257492a14446c8ca6ead233de79f7

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe
Filesize
63KB

MD5
236273b77cd64882744a0a1854855439

SHA1
5b655afc4b785dddb70da4cbabafd0700de7def1

SHA256
73dec85b8a97fb66b332b251aaf415d47df0fc1d8a1968e779e0c5772de9a80b

SHA512
d6b270709a60e98985fa24ebd41043cc422af4cb6fd122ec5ec9b6f6c22ff17b995235a14dedff4c35787c9a49b32370f3e6a68231fef41a3d1976aaafa3e2c3

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe
Filesize
63KB

MD5
e2b2e4c315ca2b5fa62fa2552d0ca3bf

SHA1
74a9b007cd360752cef2b9228055d0a84a2d9a22

SHA256
6206728bff4d6b45e65e6307a4634cb4e8765129a65449097d0dbf642e4123e4

SHA512
918934bc50382be42a5ec65709b68ddc23974d611541e0131f76fd8bd4f77b410004ff3c0a2aba74b47aecbb5043178b103b1c2932264fa8e69bf4f596c4dfe8

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe
Filesize
63KB

MD5
8a22cc50fa0b31a5105197cdbe5d66bf

SHA1
e8aea201642cfef4a85b473fdc403da297280112

SHA256
5e93ec3af2871edd65d0540759e034596e2bd9facde507a88dd1c4c7933c7e22

SHA512
d240f406b977383161702745eaae88ce1847ac0c1c5fdd55c568e9ba1cc34e000f1f39f51c9f7166e75a2787096167cf504a18ba9eb3fe4c680dbd7f6aa2881e

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe
Filesize
63KB

MD5
bb2013c7a8afa1bec6bab99a52800946

SHA1
5d5f96157c97db5481747edbed024bd86849d56d

SHA256
6ad7f627ce3584a0d34a812d04e1f281203b53c1ac1151356c5942b7fe04e537

SHA512
a4ff17c7a6e9ec7fb73bcba2a7d87bcfa4556a21e52deee20bbb9b314ba644466c821cac27579c6ccae21d20fd2103dcb520de8309376cc378e429715a488109

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe
Filesize
63KB

MD5
da5a4a04512fef0065f81fb0a4c84862

SHA1
347045aef10723ad70f610751e204ff88ec4e351

SHA256
f516e31ecdca9fc96b4b7dc0bc64a57e4c71a5bf1e2eea78f2fb6b2bce5a0318

SHA512
de9a179b8e0a647395f5c27007ff98cffd0a065dbcdd0b2fa146505bf693c4dcaddff72af423446e1bffc44eefd07dec58d4e1721ff934b30f703fac381fa9ec

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe
Filesize
63KB

MD5
b12d3eacec14dc3839934fd1e4564b67

SHA1
4468526509b43735b869dd764d8567eff2b4d82e

SHA256
a073957024d1e9a73bff8fcb8f6a1d6dee26d5923f555de7ba6c9f9a666047cd

SHA512
4882b67bba13cf6a2ba11c6860fca5bc692281f993799269653954b70270e102db313129d68290af399eb22cab75faad8d0010c7db98f8fd01ef0ddd9cf4d562

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe
Filesize
63KB

MD5
6a612811ceb912ce6a3761ebf406109a

SHA1
5bf401298e394a2dec7532442f4520a2c42424ec

SHA256
07c17874477908d87c0bd65aee835495c08e7a095d3a55769ffa6565f110f58d

SHA512
e239b0f775b39c413f7b1ec2a77658bedea4fe5d7fd9e0a4da3183b66acef1c19d28a385ef3e546ff698ae2034f79d0aef081da51e713c31292210f04933ced7

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe
Filesize
63KB

MD5
295893f810679579889a683d12bc5844

SHA1
91cf9d1a04531f89faead31bf0d396e5898bdbd4

SHA256
cc449b9fc40d9b4e15e52409e9dde0205e1f82635cb6b2201de3059eb0a37c21

SHA512
2b44c3b9a28c2f2ff449e6c6e05f78ee865e392ef22a8b480d21b595c577aa47796766975d7219ae4d0a8e0cab2de6ba10f47a16b61115b9d3c080f79ea2087c

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe
Filesize
63KB

MD5
f195fa945744416a36f0bd01a622e7b4

SHA1
ac19e221d23ee7b8c6d1c2570ad99ebd3d383795

SHA256
2d563b271c7ea0636dbac9089bc59b4dd134a74f2febd33d1fc049ad53809c67

SHA512
d25081b27a0382c230b483fa26fe4b023ea046634f1b5da2c3d0d36c257b6c15f1280bbedd21024c5912058897dac5c0aa9315f3274d80494519ee348a2d1c60

