0b12d79d944342b869e0aa50c383f8374d2105495cd445f3420e02501cdf8d30

Analysis

max time kernel
130s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 23:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bb744bb24ecae9c9d4afc3b0725a540_NeikiAnalytics.exe
Size

336KB
MD5

5bb744bb24ecae9c9d4afc3b0725a540
SHA1

6d294ca174a7871e1209f57254d38c985a0d09b6
SHA256

0b12d79d944342b869e0aa50c383f8374d2105495cd445f3420e02501cdf8d30
SHA512

f72b1a1512814aaa5e82c234a3cfb4aef9e6fb5005aa577d3e98e6c69117f18f78f781a21252852eb27b25d8b95fb16a5999a72f574193b7347381e433ee6d57
SSDEEP

6144:utEZSV5q+owv7aOl3BzrUmKyIxLfYeOO9UmKyIxLiajOE:uSl+oi7aOlxzr3cOK3Taj

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Jiikak32.exeKbdmpqcb.exeLgpagm32.exeLphfpbdi.exeGjclbc32.exeJbkjjblm.exeIjhodq32.exeLiggbi32.exeNkncdifl.exeLcbiao32.exeMnlfigcc.exeMgidml32.exeJibeql32.exeLkiqbl32.exeMamleegg.exeLdmlpbbj.exeKibnhjgj.exeMgghhlhq.exeNnmopdep.exeJaedgjjd.exeIdacmfkj.exeJigollag.exeKpepcedo.exeIpnalhii.exeIbjqcd32.exeHabnjm32.exeLpocjdld.exeMpmokb32.exeLpfijcfl.exeMkpgck32.exeImbaemhc.exeImpepm32.exeIfopiajn.exeJdcpcf32.exeKinemkko.exeKmlnbi32.exeKpmfddnf.exeMdfofakp.exeJbmfoa32.exeLcmofolg.exeLgkhlnbn.exeLnjjdgee.exeIpckgh32.exeIpqnahgf.exeImdnklfp.exeNqfbaq32.exeMaohkd32.exeKpjjod32.exeKajfig32.exeLcgblncm.exeNcihikcg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Impepm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe

Executes dropped EXE 64 IoCs

Processes:

Gjclbc32.exeHclakimb.exeHboagf32.exeHmdedo32.exeHjhfnccl.exeHabnjm32.exeHibljoco.exeIbjqcd32.exeImpepm32.exeIpnalhii.exeImbaemhc.exeIpqnahgf.exeIfjfnb32.exeIjfboafl.exeImdnklfp.exeIpckgh32.exeIjhodq32.exeIdacmfkj.exeIfopiajn.exeIinlemia.exeJaedgjjd.exeJdcpcf32.exeJjmhppqd.exeJagqlj32.exeJibeql32.exeJbkjjblm.exeJmpngk32.exeJbmfoa32.exeJigollag.exeJmbklj32.exeJiikak32.exeKdopod32.exeKkihknfg.exeKmgdgjek.exeKpepcedo.exeKbdmpqcb.exeKgphpo32.exeKinemkko.exeKaemnhla.exeKdcijcke.exeKbfiep32.exeKknafn32.exeKmlnbi32.exeKpjjod32.exeKdffocib.exeKkpnlm32.exeKibnhjgj.exeKajfig32.exeKpmfddnf.exeKckbqpnj.exeLiekmj32.exeLalcng32.exeLpocjdld.exeLcmofolg.exeLkdggmlj.exeLiggbi32.exeLaopdgcg.exeLdmlpbbj.exeLgkhlnbn.exeLnepih32.exeLpcmec32.exeLcbiao32.exeLkiqbl32.exeLpfijcfl.exe

pid	process
1160	Gjclbc32.exe
3924	Hclakimb.exe
2660	Hboagf32.exe
1548	Hmdedo32.exe
1528	Hjhfnccl.exe
3504	Habnjm32.exe
2216	Hibljoco.exe
5048	Ibjqcd32.exe
60	Impepm32.exe
3516	Ipnalhii.exe
1832	Imbaemhc.exe
4336	Ipqnahgf.exe
4360	Ifjfnb32.exe
1416	Ijfboafl.exe
4856	Imdnklfp.exe
2996	Ipckgh32.exe
3792	Ijhodq32.exe
2520	Idacmfkj.exe
2560	Ifopiajn.exe
2252	Iinlemia.exe
1712	Jaedgjjd.exe
4572	Jdcpcf32.exe
4580	Jjmhppqd.exe
4820	Jagqlj32.exe
2912	Jibeql32.exe
4564	Jbkjjblm.exe
4344	Jmpngk32.exe
4880	Jbmfoa32.exe
4296	Jigollag.exe
5072	Jmbklj32.exe
3388	Jiikak32.exe
1252	Kdopod32.exe
4168	Kkihknfg.exe
1488	Kmgdgjek.exe
4500	Kpepcedo.exe
2776	Kbdmpqcb.exe
2364	Kgphpo32.exe
2576	Kinemkko.exe
3928	Kaemnhla.exe
4076	Kdcijcke.exe
2760	Kbfiep32.exe
4392	Kknafn32.exe
4644	Kmlnbi32.exe
3784	Kpjjod32.exe
2264	Kdffocib.exe
3580	Kkpnlm32.exe
4684	Kibnhjgj.exe
392	Kajfig32.exe
4332	Kpmfddnf.exe
3540	Kckbqpnj.exe
2656	Liekmj32.exe
2452	Lalcng32.exe
3328	Lpocjdld.exe
2180	Lcmofolg.exe
3008	Lkdggmlj.exe
1744	Liggbi32.exe
2640	Laopdgcg.exe
2884	Ldmlpbbj.exe
3592	Lgkhlnbn.exe
2908	Lnepih32.exe
432	Lpcmec32.exe
3636	Lcbiao32.exe
1980	Lkiqbl32.exe
4284	Lpfijcfl.exe

Drops file in System32 directory 64 IoCs

Processes:

