41c656a67cbf5f53753dfeb71784264402fb3f5a3fb8709bd4a086ae3ced6191

Analysis

max time kernel
136s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1525f2a864cfc103a8763066314c2670_NeikiAnalytics.exe
Size

81KB
MD5

1525f2a864cfc103a8763066314c2670
SHA1

7054096f118bebfaeef35e772c1aa05b6f07fda5
SHA256

41c656a67cbf5f53753dfeb71784264402fb3f5a3fb8709bd4a086ae3ced6191
SHA512

199143265225cd2e49b4c8074d64c0ea92b4f98e07466618c0bce3dd5b5e55659068416a1b82b04f92d67a29a26d5daaeb265282c1b6e18db086df3a95e5ec2c
SSDEEP

1536:BbSxgi2z3S/ZVJzi1Z47m4LO++/+1m6KadhYxU33HX0L:1aglzIZI4/LrCimBaH8UH30L

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Kaemnhla.exeKkbkamnl.exeLaefdf32.exeMnlfigcc.exeMaohkd32.exeMdpalp32.exeKbapjafe.exeKacphh32.exeLcbiao32.exeLcdegnep.exeMkgmcjld.exeNdbnboqb.exeNdghmo32.exeLaalifad.exeLdohebqh.exeNjacpf32.exeLknjmkdo.exeMcnhmm32.exeJpojcf32.exeJbmfoa32.exeKmlnbi32.exeNbhkac32.exeJmnaakne.exeJjbako32.exeLpocjdld.exeNgcgcjnc.exeNcldnkae.exe1525f2a864cfc103a8763066314c2670_NeikiAnalytics.exeKgphpo32.exeLkiqbl32.exeMgekbljc.exeNnolfdcn.exeJpaghf32.exeLmqgnhmp.exeLpfijcfl.exeLklnhlfb.exeMdiklqhm.exeNafokcol.exeKknafn32.exeMncmjfmk.exeKdcijcke.exeLnhmng32.exeLnjjdgee.exeMkpgck32.exeNddkgonp.exeJbkjjblm.exeLcpllo32.exeNacbfdao.exeJidbflcj.exeMpkbebbf.exeMcklgm32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1525f2a864cfc103a8763066314c2670_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe

Executes dropped EXE 64 IoCs

Processes:

Jbhmdbnp.exeJmnaakne.exeJaimbj32.exeJbkjjblm.exeJjbako32.exeJidbflcj.exeJpojcf32.exeJbmfoa32.exeJkdnpo32.exeJmbklj32.exeJpaghf32.exeJiikak32.exeKpccnefa.exeKbapjafe.exeKilhgk32.exeKacphh32.exeKbdmpqcb.exeKgphpo32.exeKaemnhla.exeKdcijcke.exeKknafn32.exeKmlnbi32.exeKpjjod32.exeKcifkp32.exeKkpnlm32.exeKdhbec32.exeKkbkamnl.exeLmqgnhmp.exeLpocjdld.exeLcmofolg.exeLkdggmlj.exeLpappc32.exeLcpllo32.exeLkgdml32.exeLnepih32.exeLaalifad.exeLdohebqh.exeLcbiao32.exeLkiqbl32.exeLnhmng32.exeLpfijcfl.exeLcdegnep.exeLklnhlfb.exeLnjjdgee.exeLaefdf32.exeLphfpbdi.exeLcgblncm.exeLknjmkdo.exeMnlfigcc.exeMpkbebbf.exeMdfofakp.exeMgekbljc.exeMkpgck32.exeMnocof32.exeMdiklqhm.exeMcklgm32.exeMkbchk32.exeMnapdf32.exeMpolqa32.exeMcnhmm32.exeMkepnjng.exeMncmjfmk.exeMaohkd32.exeMdmegp32.exe