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe
Filesize
63KB

MD5
6b952e8a565f4f530029c182f8090a7f

SHA1
ed136e32811cb04cf57b89ffe02ff7e99292cde6

SHA256
7c43c880c3e200e288bc6a05cb1dab60a32a23b51369a65430e41e9baad80d8d

SHA512
62e1045d0aedc282344ca2661962738b5977aeed8336c837fb51f56bf354b0d81aa9c4c60bf897e63a1458fe30a26405a1996614c6cb12451b1eac3cc23890be

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe
Filesize
63KB

MD5
98818dfe063fddedb3e7a531f1c187fe

SHA1
28b190a6f0f87f981dab1f772a34700a1fff31e8

SHA256
7fcbd2d95cb9c20212c28c64e552c31ca6c8164e6c9eb5821ee6aee199194d7d

SHA512
009a8b457e3684371b41b46b212096b3b7ae10d298c4c2517ae77749c181b1cda92f197aaf54dfd0ef0edbc2fda39c7f633af3ea316f0ec4d93bc391b8cb214c

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe
Filesize
63KB

MD5
33aa4af3909393d890d37238ceb41f2d

SHA1
aeb0c986acd66400e2b6402128a7343df82c37a0

SHA256
e9d646c855aece02a15c31e7d74f3f5ef86352b904f1b3fc1dc4e5cc901699d6

SHA512
061251a89b9ff0c671b441c9fce3d55b39556b76cbc55db9c55ed913e578e281bb875d783e430828380f625942d92dce186bbf0ed086a3b12c2fab2a09feca51

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe
Filesize
63KB

MD5
a4a152a19f7f1e9fb613ff81ccfdb62c

SHA1
7ba8dbcc362cec3fb2551ca1112ab3f40b6238be

SHA256
d68f4f4d76d8b6c68e56324c4aacb77a89086b1825469bd5c4458e4997a5f656

SHA512
3438d70c0796de4826df041205c3a555f57ac2307d2c0f7683f83b9c7a6759d7637be2bdcb55a2843694044d2c86b6c64dcde3081a063cd40d9e8cc6c7669743

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe
Filesize
63KB

MD5
0852dfe65590ebaca23f23bac8ce605c

SHA1
8ba0ce516495bd8e62f942eaffda02564abfaf2f

SHA256
c690da4d68b0a5bd8c8876e31c16cd0001f20d211a964d7e5dec3b29a29fb7af

SHA512
ee8f05ec4c3260ca9f509eac822d77e85e9ca1bef91a2c6cae6bf5cecb8b7fb8c470568c325933b6c6e38f19b11305e8d352d38610d8de035712b25a79e2a444

Download Submit
C:\Windows\SysWOW64\Icljbg32.exe
Filesize
63KB

MD5
b5a89e0d7ee346c7ec2b5412f5f24005

SHA1
37a7481fa01e2f7a431c707d774f0513fd125e47

SHA256
e86d2b465ec215e385fae7c15491bcd73cce2c342ca35cdcce2088803975da8d

SHA512
907b8a4cedbd7809d8a74ec567fa52a3c70fc6bd767d126ed495c6b95eb2c99b920ecb853c3ab35dc6f6c8794d0f0e94beeab0b6c6956eca8436b0d6845b173a

Download Submit
C:\Windows\SysWOW64\Ifjfnb32.exe
Filesize
63KB

MD5
ba6d65b685314616455f1c3bce1af9e9

SHA1
d2424bcf7cf8df43f8fcbc73d3e1c97ac2590d9c

SHA256
a78dc4cf59f8cdfc8078a74f217e800c2079937dcff4f1613d7d6b932b3af5b0

SHA512
c0f1ed3762016e70169d955fb38a60ceef56061f5ea71a69e70ace39797622699344d2f295bb4a32d6307a4f64b9099efad31a678f2873a3bc17a7fe905f7f62

Download Submit
C:\Windows\SysWOW64\Ifopiajn.exe
Filesize
63KB

MD5
ac45cfa500c9ba1bbef862cfc5a2d8ec

SHA1
37817624916f422b20079804552a8ede2df48e44

SHA256
17970b20525565598872837701dc42f0492fe9b6780cbe6b77443058cd291bb8

SHA512
ba045b8a9845e3bbc5674ee60df01f432df5d3b4465173ef8f1357da4644d944b38edc4a2faca59c1c62d95105cef6c9230ca38ba3234c481a48eddb8a5e0026