Gjclbc32.exeHclakimb.exeIdacmfkj.exeJmbklj32.exeKpepcedo.exeLalcng32.exeLphfpbdi.exeNqklmpdd.exeKmgdgjek.exeLiekmj32.exeLkdggmlj.exeMkpgck32.exeMdkhapfj.exeMcpebmkb.exeNjljefql.exeNcihikcg.exeIpckgh32.exeKmlnbi32.exeLnepih32.exeNafokcol.exeImbaemhc.exeKinemkko.exeKaemnhla.exeLiggbi32.exeLcmofolg.exeIjfboafl.exeIfopiajn.exeJagqlj32.exeKkihknfg.exeMgghhlhq.exeMaohkd32.exeMkgmcjld.exeHmdedo32.exeKdopod32.exeKajfig32.exeKpmfddnf.exeJbmfoa32.exeLkiqbl32.exeIpnalhii.exeImdnklfp.exe5bb744bb24ecae9c9d4afc3b0725a540_NeikiAnalytics.exeKgphpo32.exeKckbqpnj.exeMnlfigcc.exeNqmhbpba.exeNdidbn32.exeIinlemia.exeKdffocib.exeLpcmec32.exeLgpagm32.exeMgnnhk32.exeMkbchk32.exeNkqpjidj.exeIbjqcd32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Hclakimb.exe	Gjclbc32.exe
File created	C:\Windows\SysWOW64\Eagncfoj.dll	Hclakimb.exe
File created	C:\Windows\SysWOW64\Ifopiajn.exe	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Jiikak32.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Ojmmkpmf.dll	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Kpepcedo.exe	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Liekmj32.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Ijhodq32.exe	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Kpjjod32.exe	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Ipqnahgf.exe	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Kdcijcke.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Ekmihm32.dll	Ijfboafl.exe
File created	C:\Windows\SysWOW64\Iinlemia.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Bclhoo32.dll	Jagqlj32.exe
File opened for modification	C:\Windows\SysWOW64\Kmgdgjek.exe	Kkihknfg.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Ibilnj32.dll	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Kkihknfg.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kajfig32.exe
File created	C:\Windows\SysWOW64\Jplifcqp.dll	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Jigollag.exe	Jbmfoa32.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Imbaemhc.exe	Ipnalhii.exe
File created	C:\Windows\SysWOW64\Ikjmhmfd.dll	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Gjclbc32.exe	5bb744bb24ecae9c9d4afc3b0725a540_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Kinemkko.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Gbledndp.dll	Iinlemia.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Cgkghl32.dll	Gjclbc32.exe
File opened for modification	C:\Windows\SysWOW64\Jibeql32.exe	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Impepm32.exe	Ibjqcd32.exe
File created	C:\Windows\SysWOW64\Jflepa32.dll	Jmbklj32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

6060 5892 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
6060	5892	WerFault.exe	Nkcmohbg.exe

Modifies registry class 64 IoCs

Processes:

Kckbqpnj.exeLaopdgcg.exeJaedgjjd.exeJagqlj32.exeJibeql32.exeJbmfoa32.exeKmgdgjek.exeLgpagm32.exeMgekbljc.exeNjljefql.exeGjclbc32.exeIfjfnb32.exeLpocjdld.exeNafokcol.exeMnfipekh.exeJmbklj32.exeJiikak32.exeLalcng32.exeLpfijcfl.exeLnjjdgee.exeKkihknfg.exeKpepcedo.exeNnmopdep.exeKkpnlm32.exeLpcmec32.exeMaohkd32.exeNqklmpdd.exeIbjqcd32.exeIdacmfkj.exeKgphpo32.exeKajfig32.exeMjqjih32.exeMkpgck32.exeNkncdifl.exeMkbchk32.exe5bb744bb24ecae9c9d4afc3b0725a540_NeikiAnalytics.exeIinlemia.exeLcmofolg.exeMdfofakp.exeNceonl32.exeKaemnhla.exeMkgmcjld.exeKpjjod32.exeKpmfddnf.exeMpmokb32.exeIjfboafl.exeKbfiep32.exeKknafn32.exeMnlfigcc.exeNdidbn32.exeLkiqbl32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgiacnii.dll"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclhoo32.dll"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibimpp32.dll"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmmkpmf.dll"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmpfpdoi.dll"	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	5bb744bb24ecae9c9d4afc3b0725a540_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpkbc32.dll"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lkiqbl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5bb744bb24ecae9c9d4afc3b0725a540_NeikiAnalytics.exeGjclbc32.exeHclakimb.exeHboagf32.exeHmdedo32.exeHjhfnccl.exeHabnjm32.exeHibljoco.exeIbjqcd32.exeImpepm32.exeIpnalhii.exeImbaemhc.exeIpqnahgf.exeIfjfnb32.exeIjfboafl.exeImdnklfp.exeIpckgh32.exeIjhodq32.exeIdacmfkj.exeIfopiajn.exeIinlemia.exeJaedgjjd.exe