pid	process
5024	Jbhmdbnp.exe
5920	Jmnaakne.exe
3372	Jaimbj32.exe
1988	Jbkjjblm.exe
5060	Jjbako32.exe
6100	Jidbflcj.exe
5324	Jpojcf32.exe
5432	Jbmfoa32.exe
3904	Jkdnpo32.exe
4556	Jmbklj32.exe
4852	Jpaghf32.exe
1076	Jiikak32.exe
5072	Kpccnefa.exe
1160	Kbapjafe.exe
5940	Kilhgk32.exe
2044	Kacphh32.exe
3116	Kbdmpqcb.exe
5420	Kgphpo32.exe
5112	Kaemnhla.exe
5592	Kdcijcke.exe
4544	Kknafn32.exe
756	Kmlnbi32.exe
4216	Kpjjod32.exe
1340	Kcifkp32.exe
3844	Kkpnlm32.exe
2684	Kdhbec32.exe
2080	Kkbkamnl.exe
3656	Lmqgnhmp.exe
3700	Lpocjdld.exe
1552	Lcmofolg.exe
5504	Lkdggmlj.exe
428	Lpappc32.exe
3052	Lcpllo32.exe
4684	Lkgdml32.exe
388	Lnepih32.exe
4388	Laalifad.exe
1116	Ldohebqh.exe
5204	Lcbiao32.exe
5512	Lkiqbl32.exe
4356	Lnhmng32.exe
2664	Lpfijcfl.exe
4428	Lcdegnep.exe
5440	Lklnhlfb.exe
5192	Lnjjdgee.exe
5732	Laefdf32.exe
2520	Lphfpbdi.exe
2924	Lcgblncm.exe
5652	Lknjmkdo.exe
6104	Mnlfigcc.exe
6024	Mpkbebbf.exe
1516	Mdfofakp.exe
2296	Mgekbljc.exe
4416	Mkpgck32.exe
1948	Mnocof32.exe
2524	Mdiklqhm.exe
5952	Mcklgm32.exe
4176	Mkbchk32.exe
1064	Mnapdf32.exe
5376	Mpolqa32.exe
5384	Mcnhmm32.exe
712	Mkepnjng.exe
5644	Mncmjfmk.exe
3344	Maohkd32.exe
3196	Mdmegp32.exe

Drops file in System32 directory 64 IoCs

Processes:

Lphfpbdi.exeNafokcol.exeJbmfoa32.exeKbapjafe.exeKdcijcke.exeKkpnlm32.exeMaohkd32.exeLpappc32.exeLknjmkdo.exeMnapdf32.exeKpccnefa.exeLkdggmlj.exeMpolqa32.exeJjbako32.exeKmlnbi32.exeKcifkp32.exeJiikak32.exeLcbiao32.exeNgedij32.exeMgnnhk32.exeNnolfdcn.exeMdpalp32.exeMncmjfmk.exeLnjjdgee.exeMpkbebbf.exeMdfofakp.exeNddkgonp.exeLcgblncm.exeLnepih32.exeLnhmng32.exeLcdegnep.exeLaefdf32.exeMdiklqhm.exeKgphpo32.exeLmqgnhmp.exeLcmofolg.exeMkepnjng.exeKbdmpqcb.exeNbhkac32.exeLkgdml32.exeMkpgck32.exeNacbfdao.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Jkdnpo32.exe	Jbmfoa32.exe
File opened for modification	C:\Windows\SysWOW64\Kilhgk32.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Honcnp32.dll	Jjbako32.exe
File created	C:\Windows\SysWOW64\Jkdnpo32.exe	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Kpjjod32.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Kkdeek32.dll	Kbapjafe.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Kbapjafe.exe	Kpccnefa.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kcifkp32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lnepih32.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1128 2436 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
1128	2436	WerFault.exe	Nkcmohbg.exe

Modifies registry class 64 IoCs

Processes:

Lnjjdgee.exeMnapdf32.exeMdpalp32.exeJmnaakne.exeKdhbec32.exeMaaepd32.exeNgpjnkpf.exeLmqgnhmp.exeLpocjdld.exeLkdggmlj.exeLcgblncm.exeJbhmdbnp.exeJpojcf32.exeKmlnbi32.exeMcnhmm32.exeKbdmpqcb.exeNgedij32.exeJkdnpo32.exeLaalifad.exeLcbiao32.exeNddkgonp.exeKpjjod32.exeLcdegnep.exeMdiklqhm.exeMkbchk32.exeNjogjfoj.exeNjacpf32.exeMcklgm32.exeMdmegp32.exeMgnnhk32.exeMkgmcjld.exeNacbfdao.exeLcpllo32.exeMdfofakp.exeNdbnboqb.exeLpfijcfl.exeLknjmkdo.exeMnocof32.exeNbhkac32.exeNdghmo32.exe1525f2a864cfc103a8763066314c2670_NeikiAnalytics.exeJpaghf32.exeJiikak32.exeLcmofolg.exeJaimbj32.exeMpkbebbf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	1525f2a864cfc103a8763066314c2670_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mdpalp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1525f2a864cfc103a8763066314c2670_NeikiAnalytics.exeJbhmdbnp.exeJmnaakne.exeJaimbj32.exeJbkjjblm.exeJjbako32.exeJidbflcj.exeJpojcf32.exeJbmfoa32.exeJkdnpo32.exeJmbklj32.exeJpaghf32.exeJiikak32.exeKpccnefa.exeKbapjafe.exeKilhgk32.exeKacphh32.exeKbdmpqcb.exeKgphpo32.exeKaemnhla.exeKdcijcke.exeKknafn32.exe