Download Submit
C:\Windows\SysWOW64\Iikopmkd.exe
Filesize
63KB

MD5
5ec9a3a3401909f6876906b92f6f1387

SHA1
afaa9feb9676b3a0c4f39a893dc12b94c80a276d

SHA256
89d87a727e65f28b01719a9f6f0d159c1933cd0b4b0a9a2ad6cfde926350ec7e

SHA512
374d6c2e994b979d8d48c89b87866f78919de0eae8a6e3adcb32f9ed18215aacf74bd2fd4d37594487eabb700268eb3acafb99bdea8b3012ff58c5881fea5bc3

Download Submit
C:\Windows\SysWOW64\Ijaida32.exe
Filesize
63KB

MD5
3e43c5f466d6f9188e946ddd9d77c3d2

SHA1
5fe2edb6d6b56734797e205eebdf9d98b98824f0

SHA256
533e76596362f72fd06ed6ed606d8386a05834d46930be19c3c3a3f7027d1885

SHA512
aaafc42924ea2fa17138f25198ac091e9b274b1b1cd0eaa4eaa93ea6510376938afd2150bf21c990d51747e97a48dfcce9c6c9a3af8d0d81940848f0e131151b

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe
Filesize
63KB

MD5
b72d4238f63d331307e6ea810ebba6cf

SHA1
b9e5a65c6cca7a052bc6d517cf5dedc85e6cc170

SHA256
f04b9dcc69b5a23e3de52dabe984ffe211e65de759fc07cde302e23b0fc677e0

SHA512
78ac3543ce4f1a222c8dd1b83dccf4bbd6e15409015b9808bb2e80b29a1e4964743fa2133cb9e758bf1e4f486b341ec70c8e5ceef12a317d6bad5efb5e6fe04a

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe
Filesize
63KB

MD5
76361f2b9eac96c5c43866d0fc086bf1

SHA1
a32434f5f2bbf67666c9b666fbabcc67f92baa57

SHA256
b7aa13218ad9af8afd0e301c57d903cfedf399852ac5900f53754aae267e960a

SHA512
68ad2db697a9efbec03a2eff1b149b29cc4217025184b28338fdf36ad06374a05208c8844bac6cdbb55f09495ce8c4558ae21d5b4512c0fc989d1594cf8b9d64

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe
Filesize
63KB

MD5
e0e81891e5a2d6bc827abc3a8dd4379b

SHA1
67ee2e65f7d2e5d2c890f48df5da471494fad663

SHA256
058a15583954a0f5ea6765a6fe08931ddd25be8f094a1309887ca34c7c4c6fc7

SHA512
0c261898c54917afa63995cecb26589a1e67e2650a65cf7246687ebec0fbd0435cc1b8e72e5c4bf42da00e8620cd4814d30730cd10dda26a14291fa18722222b

Download Submit
C:\Windows\SysWOW64\Impepm32.exe
Filesize
63KB

MD5
533ee82eaa0fbdbd13604cc2fefd9df7

SHA1
96d13ebd200b656dc8ae384f458d8dc6b296a656

SHA256
6c6e790a397658eff5104f525668ac6457ec92fab7d9a120100fb2b501dc8ed1

SHA512
0a7225c0de789a76e76df74057a5fd2e70e28f297dfa9b237f30b2066acf6750c1a5a488a34215623482f7cab42b1503a5ac06825eec7f665f80e7b0e4a19f47

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe
Filesize
63KB

MD5
b832fd3627d5b62ed9bc47107536bc47

SHA1
b0517c9d9ab0bdbbfd1bb5a0ead6abbb579d1c8a

SHA256
65bbf335c36707fbf019ce40c9beabe7db3ac1e8f46023203af17914ea70ab95

SHA512
c68a9d1069530e20bf017a929962d5af8f4179c1652649432cfb68d3825252a6aabcf5724bf3576e2867d96b12418bc4742dea5161d8f89cff3df944a8a478fe

Download Submit
C:\Windows\SysWOW64\Ipegmg32.exe
Filesize
63KB

MD5
c24f1a8631f098559827b24bf939960e

SHA1
a4068381a69d3c50284ef799cb916ef7997a7587

SHA256
884b9e88fdd5ef3dadc41a6d1037bd0a24d135a96b9b8ce0ed49bef998180f63

SHA512
ee0cd232375d0e44a2947ee4e101259e9a9b62a0f8dc5496d02d7f2a5fe32561c2015260cfcb4b9dd734fc7bca221163de71a5c8630040097bb401de5fc62e9f