description	pid	process	target process
PID 2204 wrote to memory of 1160	2204	5bb744bb24ecae9c9d4afc3b0725a540_NeikiAnalytics.exe	Gjclbc32.exe
PID 2204 wrote to memory of 1160	2204	5bb744bb24ecae9c9d4afc3b0725a540_NeikiAnalytics.exe	Gjclbc32.exe
PID 2204 wrote to memory of 1160	2204	5bb744bb24ecae9c9d4afc3b0725a540_NeikiAnalytics.exe	Gjclbc32.exe
PID 1160 wrote to memory of 3924	1160	Gjclbc32.exe	Hclakimb.exe
PID 1160 wrote to memory of 3924	1160	Gjclbc32.exe	Hclakimb.exe
PID 1160 wrote to memory of 3924	1160	Gjclbc32.exe	Hclakimb.exe
PID 3924 wrote to memory of 2660	3924	Hclakimb.exe	Hboagf32.exe
PID 3924 wrote to memory of 2660	3924	Hclakimb.exe	Hboagf32.exe
PID 3924 wrote to memory of 2660	3924	Hclakimb.exe	Hboagf32.exe
PID 2660 wrote to memory of 1548	2660	Hboagf32.exe	Hmdedo32.exe
PID 2660 wrote to memory of 1548	2660	Hboagf32.exe	Hmdedo32.exe
PID 2660 wrote to memory of 1548	2660	Hboagf32.exe	Hmdedo32.exe
PID 1548 wrote to memory of 1528	1548	Hmdedo32.exe	Hjhfnccl.exe
PID 1548 wrote to memory of 1528	1548	Hmdedo32.exe	Hjhfnccl.exe
PID 1548 wrote to memory of 1528	1548	Hmdedo32.exe	Hjhfnccl.exe
PID 1528 wrote to memory of 3504	1528	Hjhfnccl.exe	Habnjm32.exe
PID 1528 wrote to memory of 3504	1528	Hjhfnccl.exe	Habnjm32.exe
PID 1528 wrote to memory of 3504	1528	Hjhfnccl.exe	Habnjm32.exe
PID 3504 wrote to memory of 2216	3504	Habnjm32.exe	Hibljoco.exe
PID 3504 wrote to memory of 2216	3504	Habnjm32.exe	Hibljoco.exe
PID 3504 wrote to memory of 2216	3504	Habnjm32.exe	Hibljoco.exe
PID 2216 wrote to memory of 5048	2216	Hibljoco.exe	Ibjqcd32.exe
PID 2216 wrote to memory of 5048	2216	Hibljoco.exe	Ibjqcd32.exe
PID 2216 wrote to memory of 5048	2216	Hibljoco.exe	Ibjqcd32.exe
PID 5048 wrote to memory of 60	5048	Ibjqcd32.exe	Impepm32.exe
PID 5048 wrote to memory of 60	5048	Ibjqcd32.exe	Impepm32.exe
PID 5048 wrote to memory of 60	5048	Ibjqcd32.exe	Impepm32.exe
PID 60 wrote to memory of 3516	60	Impepm32.exe	Ipnalhii.exe
PID 60 wrote to memory of 3516	60	Impepm32.exe	Ipnalhii.exe
PID 60 wrote to memory of 3516	60	Impepm32.exe	Ipnalhii.exe
PID 3516 wrote to memory of 1832	3516	Ipnalhii.exe	Imbaemhc.exe
PID 3516 wrote to memory of 1832	3516	Ipnalhii.exe	Imbaemhc.exe
PID 3516 wrote to memory of 1832	3516	Ipnalhii.exe	Imbaemhc.exe
PID 1832 wrote to memory of 4336	1832	Imbaemhc.exe	Ipqnahgf.exe
PID 1832 wrote to memory of 4336	1832	Imbaemhc.exe	Ipqnahgf.exe
PID 1832 wrote to memory of 4336	1832	Imbaemhc.exe	Ipqnahgf.exe
PID 4336 wrote to memory of 4360	4336	Ipqnahgf.exe	Ifjfnb32.exe
PID 4336 wrote to memory of 4360	4336	Ipqnahgf.exe	Ifjfnb32.exe
PID 4336 wrote to memory of 4360	4336	Ipqnahgf.exe	Ifjfnb32.exe
PID 4360 wrote to memory of 1416	4360	Ifjfnb32.exe	Ijfboafl.exe
PID 4360 wrote to memory of 1416	4360	Ifjfnb32.exe	Ijfboafl.exe
PID 4360 wrote to memory of 1416	4360	Ifjfnb32.exe	Ijfboafl.exe
PID 1416 wrote to memory of 4856	1416	Ijfboafl.exe	Imdnklfp.exe
PID 1416 wrote to memory of 4856	1416	Ijfboafl.exe	Imdnklfp.exe
PID 1416 wrote to memory of 4856	1416	Ijfboafl.exe	Imdnklfp.exe
PID 4856 wrote to memory of 2996	4856	Imdnklfp.exe	Ipckgh32.exe
PID 4856 wrote to memory of 2996	4856	Imdnklfp.exe	Ipckgh32.exe
PID 4856 wrote to memory of 2996	4856	Imdnklfp.exe	Ipckgh32.exe
PID 2996 wrote to memory of 3792	2996	Ipckgh32.exe	Ijhodq32.exe
PID 2996 wrote to memory of 3792	2996	Ipckgh32.exe	Ijhodq32.exe
PID 2996 wrote to memory of 3792	2996	Ipckgh32.exe	Ijhodq32.exe
PID 3792 wrote to memory of 2520	3792	Ijhodq32.exe	Idacmfkj.exe
PID 3792 wrote to memory of 2520	3792	Ijhodq32.exe	Idacmfkj.exe
PID 3792 wrote to memory of 2520	3792	Ijhodq32.exe	Idacmfkj.exe
PID 2520 wrote to memory of 2560	2520	Idacmfkj.exe	Ifopiajn.exe
PID 2520 wrote to memory of 2560	2520	Idacmfkj.exe	Ifopiajn.exe
PID 2520 wrote to memory of 2560	2520	Idacmfkj.exe	Ifopiajn.exe
PID 2560 wrote to memory of 2252	2560	Ifopiajn.exe	Iinlemia.exe
PID 2560 wrote to memory of 2252	2560	Ifopiajn.exe	Iinlemia.exe
PID 2560 wrote to memory of 2252	2560	Ifopiajn.exe	Iinlemia.exe
PID 2252 wrote to memory of 1712	2252	Iinlemia.exe	Jaedgjjd.exe
PID 2252 wrote to memory of 1712	2252	Iinlemia.exe	Jaedgjjd.exe
PID 2252 wrote to memory of 1712	2252	Iinlemia.exe	Jaedgjjd.exe
PID 1712 wrote to memory of 4572	1712	Jaedgjjd.exe	Jdcpcf32.exe

C:\Users\Admin\AppData\Local\Temp\5bb744bb24ecae9c9d4afc3b0725a540_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5bb744bb24ecae9c9d4afc3b0725a540_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\SysWOW64\Gjclbc32.exe
C:\Windows\system32\Gjclbc32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\SysWOW64\Hclakimb.exe
C:\Windows\system32\Hclakimb.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3924

C:\Windows\SysWOW64\Hboagf32.exe
C:\Windows\system32\Hboagf32.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\SysWOW64\Hmdedo32.exe
C:\Windows\system32\Hmdedo32.exe
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\SysWOW64\Hjhfnccl.exe
C:\Windows\system32\Hjhfnccl.exe
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\SysWOW64\Habnjm32.exe
C:\Windows\system32\Habnjm32.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504

C:\Windows\SysWOW64\Hibljoco.exe
C:\Windows\system32\Hibljoco.exe
8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216

C:\Windows\SysWOW64\Ibjqcd32.exe
C:\Windows\system32\Ibjqcd32.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5048

C:\Windows\SysWOW64\Impepm32.exe
C:\Windows\system32\Impepm32.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:60

C:\Windows\SysWOW64\Ipnalhii.exe
C:\Windows\system32\Ipnalhii.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3516

C:\Windows\SysWOW64\Imbaemhc.exe
C:\Windows\system32\Imbaemhc.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\SysWOW64\Ipqnahgf.exe
C:\Windows\system32\Ipqnahgf.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4336

C:\Windows\SysWOW64\Ifjfnb32.exe
C:\Windows\system32\Ifjfnb32.exe
14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4360

C:\Windows\SysWOW64\Ijfboafl.exe
C:\Windows\system32\Ijfboafl.exe
15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\SysWOW64\Imdnklfp.exe
C:\Windows\system32\Imdnklfp.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4856

C:\Windows\SysWOW64\Ipckgh32.exe
C:\Windows\system32\Ipckgh32.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2996

C:\Windows\SysWOW64\Ijhodq32.exe
C:\Windows\system32\Ijhodq32.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3792