description	pid	process	target process
PID 4896 wrote to memory of 5024	4896	1525f2a864cfc103a8763066314c2670_NeikiAnalytics.exe	Jbhmdbnp.exe
PID 4896 wrote to memory of 5024	4896	1525f2a864cfc103a8763066314c2670_NeikiAnalytics.exe	Jbhmdbnp.exe
PID 4896 wrote to memory of 5024	4896	1525f2a864cfc103a8763066314c2670_NeikiAnalytics.exe	Jbhmdbnp.exe
PID 5024 wrote to memory of 5920	5024	Jbhmdbnp.exe	Jmnaakne.exe
PID 5024 wrote to memory of 5920	5024	Jbhmdbnp.exe	Jmnaakne.exe
PID 5024 wrote to memory of 5920	5024	Jbhmdbnp.exe	Jmnaakne.exe
PID 5920 wrote to memory of 3372	5920	Jmnaakne.exe	Jaimbj32.exe
PID 5920 wrote to memory of 3372	5920	Jmnaakne.exe	Jaimbj32.exe
PID 5920 wrote to memory of 3372	5920	Jmnaakne.exe	Jaimbj32.exe
PID 3372 wrote to memory of 1988	3372	Jaimbj32.exe	Jbkjjblm.exe
PID 3372 wrote to memory of 1988	3372	Jaimbj32.exe	Jbkjjblm.exe
PID 3372 wrote to memory of 1988	3372	Jaimbj32.exe	Jbkjjblm.exe
PID 1988 wrote to memory of 5060	1988	Jbkjjblm.exe	Jjbako32.exe
PID 1988 wrote to memory of 5060	1988	Jbkjjblm.exe	Jjbako32.exe
PID 1988 wrote to memory of 5060	1988	Jbkjjblm.exe	Jjbako32.exe
PID 5060 wrote to memory of 6100	5060	Jjbako32.exe	Jidbflcj.exe
PID 5060 wrote to memory of 6100	5060	Jjbako32.exe	Jidbflcj.exe
PID 5060 wrote to memory of 6100	5060	Jjbako32.exe	Jidbflcj.exe
PID 6100 wrote to memory of 5324	6100	Jidbflcj.exe	Jpojcf32.exe
PID 6100 wrote to memory of 5324	6100	Jidbflcj.exe	Jpojcf32.exe
PID 6100 wrote to memory of 5324	6100	Jidbflcj.exe	Jpojcf32.exe
PID 5324 wrote to memory of 5432	5324	Jpojcf32.exe	Jbmfoa32.exe
PID 5324 wrote to memory of 5432	5324	Jpojcf32.exe	Jbmfoa32.exe
PID 5324 wrote to memory of 5432	5324	Jpojcf32.exe	Jbmfoa32.exe
PID 5432 wrote to memory of 3904	5432	Jbmfoa32.exe	Jkdnpo32.exe
PID 5432 wrote to memory of 3904	5432	Jbmfoa32.exe	Jkdnpo32.exe
PID 5432 wrote to memory of 3904	5432	Jbmfoa32.exe	Jkdnpo32.exe
PID 3904 wrote to memory of 4556	3904	Jkdnpo32.exe	Jmbklj32.exe
PID 3904 wrote to memory of 4556	3904	Jkdnpo32.exe	Jmbklj32.exe
PID 3904 wrote to memory of 4556	3904	Jkdnpo32.exe	Jmbklj32.exe
PID 4556 wrote to memory of 4852	4556	Jmbklj32.exe	Jpaghf32.exe
PID 4556 wrote to memory of 4852	4556	Jmbklj32.exe	Jpaghf32.exe
PID 4556 wrote to memory of 4852	4556	Jmbklj32.exe	Jpaghf32.exe
PID 4852 wrote to memory of 1076	4852	Jpaghf32.exe	Jiikak32.exe
PID 4852 wrote to memory of 1076	4852	Jpaghf32.exe	Jiikak32.exe
PID 4852 wrote to memory of 1076	4852	Jpaghf32.exe	Jiikak32.exe
PID 1076 wrote to memory of 5072	1076	Jiikak32.exe	Kpccnefa.exe
PID 1076 wrote to memory of 5072	1076	Jiikak32.exe	Kpccnefa.exe
PID 1076 wrote to memory of 5072	1076	Jiikak32.exe	Kpccnefa.exe
PID 5072 wrote to memory of 1160	5072	Kpccnefa.exe	Kbapjafe.exe
PID 5072 wrote to memory of 1160	5072	Kpccnefa.exe	Kbapjafe.exe
PID 5072 wrote to memory of 1160	5072	Kpccnefa.exe	Kbapjafe.exe
PID 1160 wrote to memory of 5940	1160	Kbapjafe.exe	Kilhgk32.exe
PID 1160 wrote to memory of 5940	1160	Kbapjafe.exe	Kilhgk32.exe
PID 1160 wrote to memory of 5940	1160	Kbapjafe.exe	Kilhgk32.exe
PID 5940 wrote to memory of 2044	5940	Kilhgk32.exe	Kacphh32.exe
PID 5940 wrote to memory of 2044	5940	Kilhgk32.exe	Kacphh32.exe
PID 5940 wrote to memory of 2044	5940	Kilhgk32.exe	Kacphh32.exe
PID 2044 wrote to memory of 3116	2044	Kacphh32.exe	Kbdmpqcb.exe
PID 2044 wrote to memory of 3116	2044	Kacphh32.exe	Kbdmpqcb.exe
PID 2044 wrote to memory of 3116	2044	Kacphh32.exe	Kbdmpqcb.exe
PID 3116 wrote to memory of 5420	3116	Kbdmpqcb.exe	Kgphpo32.exe
PID 3116 wrote to memory of 5420	3116	Kbdmpqcb.exe	Kgphpo32.exe
PID 3116 wrote to memory of 5420	3116	Kbdmpqcb.exe	Kgphpo32.exe
PID 5420 wrote to memory of 5112	5420	Kgphpo32.exe	Kaemnhla.exe
PID 5420 wrote to memory of 5112	5420	Kgphpo32.exe	Kaemnhla.exe
PID 5420 wrote to memory of 5112	5420	Kgphpo32.exe	Kaemnhla.exe
PID 5112 wrote to memory of 5592	5112	Kaemnhla.exe	Kdcijcke.exe
PID 5112 wrote to memory of 5592	5112	Kaemnhla.exe	Kdcijcke.exe
PID 5112 wrote to memory of 5592	5112	Kaemnhla.exe	Kdcijcke.exe
PID 5592 wrote to memory of 4544	5592	Kdcijcke.exe	Kknafn32.exe
PID 5592 wrote to memory of 4544	5592	Kdcijcke.exe	Kknafn32.exe
PID 5592 wrote to memory of 4544	5592	Kdcijcke.exe	Kknafn32.exe
PID 4544 wrote to memory of 756	4544	Kknafn32.exe	Kmlnbi32.exe