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe
Filesize
63KB

MD5
12ff0f6f4acc6c44e3c63d7998df410e

SHA1
251e0fd21b3c05cbb8ebdb960e4c1b93a00cdbd5

SHA256
245804cc2791d4860ecf83731a33caf399597342622f5f7e7983ae2ad5ac60fe

SHA512
a326674c6f48571e8aab63caf716ba7eb54e84d393243ddea3f0dea543d9bd69bf096e2bdc0f7558015b69fa4872af011987eeb34304c1e20e3daa6df8b2b149

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe
Filesize
63KB

MD5
da226059a5e848a475a8560fadef6b05

SHA1
e989f13a498014dc805e916f90d4185894a8832d

SHA256
918502bda0cc7eb5991855eeaae0f387e9f76c8306f10c7e62a00b872568bc30

SHA512
e1a8b54611c60f41eb95c70f0c60262a43d55a39db0344a79df225a88a33c3bdeaa6ca9f641935433e0f8bb2bd6d78fa918dffeda5ea4f9329662952152bdfef

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe
Filesize
63KB

MD5
d1f70f747b988c10832ca5de8ab86acb

SHA1
8b6b2301626b5c8fa1770e9242189a9ae69a5947

SHA256
95df5a92d828a7ba50a065f6d2dcb8ab365a1bfca60d8c5edcf547b052c36814

SHA512
d204ddfe384a213e9d77e9a600b68bd8c2e16e86d5c843f7ca460cf1091fbaa846e76a54b55a0c8dd567ab830b2148fdca86ae11df2b5262ebedb2eff405f25f

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe
Filesize
63KB

MD5
e3c748290aa922189a5284ae87762680

SHA1
55302b1c59aefca4b55b93890ce6cdba97d10915

SHA256
eaa1c907e5b7f536c65a5bd9b1f2d57f110eab430aa0c0c0e4006c3aaf047389

SHA512
6321ac332aa23b94064ef25fe498f66e80e73e6ea57c9f618279aadc787d8e0aa2d062be4c9527f8f8654291f968f0ec313c0a68c56a941cf03dc1886b708c1c

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe
Filesize
63KB

MD5
37979edb343e108d565d1068972d926a

SHA1
423d5b0ea07b845cb0234694e3b0fa56d3da6d62

SHA256
a98a0bb882039e5327900425c22f1032551c7550cacfb2d695df65560594c907

SHA512
5a72b1836301b4812c57c96fe2fc0da1b4e4b51ac6ad3435aa2c96eefd8ebf27e1c80a9350773ebf6bff2beecc56920ff2e84467abb0ef00f6443d8a91f01021

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe
Filesize
63KB

MD5
f4b78872a00d53f70de239d4335e0a87

SHA1
6f364c2a7d4579740cc9ea46f357eb573cbc625c

SHA256
74d69debe1c10d8f9184c0c2039c1250c8f2f1cf432df7adfad9ebc65de8fad4

SHA512
474a411a7ce0822d39e0cda5e8cf4ee14427f357ea88141d7b2078edb436d75dd366065c9a67172162fb7e3a19ff25fb8ff3e7ab41988b7589ec9d06d0068638

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe
Filesize
63KB

MD5
593c24a0cd8df9e956225c72d108d16d

SHA1
4f9c23ff679b531fbae7c9ed4fb2409250c887d7

SHA256
0595bb3898b0f16ebce4230fbcef3401a8aed7148ce6df72e0e7c45a3cb60ef0

SHA512
8201da6cbf8ae41f9114d19a91ac438e5964972584a4a65eb073d80a630140edd6c9dd6fef716bec1d04ffb219c2d23b5c5e670f1d522ba9637b6c70612ed60c

Download Submit
memory/316-254-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/408-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/872-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/884-464-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/912-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/916-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1048-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1072-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1108-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1236-351-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1260-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1260-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1268-165-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1308-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1372-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1400-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1556-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1604-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1628-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1816-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1852-229-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1916-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-583-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2328-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2384-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2396-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2408-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2444-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2604-864-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2604-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2680-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-866-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2832-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-599-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2924-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2988-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3020-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3052-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3052-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3068-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3076-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3120-560-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3216-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3228-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3272-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3304-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3328-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3372-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3456-158-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3508-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3644-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3652-585-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3652-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3680-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3704-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3704-846-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3760-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3832-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3856-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3900-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3908-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3944-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3956-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3956-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3968-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3980-531-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4092-537-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4240-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4260-871-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4260-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4300-567-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4316-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4336-491-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4376-423-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4420-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4436-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4444-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4612-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4612-868-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4636-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4644-546-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4676-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4696-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4716-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4780-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4832-489-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4872-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5000-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5000-592-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5036-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5076-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5084-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5092-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5092-543-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5092-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/5172-818-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5216-817-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5516-807-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5600-805-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download