C:\Windows\SysWOW64\Idacmfkj.exe
C:\Windows\system32\Idacmfkj.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\SysWOW64\Ifopiajn.exe
C:\Windows\system32\Ifopiajn.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\SysWOW64\Iinlemia.exe
C:\Windows\system32\Iinlemia.exe
21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\SysWOW64\Jaedgjjd.exe
C:\Windows\system32\Jaedgjjd.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\Jdcpcf32.exe
C:\Windows\system32\Jdcpcf32.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4572

C:\Windows\SysWOW64\Jjmhppqd.exe
C:\Windows\system32\Jjmhppqd.exe
24⤵
- Executes dropped EXE
PID:4580

C:\Windows\SysWOW64\Jagqlj32.exe
C:\Windows\system32\Jagqlj32.exe
25⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4820

C:\Windows\SysWOW64\Jibeql32.exe
C:\Windows\system32\Jibeql32.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2912

C:\Windows\SysWOW64\Jbkjjblm.exe
C:\Windows\system32\Jbkjjblm.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4564

C:\Windows\SysWOW64\Jmpngk32.exe
C:\Windows\system32\Jmpngk32.exe
28⤵
- Executes dropped EXE
PID:4344

C:\Windows\SysWOW64\Jbmfoa32.exe
C:\Windows\system32\Jbmfoa32.exe
29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4880

C:\Windows\SysWOW64\Jigollag.exe
C:\Windows\system32\Jigollag.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4296

C:\Windows\SysWOW64\Jmbklj32.exe
C:\Windows\system32\Jmbklj32.exe
31⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5072

C:\Windows\SysWOW64\Jiikak32.exe
C:\Windows\system32\Jiikak32.exe
32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3388

C:\Windows\SysWOW64\Kdopod32.exe
C:\Windows\system32\Kdopod32.exe
33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1252

C:\Windows\SysWOW64\Kkihknfg.exe
C:\Windows\system32\Kkihknfg.exe
34⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4168

C:\Windows\SysWOW64\Kmgdgjek.exe
C:\Windows\system32\Kmgdgjek.exe
35⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1488

C:\Windows\SysWOW64\Kpepcedo.exe
C:\Windows\system32\Kpepcedo.exe
36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4500

C:\Windows\SysWOW64\Kbdmpqcb.exe
C:\Windows\system32\Kbdmpqcb.exe
37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2776

C:\Windows\SysWOW64\Kgphpo32.exe
C:\Windows\system32\Kgphpo32.exe
38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2364

C:\Windows\SysWOW64\Kinemkko.exe
C:\Windows\system32\Kinemkko.exe
39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2576

C:\Windows\SysWOW64\Kaemnhla.exe
C:\Windows\system32\Kaemnhla.exe
40⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3928

C:\Windows\SysWOW64\Kdcijcke.exe
C:\Windows\system32\Kdcijcke.exe
41⤵
- Executes dropped EXE
PID:4076

C:\Windows\SysWOW64\Kbfiep32.exe
C:\Windows\system32\Kbfiep32.exe
42⤵
- Executes dropped EXE
- Modifies registry class
PID:2760

C:\Windows\SysWOW64\Kknafn32.exe
C:\Windows\system32\Kknafn32.exe
43⤵
- Executes dropped EXE
- Modifies registry class
PID:4392

C:\Windows\SysWOW64\Kmlnbi32.exe
C:\Windows\system32\Kmlnbi32.exe
44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4644

C:\Windows\SysWOW64\Kpjjod32.exe
C:\Windows\system32\Kpjjod32.exe
45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3784

C:\Windows\SysWOW64\Kdffocib.exe
C:\Windows\system32\Kdffocib.exe
46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2264

C:\Windows\SysWOW64\Kkpnlm32.exe
C:\Windows\system32\Kkpnlm32.exe
47⤵
- Executes dropped EXE
- Modifies registry class
PID:3580

C:\Windows\SysWOW64\Kibnhjgj.exe
C:\Windows\system32\Kibnhjgj.exe
48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4684

C:\Windows\SysWOW64\Kajfig32.exe
C:\Windows\system32\Kajfig32.exe
49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:392

C:\Windows\SysWOW64\Kpmfddnf.exe
C:\Windows\system32\Kpmfddnf.exe
50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4332

C:\Windows\SysWOW64\Kckbqpnj.exe
C:\Windows\system32\Kckbqpnj.exe
51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3540

C:\Windows\SysWOW64\Liekmj32.exe
C:\Windows\system32\Liekmj32.exe
52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2656

C:\Windows\SysWOW64\Lalcng32.exe
C:\Windows\system32\Lalcng32.exe
53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2452

C:\Windows\SysWOW64\Lpocjdld.exe
C:\Windows\system32\Lpocjdld.exe
54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3328

C:\Windows\SysWOW64\Lcmofolg.exe
C:\Windows\system32\Lcmofolg.exe
55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2180

C:\Windows\SysWOW64\Lkdggmlj.exe
C:\Windows\system32\Lkdggmlj.exe
56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3008

C:\Windows\SysWOW64\Liggbi32.exe
C:\Windows\system32\Liggbi32.exe
57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1744

C:\Windows\SysWOW64\Laopdgcg.exe
C:\Windows\system32\Laopdgcg.exe
58⤵
- Executes dropped EXE
- Modifies registry class
PID:2640

C:\Windows\SysWOW64\Ldmlpbbj.exe
C:\Windows\system32\Ldmlpbbj.exe
59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2884

C:\Windows\SysWOW64\Lgkhlnbn.exe
C:\Windows\system32\Lgkhlnbn.exe
60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3592

C:\Windows\SysWOW64\Lnepih32.exe
C:\Windows\system32\Lnepih32.exe
61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2908

C:\Windows\SysWOW64\Lpcmec32.exe
C:\Windows\system32\Lpcmec32.exe
62⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:432

C:\Windows\SysWOW64\Lcbiao32.exe
C:\Windows\system32\Lcbiao32.exe
63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3636

C:\Windows\SysWOW64\Lkiqbl32.exe
C:\Windows\system32\Lkiqbl32.exe
64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1980

C:\Windows\SysWOW64\Lpfijcfl.exe
C:\Windows\system32\Lpfijcfl.exe
65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4284

C:\Windows\SysWOW64\Lgpagm32.exe
C:\Windows\system32\Lgpagm32.exe
66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3168

C:\Windows\SysWOW64\Lnjjdgee.exe
C:\Windows\system32\Lnjjdgee.exe
67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5080

C:\Windows\SysWOW64\Lphfpbdi.exe
C:\Windows\system32\Lphfpbdi.exe
68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3184

C:\Windows\SysWOW64\Lcgblncm.exe
C:\Windows\system32\Lcgblncm.exe
69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2024

C:\Windows\SysWOW64\Mjqjih32.exe
C:\Windows\system32\Mjqjih32.exe
70⤵
- Modifies registry class
PID:1300