C:\Users\Admin\AppData\Local\Temp\1525f2a864cfc103a8763066314c2670_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1525f2a864cfc103a8763066314c2670_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4896

C:\Windows\SysWOW64\Jbhmdbnp.exe
C:\Windows\system32\Jbhmdbnp.exe
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5024

C:\Windows\SysWOW64\Jmnaakne.exe
C:\Windows\system32\Jmnaakne.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5920

C:\Windows\SysWOW64\Jaimbj32.exe
C:\Windows\system32\Jaimbj32.exe
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3372

C:\Windows\SysWOW64\Jbkjjblm.exe
C:\Windows\system32\Jbkjjblm.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\Jjbako32.exe
C:\Windows\system32\Jjbako32.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5060

C:\Windows\SysWOW64\Jidbflcj.exe
C:\Windows\system32\Jidbflcj.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:6100

C:\Windows\SysWOW64\Jpojcf32.exe
C:\Windows\system32\Jpojcf32.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5324

C:\Windows\SysWOW64\Jbmfoa32.exe
C:\Windows\system32\Jbmfoa32.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5432

C:\Windows\SysWOW64\Jkdnpo32.exe
C:\Windows\system32\Jkdnpo32.exe
10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\SysWOW64\Jmbklj32.exe
C:\Windows\system32\Jmbklj32.exe
11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556

C:\Windows\SysWOW64\Jpaghf32.exe
C:\Windows\system32\Jpaghf32.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4852

C:\Windows\SysWOW64\Jiikak32.exe
C:\Windows\system32\Jiikak32.exe
13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1076

C:\Windows\SysWOW64\Kpccnefa.exe
C:\Windows\system32\Kpccnefa.exe
14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5072

C:\Windows\SysWOW64\Kbapjafe.exe
C:\Windows\system32\Kbapjafe.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\SysWOW64\Kilhgk32.exe
C:\Windows\system32\Kilhgk32.exe
16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5940

C:\Windows\SysWOW64\Kacphh32.exe
C:\Windows\system32\Kacphh32.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\Kbdmpqcb.exe
C:\Windows\system32\Kbdmpqcb.exe
18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\SysWOW64\Kgphpo32.exe
C:\Windows\system32\Kgphpo32.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5420

C:\Windows\SysWOW64\Kaemnhla.exe
C:\Windows\system32\Kaemnhla.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112

C:\Windows\SysWOW64\Kdcijcke.exe
C:\Windows\system32\Kdcijcke.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5592

C:\Windows\SysWOW64\Kknafn32.exe
C:\Windows\system32\Kknafn32.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544

C:\Windows\SysWOW64\Kmlnbi32.exe
C:\Windows\system32\Kmlnbi32.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:756

C:\Windows\SysWOW64\Kpjjod32.exe
C:\Windows\system32\Kpjjod32.exe
24⤵
- Executes dropped EXE
- Modifies registry class
PID:4216

C:\Windows\SysWOW64\Kcifkp32.exe
C:\Windows\system32\Kcifkp32.exe
25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1340