C:\Windows\SysWOW64\Mnlfigcc.exe
C:\Windows\system32\Mnlfigcc.exe
71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1836

C:\Windows\SysWOW64\Mdfofakp.exe
C:\Windows\system32\Mdfofakp.exe
72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1412

C:\Windows\SysWOW64\Mgekbljc.exe
C:\Windows\system32\Mgekbljc.exe
73⤵
- Modifies registry class
PID:1788

C:\Windows\SysWOW64\Mkpgck32.exe
C:\Windows\system32\Mkpgck32.exe
74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:744

C:\Windows\SysWOW64\Mpmokb32.exe
C:\Windows\system32\Mpmokb32.exe
75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4088

C:\Windows\SysWOW64\Mgghhlhq.exe
C:\Windows\system32\Mgghhlhq.exe
76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1624

C:\Windows\SysWOW64\Mkbchk32.exe
C:\Windows\system32\Mkbchk32.exe
77⤵
- Drops file in System32 directory
- Modifies registry class
PID:3972

C:\Windows\SysWOW64\Mamleegg.exe
C:\Windows\system32\Mamleegg.exe
78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4540

C:\Windows\SysWOW64\Mdkhapfj.exe
C:\Windows\system32\Mdkhapfj.exe
79⤵
- Drops file in System32 directory
PID:4816

C:\Windows\SysWOW64\Mgidml32.exe
C:\Windows\system32\Mgidml32.exe
80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4160

C:\Windows\SysWOW64\Maohkd32.exe
C:\Windows\system32\Maohkd32.exe
81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1708

C:\Windows\SysWOW64\Mcpebmkb.exe
C:\Windows\system32\Mcpebmkb.exe
82⤵
- Drops file in System32 directory
PID:1572

C:\Windows\SysWOW64\Mkgmcjld.exe
C:\Windows\system32\Mkgmcjld.exe
83⤵
- Drops file in System32 directory
- Modifies registry class
PID:524

C:\Windows\SysWOW64\Mnfipekh.exe
C:\Windows\system32\Mnfipekh.exe
84⤵
- Modifies registry class
PID:1520

C:\Windows\SysWOW64\Mdpalp32.exe
C:\Windows\system32\Mdpalp32.exe
85⤵
PID:5144

C:\Windows\SysWOW64\Mgnnhk32.exe
C:\Windows\system32\Mgnnhk32.exe
86⤵
- Drops file in System32 directory
PID:5180

C:\Windows\SysWOW64\Njljefql.exe
C:\Windows\system32\Njljefql.exe
87⤵
- Drops file in System32 directory
- Modifies registry class
PID:5228

C:\Windows\SysWOW64\Nqfbaq32.exe
C:\Windows\system32\Nqfbaq32.exe
88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5272

C:\Windows\SysWOW64\Nceonl32.exe
C:\Windows\system32\Nceonl32.exe
89⤵
- Modifies registry class
PID:5320

C:\Windows\SysWOW64\Nafokcol.exe
C:\Windows\system32\Nafokcol.exe
90⤵
- Drops file in System32 directory
- Modifies registry class
PID:5360

C:\Windows\SysWOW64\Ncgkcl32.exe
C:\Windows\system32\Ncgkcl32.exe
91⤵
PID:5408

C:\Windows\SysWOW64\Nkncdifl.exe
C:\Windows\system32\Nkncdifl.exe
92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5456

C:\Windows\SysWOW64\Nnmopdep.exe
C:\Windows\system32\Nnmopdep.exe
93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5504

C:\Windows\SysWOW64\Nqklmpdd.exe
C:\Windows\system32\Nqklmpdd.exe
94⤵
- Drops file in System32 directory
- Modifies registry class
PID:5548

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5608

C:\Windows\SysWOW64\Nkqpjidj.exe
C:\Windows\system32\Nkqpjidj.exe
96⤵
- Drops file in System32 directory
PID:5676

C:\Windows\SysWOW64\Nnolfdcn.exe
C:\Windows\system32\Nnolfdcn.exe
97⤵
PID:5736

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
98⤵
- Drops file in System32 directory
PID:5800

C:\Windows\SysWOW64\Ndidbn32.exe
C:\Windows\system32\Ndidbn32.exe
99⤵
- Drops file in System32 directory
- Modifies registry class
PID:5848

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
100⤵
PID:5892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5892 -s 412
101⤵
- Program crash
PID:6060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5892 -ip 5892
1⤵
PID:6024

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gjclbc32.exe
Filesize
336KB

MD5
ec137df3eead1a6be1544858e2c9930c

SHA1
118f3a5efc551c5e3a5a7d3d75ae4b22c47bd0aa

SHA256
644d2cb2227abf8d615e7b48673a53a860807542d5002afa90323d1da08342c2

SHA512
7c427024a0ba448778391564a0ee038320e34f4795031c7bf408ebc8eaacd115052584fe6ed6412a5c4535ea9bf914e726fcd35be8e302855bf01a5bfd48fef3

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe
Filesize
336KB

MD5
09ccb3916f16536764753de7fba8db69

SHA1
043da9c602f9d464da5159138e8d9c9d22aa2822

SHA256
da5f224e6cb83eb6d63658a75bcfb7670105cf4655604272b666792cd60511d3

SHA512
5d0ef97861575daf7bf0554c840003ff1499e89d13326f08793e01f73d7b10e2a6e620f055c1effa3ff5b81de7bb27ec922c6cfc52f594eb92d5704ee253263f

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe
Filesize
336KB

MD5
fa920fa13d4bbd3d18e628c25735b3a1

SHA1
7fefe5da5f67b21b407020e5a24b841333f0cdec

SHA256
17e289f11c89196cdf518b5b7c87c6943c3788cf5365de8ad5a65d60143bb00c

SHA512
f70ede770a339d7873688a045a8ea00bbeccbddabb694a95c8632fc1b21e683a7ba30b0e359e2c0fd45da09cddef8caee7cd4a862537a72710a6886d79fb1178

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe
Filesize
336KB

MD5
0848846e60c372d1c24ec6f23229c908

SHA1
31c89d91a8f926dff6e6e5702c0282fd77d0e58b

SHA256
f72af1c9b87a7bc2994fa0386d3622a7b0885ed943fe7c5200f32a28952a3ffd

SHA512
3fb658c7e9e7cbf825c22a0ec18dd97dbd5fd80f3b921340e12411e14ec2818532048dcc6bfbc356f84f3c85dc008eaa8d88ddc037aaa48ec2da14688830aad4