C:\Windows\SysWOW64\Kkpnlm32.exe
C:\Windows\system32\Kkpnlm32.exe
26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3844

C:\Windows\SysWOW64\Kdhbec32.exe
C:\Windows\system32\Kdhbec32.exe
27⤵
- Executes dropped EXE
- Modifies registry class
PID:2684

C:\Windows\SysWOW64\Kkbkamnl.exe
C:\Windows\system32\Kkbkamnl.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2080

C:\Windows\SysWOW64\Lmqgnhmp.exe
C:\Windows\system32\Lmqgnhmp.exe
29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3656

C:\Windows\SysWOW64\Lpocjdld.exe
C:\Windows\system32\Lpocjdld.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3700

C:\Windows\SysWOW64\Lcmofolg.exe
C:\Windows\system32\Lcmofolg.exe
31⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1552

C:\Windows\SysWOW64\Lkdggmlj.exe
C:\Windows\system32\Lkdggmlj.exe
32⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5504

C:\Windows\SysWOW64\Lpappc32.exe
C:\Windows\system32\Lpappc32.exe
33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:428

C:\Windows\SysWOW64\Lcpllo32.exe
C:\Windows\system32\Lcpllo32.exe
34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3052

C:\Windows\SysWOW64\Lkgdml32.exe
C:\Windows\system32\Lkgdml32.exe
35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4684

C:\Windows\SysWOW64\Lnepih32.exe
C:\Windows\system32\Lnepih32.exe
36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:388

C:\Windows\SysWOW64\Laalifad.exe
C:\Windows\system32\Laalifad.exe
37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4388

C:\Windows\SysWOW64\Ldohebqh.exe
C:\Windows\system32\Ldohebqh.exe
38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1116

C:\Windows\SysWOW64\Lcbiao32.exe
C:\Windows\system32\Lcbiao32.exe
39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5204

C:\Windows\SysWOW64\Lkiqbl32.exe
C:\Windows\system32\Lkiqbl32.exe
40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5512

C:\Windows\SysWOW64\Lnhmng32.exe
C:\Windows\system32\Lnhmng32.exe
41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4356

C:\Windows\SysWOW64\Lpfijcfl.exe
C:\Windows\system32\Lpfijcfl.exe
42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2664

C:\Windows\SysWOW64\Lcdegnep.exe
C:\Windows\system32\Lcdegnep.exe
43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4428

C:\Windows\SysWOW64\Lklnhlfb.exe
C:\Windows\system32\Lklnhlfb.exe
44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5440

C:\Windows\SysWOW64\Lnjjdgee.exe
C:\Windows\system32\Lnjjdgee.exe
45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5192

C:\Windows\SysWOW64\Laefdf32.exe
C:\Windows\system32\Laefdf32.exe
46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5732

C:\Windows\SysWOW64\Lphfpbdi.exe
C:\Windows\system32\Lphfpbdi.exe
47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2520

C:\Windows\SysWOW64\Lcgblncm.exe
C:\Windows\system32\Lcgblncm.exe
48⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2924

C:\Windows\SysWOW64\Lknjmkdo.exe
C:\Windows\system32\Lknjmkdo.exe
49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5652

C:\Windows\SysWOW64\Mnlfigcc.exe
C:\Windows\system32\Mnlfigcc.exe
50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:6104

C:\Windows\SysWOW64\Mpkbebbf.exe
C:\Windows\system32\Mpkbebbf.exe
51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:6024

C:\Windows\SysWOW64\Mdfofakp.exe
C:\Windows\system32\Mdfofakp.exe
52⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1516

C:\Windows\SysWOW64\Mgekbljc.exe
C:\Windows\system32\Mgekbljc.exe
53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2296

C:\Windows\SysWOW64\Mkpgck32.exe
C:\Windows\system32\Mkpgck32.exe
54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4416

C:\Windows\SysWOW64\Mnocof32.exe
C:\Windows\system32\Mnocof32.exe
55⤵
- Executes dropped EXE
- Modifies registry class
PID:1948

C:\Windows\SysWOW64\Mdiklqhm.exe
C:\Windows\system32\Mdiklqhm.exe
56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2524

C:\Windows\SysWOW64\Mcklgm32.exe
C:\Windows\system32\Mcklgm32.exe
57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:5952

C:\Windows\SysWOW64\Mkbchk32.exe
C:\Windows\system32\Mkbchk32.exe
58⤵
- Executes dropped EXE
- Modifies registry class
PID:4176

C:\Windows\SysWOW64\Mnapdf32.exe
C:\Windows\system32\Mnapdf32.exe
59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1064

C:\Windows\SysWOW64\Mpolqa32.exe
C:\Windows\system32\Mpolqa32.exe
60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5376

C:\Windows\SysWOW64\Mcnhmm32.exe
C:\Windows\system32\Mcnhmm32.exe
61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:5384