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe
Filesize
336KB

MD5
be38e970f970ebc0d472e8386972772e

SHA1
927dc8c0a86b27ba8e071cd89b064c81fdcb7eaa

SHA256
21ebb3b1f16ca106c17a9bb6ec1c6dd2fd5d1caba6b744e2929cbb8b959500f5

SHA512
f8acb8d0e7b0f7b372376eee73c2f1c164a661ac8a0fdabbd04e30cb949f766ee18d97efd5e83abc1f27760f8b0b4c5c768dfeffe8d2beabb86a385b6ac7eaf2

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe
Filesize
336KB

MD5
cd42936be6ddf5abf403cd21baaeaa92

SHA1
6deb6fae69c0e94e38ff1efc5c1d8b0e0f845b32

SHA256
ba6dee87a12383777fbd8b22e52a4e0e6c7a5e0bc1c151010acb089b8e3a56ab

SHA512
a6d1a19c38db852a960806867400be258b9ab3b0b3abcb29c0255979a2baab07c4d4d3d8ec5657d912b21a383c497748b28fabeba081d322c4919482fca431a8

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe
Filesize
336KB

MD5
60aa9c54b07608af1cdd65fdb46ea90f

SHA1
2c059c670f1180ae68d0142cd434f6e2ad1e143f

SHA256
e185b62ba2267b5f199b553da464ed2564bbe778259350d832ef89867bd241d2

SHA512
de2ccd6c3adb6badc6b88f621cafa456ca9b9cec7d2bae02bb314d0cb2b6675ee03e7ad47ae47351719fc487082c305a06cb1321f229b06cf0d363a8af2451bb

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe
Filesize
336KB

MD5
73c4a75c9a454633bdfaabce15b74258

SHA1
e160bd5cf38b77aa6472ac9a3cca46c039628d38

SHA256
282b3f3998ee7d2de45e5f233acec9d9d2b298463bf7ad1af3026ad1d6aa9d52

SHA512
c164814ca5d56b6fcd7ca0ad5e6a7d2d47addf17c82dd8f5386621531c55370c27fae58e3d5969ff5e833954b41e2b11461e3ed41438c374b98fd748618de881

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe
Filesize
336KB

MD5
186566d0e086c184926bab03bd316ff6

SHA1
a8ddc5c3edff61f1be6d5712b369d798fecaaca0

SHA256
a3466834c0db0d97737a4a6c0090b6516ab9422b29a166d8eb2d8a4099eda9bf

SHA512
2a178d7da05d1f485269103e71793edd6824e765840ea4715e1b18814d9de40f79f9325a0f56b44cb964ebb6437fcd367a1b91edd7d05585f113403735db947a

Download Submit
C:\Windows\SysWOW64\Ibilnj32.dll
Filesize
7KB

MD5
f11ad8a881851fd4b5900deadde4f441

SHA1
522451f80163f9d44486e7310b165d4c68f2f314

SHA256
7b17848f741038e57a5b885f694d8358d95936840008c30cf10c5e8b270ec7f4

SHA512
0f839966a9cc915afe628a4775f13a1d4260d907ac5442517a8a2cfb7f6b08847932a3e8b3da181d1756c4ab8cfd1d196a8f910189e87be9d7af7d41689c64d0

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe
Filesize
336KB

MD5
f2d35fdd0daaa7629ebd3b9863c36008

SHA1
2ba33673d6a60afad7c43c2f0b919d5b79d9a2ca

SHA256
19232777df5b89f023011def7f29fd11eb7b29d741584c56ff9b1de52f01a08d

SHA512
c53e5d74702f358a6c06dbcd3346e0b8c1960dd532e742b9937af2a744e10773544d2b4cf2352d507419418399fe29fc521e0c41a7d9ef54e42697d62d42d71d

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe
Filesize
336KB

MD5
eb30440b6e5c886ff36f4d3652fb7507

SHA1
9a777b8b818058607ce2b71461f874720a31e7e4

SHA256
75fb871def6de05199f39f906739501df3295925197fec9f2d7f9028579aac47

SHA512
19dfc6fbaf02435cd34b9dbc3b23083c26e36b338cce4f8b265a0db4ad16576ba36e5415ead8f85e0b23e143d0d4a19a57cefbc2d09a1e36a920203a2ba49db4

Download Submit
C:\Windows\SysWOW64\Ifjfnb32.exe
Filesize
336KB

MD5
a4ce31e6954d8f0aeddc7f37b8454952

SHA1
491a06fa1813b2f537eb57bae6c18c2e879b29f0

SHA256
9251d57c156032e43c161859f7e60e24cba788609ef16efe33d951f420741c33

SHA512
466a63bc09e06b879714632195216829a5443a56644406fdbc28d6137a487343dbeb9923b3ecbf4ec28230f77280a7c83dfba7073039f2b7f1b628dddd10abb6

Download Submit
C:\Windows\SysWOW64\Ifopiajn.exe
Filesize
336KB

MD5
81c66e85755351a7c06e7f169212c4f9

SHA1
64344fc8f0242529f7dd031648c35f70b00abbb7

SHA256
7d6887785edd29aa358a9537f7ec2f6ae50ec6a108841c686aa900682b1781b8

SHA512
362a5764bc4bbca1a79583443b383bcecca0e66c90f72d6fa9ed009e4f3fea312575c838a7f143112fff02e6c2145009c9853540ae978f57661ffd3e0e30c252

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe
Filesize
336KB

MD5
7fa8e488b67be9f79ab9a4bc22ff03c5

SHA1
8284e34db2a08e1a89663fc127a6d70e0f0ce076

SHA256
f1a7f110a1f852ad882ef296b321753b5dd419382e2413bc1b599f3efb58f27f

SHA512
9055d8465f6a1b01fc1949b604ba278eecd1fcb51516a65ad1d31fdc0bba401105a8127245497c155d1bfd2eeb0e5ed02dea02bbf0ab115fbff3fd88d2ff840e

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe
Filesize
336KB

MD5
8b86d51042933f87d66d35021126e09a

SHA1
fc221a116bd1e79767fd24b29845acb2eaa1be09

SHA256
6a3ffa879177985afdb626e86983346616de471431f45317c86598c5db3f83af

SHA512
d675236331bfb717e0137dfabd8d4c9dc29b6ee5786d17f24c46c84ef0fd3826752fb9456b5fd51eef86d32ec11ddd91fe532d81229e30e89edb787773df5de2

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe
Filesize
336KB

MD5
3a7adbecf2ec45e09f11418d6c433feb

SHA1
c8fe7fb7d27cfa60456303057da6b61ed4373c28

SHA256
07db2b8898830414f18287052d022d439c920aba1c2ca066e51f7cceb9be9bdc

SHA512
14ef0a71a42362f0ae30a9c075cfee827e3a03dd4a6ae5278ec92924f70e7c4dc78c2d90d81841661cc9ba01c6bd6d53a2799a4c0285db41fb5ceacb34e353e2