C:\Windows\SysWOW64\Mkepnjng.exe
C:\Windows\system32\Mkepnjng.exe
62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:712

C:\Windows\SysWOW64\Mncmjfmk.exe
C:\Windows\system32\Mncmjfmk.exe
63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5644

C:\Windows\SysWOW64\Maohkd32.exe
C:\Windows\system32\Maohkd32.exe
64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3344

C:\Windows\SysWOW64\Mdmegp32.exe
C:\Windows\system32\Mdmegp32.exe
65⤵
- Executes dropped EXE
- Modifies registry class
PID:3196

C:\Windows\SysWOW64\Mkgmcjld.exe
C:\Windows\system32\Mkgmcjld.exe
66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5372

C:\Windows\SysWOW64\Maaepd32.exe
C:\Windows\system32\Maaepd32.exe
67⤵
- Modifies registry class
PID:5596

C:\Windows\SysWOW64\Mdpalp32.exe
C:\Windows\system32\Mdpalp32.exe
68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:4972

C:\Windows\SysWOW64\Mgnnhk32.exe
C:\Windows\system32\Mgnnhk32.exe
69⤵
- Drops file in System32 directory
- Modifies registry class
PID:1260

C:\Windows\SysWOW64\Nacbfdao.exe
C:\Windows\system32\Nacbfdao.exe
70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5956

C:\Windows\SysWOW64\Ndbnboqb.exe
C:\Windows\system32\Ndbnboqb.exe
71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1096

C:\Windows\SysWOW64\Ngpjnkpf.exe
C:\Windows\system32\Ngpjnkpf.exe
72⤵
- Modifies registry class
PID:3184

C:\Windows\SysWOW64\Njogjfoj.exe
C:\Windows\system32\Njogjfoj.exe
73⤵
- Modifies registry class
PID:1796

C:\Windows\SysWOW64\Nafokcol.exe
C:\Windows\system32\Nafokcol.exe
74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4912

C:\Windows\SysWOW64\Nddkgonp.exe
C:\Windows\system32\Nddkgonp.exe
75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1012

C:\Windows\SysWOW64\Ngcgcjnc.exe
C:\Windows\system32\Ngcgcjnc.exe
76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5540

C:\Windows\SysWOW64\Njacpf32.exe
C:\Windows\system32\Njacpf32.exe
77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1612

C:\Windows\SysWOW64\Nbhkac32.exe
C:\Windows\system32\Nbhkac32.exe
78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:220

C:\Windows\SysWOW64\Ndghmo32.exe
C:\Windows\system32\Ndghmo32.exe
79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1768

C:\Windows\SysWOW64\Ngedij32.exe
C:\Windows\system32\Ngedij32.exe
80⤵
- Drops file in System32 directory
- Modifies registry class
PID:2884

C:\Windows\SysWOW64\Nnolfdcn.exe
C:\Windows\system32\Nnolfdcn.exe
81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1388

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
82⤵
PID:2200

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3636

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
84⤵
PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 400
85⤵
- Program crash
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2436 -ip 2436
1⤵
PID:5028

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jaimbj32.exe
Filesize
81KB

MD5
734a0caec053c6637402a5becdd2ff6d

SHA1
b51b78065707477225cc2614227218624f569615

SHA256
5b00d8ee229d981e461d419add2db77a871b89ddfd289edca3ec448a8544cc8d

SHA512
43561714a47a88eb0113aaa45746372ed4cb2709e4333afe20d5c762ca89b79a3b907702d6e4472e3dd34d65ca7f6cc9fbdbb6f68d7fcd0c83fe748504666841

Download Submit
C:\Windows\SysWOW64\Jbhmdbnp.exe
Filesize
81KB

MD5
9b8500933033d7f7fbe530330789ee61

SHA1
8ceabc7df140a03ba863c859efa0abdca2779092

SHA256
7a12afc4a268ac7e04d2735c43ec5de08e8f2aeb835d5420f6b2122786a53f50

SHA512
517b8d99c49c8fc3d9accbd0f482fd72a60a5b0b6ae31e9bad1a6e8d8813ba1b39bd00f28864f71c93ebfed8734a0c8ff6c926d9ac09d90540913cf4f646f76c

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe
Filesize
81KB

MD5
59b059d91b5adb6b6a74c3b11bd52394

SHA1
6b8b59663fb77a46247d47911558f744ca4fdc37

SHA256
8619111ad44087fb0bbb91d8a0bc8d1843ead002abf75a24a18ba04a6b44bce0

SHA512
882453c7dc9dcf92fb053c32d60927a7e6b655e9f29570b146d96f0063d8c3f5b1563a077dcfe6a948b138dd6b7cdc651e151757c66e0c55719dc1bbadb92a67

Download Submit
C:\Windows\SysWOW64\Jbmfoa32.exe
Filesize
81KB

MD5
0dc343de62f263bc333c550415992b53

SHA1
6b1bafffbfa72c4b7a7e09cb7955e290569484eb

SHA256
614681eb4a7a20a1514c82f4eef2ccaa5f1210a065839faac901cfa21826069e

SHA512
7a44ef1c4951f0cad80c66b0db4292ce0ec159191631ca752b289acf1ecfd24567733e9bb64e965920eb2bcce889485acfe8b621a3cf0381f4d88261860e1234

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe
Filesize
81KB

MD5
4361ed792a73a0f8a8d93e38fa62725d

SHA1
44be6e1c02785bd5707176f94d9a11490b267355

SHA256
edde8f2a5e02336b59bd1329da1028705dcbbd4350ab43f8cfacb8c37869fae7

SHA512
3ab23b7812be57362084132d7da6f5d713b707b3d08335bd9d84763e188ef1dc696908ff741e2d560b4ac5ad2e055725a3f9ac160d0c5b1546cf03ea53572e1e

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe
Filesize
81KB

MD5
815ed77199df499838541e9add7afeab

SHA1
cd65faeb15050dbcabb5a4b32ca61f76fc4b3539

SHA256
d98d34ba81268355841df71a8f2e4473841e2a7081efd3a4fe8ba6879472c0d1

SHA512
aee4cf5b7bf70ed65c1a01bf129a017036ff3c9e9e07ebc5254c1db19d8b9e17c22d5d6f8008f41a519f4b6744512f38510f165d249e9bc5069d96559ced36c2

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe
Filesize
81KB

MD5
ccae67aeed8c7287040541cdd51488ca

SHA1
f2bd7417f8d99b1d07aaa9b5467b0a57a36d8ff3

SHA256
3af747617e9b5d99745ef5a9ce342a2d31531fb32d083363d0f8bf1259bc95e0

SHA512
f7ca22c832bd9adb7af02f60ef2177e62b4ce80afeda7473ff0a8a9e29f3d331db263626bb4fd44e82cec8993ad223d7f22a0d845e48ca3defd35f0654647719

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe
Filesize
81KB

MD5
5aa8766176f63b83939e617e66baf08c

SHA1
b5a7290bddde3936130306de81841e7227a4b373

SHA256
410d52a848829de047d76665a2ec074e6d11ceb81f5ced9642106434351251a4

SHA512
8bb23a3917566150198af73cb825c5784e9d91b00f9011284e315c5fff729cb4d1be90bdade33083d171398c94750dc03b3006a38048c3ff8aaf6e1c55f1e386

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe
Filesize
81KB

MD5
2b42d252c545667a917a480324bd0f2e

SHA1
299a2835b165cec9e791547f242c4e073b50d1c7

SHA256
9edc808a98214fd64bdb6e3d3dc41a7b86693bb30ae9f9a54465a353fd0aeb19

SHA512
1e48e6f84889579713def9d25cdfc25f8fe5d5406049184e27b69859efa7568f890bb650a44ce558f5e33815e7cb5ba5e056e6760415231a8b481371a9e5340a

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe
Filesize
81KB

MD5
80ac495d7273c22c0e66cb8a2209f7a1

SHA1
f54497c7fea635a336968af7cd171f3c3f54988d

SHA256
2cdb93a1d2cf8626df75bc0c4ed30c1307eb6611ff71fca28d375098154dbc28

SHA512
87e8451dc3650c5bd241f2f0be1260a77f2b30c7517b0a2d611514816a72651c1387620b84134887438f92104c5521553605c0935d2fe6d2963dd3057b724a9f

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe
Filesize
81KB

MD5
8a255d9c540c2b603e10180e5d6a65cc

SHA1
8d0f493d123b163a488f80b377777b91a958717b

SHA256
7bcd4d657c956a28106caa84cc598665b36200678aac476af68af77bf977d236

SHA512
c9599c21e23b210dc526be0ec5e3d147ea2fbca39b27fefe540c42a61d71c50e178b32edcb277f687fc70fafcf8829821f5cc1c9c4d4da8a42b81cc331a14f81

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe
Filesize
81KB

MD5
d63331392266a1271a4e76d70aa48d48

SHA1
f7eb776b45b5c499bbf6790b4d57584e89bf6b3d

SHA256
11e8cbdfd39746ea3b1be2442b91834f4b06218f78cee8d218a11efa68d2a86f

SHA512
7ad57dd14fc9e5b7eac3bfc9c8b492dffa9eadf7c5833c3a2c0d60af9ef900ea528f9646475feb95eda10cb89413a43dfbe2e819aa4a71e601c4351af9bf47b0

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe
Filesize
81KB

MD5
d1689f02ad92238b6367766b851f37ec

SHA1
58f78706a9353335bfc0bf3ee56d317221eded51

SHA256
8f0e4b02b4f9b09f37eb77eddb8c3d5f5cc14aad46e79cf6a028e13047d8c602

SHA512
2536abdb13d58b4f1a9256c101e3e5da581b4b0fd0bb94a542cf23b1cae09b1b9b47ec9d33bace3d457b9d292b322ad6a9ed430889d5d474f3e61883a2620c1f