Download Submit
C:\Windows\SysWOW64\Imbaemhc.exe
Filesize
336KB

MD5
7fb5a1671fb69889ce17d9452c787a25

SHA1
7b37c35a2aa5738a4276eb2b61b170f8b764e73a

SHA256
4242a4d63e1eff847522124d255f64be169b988c8377e1a66c3e7137e5193373

SHA512
06bda50b66ab78348f000975896577e8c287ce4f23b771e12f6a2901e0500ef224b704a6e0c8019da7bb56206575880a2d7d5a1bde36912396553eea62bf81ab

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe
Filesize
336KB

MD5
edab10daf2df4bbc494121aab1ad6535

SHA1
f373d6d8816be1875db0d13afd68de4dd82ed0d4

SHA256
35bc8a7ca8a4dd53f70750ea83d58d99ecf2e3aa91a7c90c3b6f093a237f6208

SHA512
62be163487cbc43c40d81f62809c860962e588e897b5ee8e6472caa792ce4fa131c01edb412c4a0b942afdaad11a656d99fc74ff8b55bc015638520bc5d652f1

Download Submit
C:\Windows\SysWOW64\Impepm32.exe
Filesize
336KB

MD5
ea674de5c709a1becee19151b511601f

SHA1
2ab6f2c10e4b88d48bc1d2ae75c3f4f52a95379f

SHA256
ea079f9c0dd2bc3ae4c68f6bd6fb0a2824f747e0aa24610a34cc7b8a298498b8

SHA512
c1b312358389c8141726703ded7b4babe83a9271c593612c5625a2bb8c2e25b25773efd7a4e2f4c4b5725699522f75f43479f9182da32f9b4f200479b34564f7

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe
Filesize
336KB

MD5
e2d80f46a9e597fa3e4519928602699b

SHA1
bb214550357ac0df3df225f207cc65e0aa85f784

SHA256
ec003aa8727d7cbd1119790445b32ae4a6a6694578d84ffd9f170d0cfea8004d

SHA512
21acaa274e99aa43864dde63a28b6906e604e2349597b065875f181d2e74a56968f8c57815282885076d567f7b5886698e5c7d71c0a57ade6a4ef356dae1ce4d

Download Submit
C:\Windows\SysWOW64\Ipnalhii.exe
Filesize
336KB

MD5
685ea74c48627113c869e8356cb64122

SHA1
cf509e1e443743dfd0675b99e33521a877a344b6

SHA256
ba9805774c3e25144fb87a157ef5e516199f9f56317d0585dc9c5da33ef5904b

SHA512
ca558a1598a2a1310121fe58b62b5c9dffc15ce445fe1800d4739e046025381f7380671e95c5ded29152e36816158b8f4c78d5a3895fa8210f9ca8d8fbdc5b5b

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe
Filesize
336KB

MD5
87e10e0fe931e71496d259f54495808c

SHA1
edd94b5e6ed4825e351d86d8ce536a1578648a80

SHA256
8c328a95cdb1e07a762bbbdaa9b59a88379d64f4f5af11a63f7f1be61ae9f739

SHA512
cd15be3ab08ffc58f6582e3d2ed91a303cd0d95b3bcf2522d1866b19309736746db4c37ae322ce4fe99c11f3fb402cb9517b25056404e8e59d88932b5d2dd543

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe
Filesize
336KB

MD5
83883a7e2d121b119390ac9bd0df95e1

SHA1
0f9c9f11bda1f86fdfb2e6b3c0fe238d5da5538d

SHA256
bc5fe942b761dfd4e663d9efce968b38313cc76a03e0fef1002a4c931c92cf2f

SHA512
cddda2389e55b07c71b606073928815f6a89116a9f8ef872de8e52b5d0fa226da8125f34d249df81f7ce267bc2db5e8962f662820d79858a48bff9a24b6e981e

Download Submit
C:\Windows\SysWOW64\Jagqlj32.exe
Filesize
336KB

MD5
585a0c10ddf33d4b069a45e549512517

SHA1
a0e3a57901fff8b77219078965612f419ce08593

SHA256
fd255bb88d8b1b5b00791ab5821978c06f8768a23d2a47705e76a43dafc97a76

SHA512
3f7145dbf415082b9d952ec8c84958b29667de15099c16c4ed8c42a2b539cbd4817808a8aa6d13f399063fa1265a56d8dd70fe1646acecd9b2ef3e54d0110c57

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe
Filesize
336KB

MD5
fab0e11bae13956f70694d8a052664cf

SHA1
bd306f6ecbe10a59b43c4255c411b68a094e3175

SHA256
97a94a44f82ce818d9b1ba006ac8122c1a891ddde86330b87729b1d51cc117db

SHA512
fca10c734ab3bdb6956d056dafa2fe18585c67baf5e8bb398a9902e6d753a3adf3b34681de2b39108bc11b4b6be857ec41f36ee28cc8834412abc57fad8f0345

Download Submit
C:\Windows\SysWOW64\Jbmfoa32.exe
Filesize
336KB

MD5
fe0bff15d7428091cdf7232ca9b608cf

SHA1
49d7b8a6ab4f927cbd616ef74f6047e996648a6f

SHA256
af355bbc218f1be019cb20153c61c1dab10c0771072939968468c2c74bd20873

SHA512
1ac809663797fa9c1aadc267ab694ae0e285b92bf79350fab3854e2fa98127512121a693a8cd622ff7a7da2e6f909c8f42919e5f5054d53b71e97d7355bb48c7

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe
Filesize
336KB

MD5
dd9c19f07d6dfd8962e6552c67ec9c85

SHA1
807ac8754801a939b52489391edbabe44ac67c3a

SHA256
784b7b46102f98fd2d1500ec03fe0e2bc9ef825a92baeddd89400abe6a5374e1

SHA512
ef5810d3a90b1c977dc20b55690acd3bc6a135e48ccfac01ca11a77d7c58b8deb177d97f013d9c9d9d47dcbe8e9f93f2d0c953cb6e0b6012825b8f34f3817216

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe
Filesize
336KB

MD5
a5b6d21feedad90b313bb713e7fdb164

SHA1
de93b2ce5e903d78a398da8397b01fc11ea4ba65

SHA256
2fe93a1260b8685d7b36d55f1c0f36c3db44fef44da97f98324ac541d595cebf

SHA512
c9b85bdf2840e2acfddcf6a7e40e2e484fece1f95c5e1df6b944403fb7e92991e5fc1ea458306be3c4e314ba89bb2c1bdab3d45e5b460266d5bf84c365069e5c

Download Submit
C:\Windows\SysWOW64\Jigollag.exe
Filesize
336KB

MD5
c9f3099adc95edcc84ed09ebcb887284

SHA1
86afdcec2a0665d3681c8238110fb378ab2f6c69

SHA256
5fc02f3d3847dbd042fb441a9cef3c764e6837dc1256cf799353fc4fef80cf63

SHA512
5400dd9079c8d752d3db22b85e69909d40425c0f4c919e2b8f52837b0e5d48e19b9226a7b6563d9875afe5e4594c48cc1d36fa5e0d7508f70e4dea252d14ff72

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe
Filesize
336KB

MD5
af187467b6d4e0505444334c02fd4cf3

SHA1
81203d7ca635415c72d5da692727d28d9ad0fe51

SHA256
6dd46445fbe82a790bcc1f4816ab3fa36b87538e8fe7f17dc03241c3e7567935

SHA512
2960109c2eeaa89037ea4043281471c5a9cb3dc4ce5f4016dd67a8a981e92440dd95191a71eebbf90031a293bf1e5bb17bdc21929871f5ce319eb6836fbe33a9

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe
Filesize
336KB

MD5
86b5d998a51e4c93a3e486a5a7b8e40b

SHA1
62e209140a619ed04f002c1e0b89c6f555694828

SHA256
ca9ef6a70c6bb4947af11db244841a34e84a7a1326782d256424379cee98b840

SHA512
a637674503063c22993c1a60448970dea3b6785ab9e51a9cc99c41e6cab6b3c58dd24723b57d4c494ab40b93182343af81dfe8c9d32e9afc30e7976dba5758a7

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe
Filesize
336KB

MD5
81cfc0c2fba9f95a73cdadd3f5b58a74

SHA1
866cc29e0a89d2508e114d75f1bea200c14a91c7

SHA256
b4eed8e5e606530a51fecb2531de089bd81d4a51d30110c1803ba01be79a13d1

SHA512
2f520f4f1eb7b2e997b40504aa31852154d1628e466ba06515c4e6e347974e2bd41f8f242f4fc606056f9b2160188f5f376f9d2ea3fef9eec73f163920175697

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe
Filesize
336KB

MD5
5c894a6d1f0df16798bc82074e2ee0a7

SHA1
5ae20ff1e677006b9253772acedc188016b3bcd1

SHA256
a526a65dfa4ec2afa21134c845ee11e06054516db3cc4b3bf82373797002185e

SHA512
393f76e1dc0afecd667fac77c975ed3284867f97f9916e6fd0f30f9d06b679d17e9e3f1ec2872526422bb88058a3454293f10ca51815f2190da867681d2edf1e

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe
Filesize
336KB

MD5
52c68e3c1d2216af25e792b031e6ae59

SHA1
2fde519117dccfa50544856e20dbb174aa37815b

SHA256
8d87e957c630a458b80bb1dbb41dc8ab5b1c963c5a7346f715b5750a43d572d6

SHA512
7ec14a80f488e3c1ff98aa96edcd8395287b811a122c916c7ab7b9b0029f922fdfbc2a83e027a541cb787710f7a64eae64b6881e521f716dbd2f1d48c731e7a9

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe
Filesize
336KB

MD5
bee8bc3f4ae4f4754ac8a5b73a358d80

SHA1
633d76ed212692c530f04eb38dd61a12964db18c

SHA256
a6b4f71603d7440736b123def9796855c1e77dbbb2eb403766a17a57d7543f72

SHA512
a8efa3acb0babeb47d38984a63fc24412c151d6264afe30a1b8e6487011bb38bf9b25cf34705d1420a2c7df8df20b4713e85787d1cd91758c58aee807abf255b

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe
Filesize
336KB

MD5
11f929dfd19b804b7722109297da0e5a

SHA1
6adfe1feb6fd0932e5d1937885e3f2f71abb66fa

SHA256
c9f043d6618d0affb1f446a45dde5e78834062af7fde1ac743bdbf849abd94f8

SHA512
e3b4b165a05b914d1b20867fb5ea9d22982bdd6f98ba10d74db5a96109ec6993d1d44062c01759b1dca5721118106f0ded4862fe9d5fdf026d4bbf401165ac67

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe
Filesize
336KB

MD5
a89935d3e8056058a2dc32ef0082fb3c

SHA1
0312814e9acc28e47eb6f372760fa704ad9c56a1

SHA256
11a3910e757e32b08001939a3f8e8e7f34f064a43ccace67251a0cc951c935cf

SHA512
f47e4904511aa755d41b9e2f30395c3fff1308eb67e7171e43cff167209b5ab0f92c2ef7e8b5e84f8e4bd60bd1d165179a8be89cf2d9feb933663b0314113827

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe
Filesize
336KB

MD5
9e11a40b02bb2cb245cab7881617a7aa

SHA1
32847c86a5bd976ccb9ad92ac3c38eee3daac292

SHA256
38ade37a175d817a3cc67378087ed26b2cb2b69b73369dbcab4a0c58a2c9db40

SHA512
0d27c90f29662b1d55d9bb6a6aff416e0d8cf5d81395d9550760c8cf21180f8b636c4a19634ae945e9379667ffb3197b830104c2dfdf2ad57d15f3f6769dc026

Download Submit
memory/60-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/392-357-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/432-434-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/524-562-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/744-502-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1160-563-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1160-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1252-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1300-482-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1412-494-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1416-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1488-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1520-568-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1528-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1528-590-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1548-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1548-583-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1572-550-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1624-514-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1708-544-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1712-172-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1744-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1788-496-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1832-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1836-484-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1980-442-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2024-472-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2180-393-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2204-559-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2204-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2216-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2216-604-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2252-165-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2264-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2364-288-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2452-376-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2520-148-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2560-157-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2576-294-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2640-410-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2656-371-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2660-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2660-576-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2760-315-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2776-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2884-416-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2908-429-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2912-199-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2996-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3008-398-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3168-454-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3184-471-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3328-386-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3388-248-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3504-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3504-597-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3516-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3540-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3580-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3592-422-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3636-441-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3784-332-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3792-136-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3924-20-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3928-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3972-520-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4076-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4088-508-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4160-538-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4168-267-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4284-448-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4296-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4332-358-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4336-96-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4344-216-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4360-104-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4392-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4500-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4540-530-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4564-208-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4572-181-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4580-189-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4644-327-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4684-351-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4816-532-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4820-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4856-125-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4880-231-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5048-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5072-240-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5080-460-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5144-574-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5180-577-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5228-588-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5272-591-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5320-602-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download