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe
Filesize
81KB

MD5
062c0a1abccccd503af1ee52f307dabe

SHA1
30efa71e0310fd172e3dfedb32e5b364420c76bc

SHA256
0ca5eda7fbc34a9afe28f7ba66951e3419f33d1128b55d13604ce624eee00c3f

SHA512
42b7c0459ec8c20aba011f6c81b019f0da8499e6d26c74a28c825c98db6c1b89dcb31ecd47564d40e855c13eba26caaac6e2a8a2b2edabcc7924799edc816f35

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe
Filesize
81KB

MD5
9832dece592eed8f2fa1cd48b3523701

SHA1
b9467c1c88dd532ec8f21f3d24f0cbbd9cb79a9e

SHA256
e1ccb15872d48b99149312c9171bad470c7680401dcd623525deba48c3961196

SHA512
28cb488c9a14573a3c9a5e0e35b059170202e176426b9f012b20d7b683386d6b38faca1092f2306922f846e1290523a42e188ac08de0c9b447e2aa0bd201a734

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe
Filesize
81KB

MD5
a12949d533d73f216b3427323d0992d6

SHA1
51a351b90814cd751f3382c72cf35a0fd4065707

SHA256
ae7e4e27eb434c9397c8a0d0b5c6e2d9c147dc171b62c951648f4976b949d858

SHA512
702ce02dca7bb3f4de3ae6cd1e0aba37f3fa67f942abc2cc0c592e22c9360294d820c343b6e1505737e5285d3cfa303193b48512dad32790b314d9fde35f1d46

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe
Filesize
81KB

MD5
51015fb51fb82ebd8c1a56f3be472ce7

SHA1
40b609f2127e469dab659479798117b15ff5f74f

SHA256
7ae692cc5533559704e2eb7101d500e892c92f521b8d9d421820d5de6209da33

SHA512
c07839393f8545c57c351dcf1f192f377bc6c7f46fffeceab19edfed73f8ecfee2375ed83572d94cef01a5ca00dd56e2539f1729e5eccfdc4039522446ed1d28

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe
Filesize
81KB

MD5
b493dfc8049d4db5678c6292541e85a9

SHA1
9f3557c95363d161601d44249be8a95bc80521f0

SHA256
654d5b75658867dba83ce34a25a608f2a0ca7b75bf58536b55010e3b026e6522

SHA512
5bd550c4dbefeed2f951c61b94c5bc69d2c771a39beeea96228e5fa3c19fe1256eeb8066ce49c19341c49cf1a317aa8b05493fd1b21041719773210d11f0c9d4

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe
Filesize
81KB

MD5
fde5d948092c18ae9ec27cbebb1712da

SHA1
29c438b476c5987e7a065fb0235da12e60e38874

SHA256
f3d2deef340db5819918b4a15f7812d9aaae5c5f14de9a9949e1f7bbc9c9d850

SHA512
ed24ee1948f555498bc662c0b8c26e97b901f23443c4c184b00792fd44ef787a77e317faeebf21fa4624dc10203392aa679487fcf5ca527dce7fadff679bcf0b

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe
Filesize
81KB

MD5
7eee329f6957b7de9df162b162dd0e5e

SHA1
4597fbbb12224d11d25d3b81b8a3fc7ad2655731

SHA256
ea39bc41696035f592d022c5513350164d215f4a87865b5d170163abe8458c2c

SHA512
58416ebd0629e75df0b79c0c68c4e77535bb1d2e1e049aea9d9502955a51490ecb6ce384cfe065e2a92a1353dde446e276e98482e63e2233b1a2f61afc97b34d

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe
Filesize
81KB

MD5
7715e002ba80fa4ffde63311bb766f04

SHA1
908c4481702857b78707197dfa32d3729481f2f7

SHA256
87a77a3780b7020f4cce04fcca74c2d81e7f72ee593a7ad8fcdd701dcd55da6e

SHA512
9fd304aefc01700633820d09c7c3560be479b48f4d7d82f51501120e0911a53960bbdccde0db76dd973a6b546f4169a4b5969025dbd68d6ac1052ae82f7a2e43

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe
Filesize
81KB

MD5
021c8c74a0e3c29f9e673e070edb4215

SHA1
85586533d9ab12d49748dea48b756f1cc6fce138

SHA256
1c2dacf87fa7b2eeee7a38a743233e8139d56b57b666cbe12507c63706d1d2ac

SHA512
0ada3d2c721fe7ea5c450f16d5e9446d03551614433f1587291a7e908a3d29dc543bc7d1536d798d19a6da5b04a6ad5c5d0892ba1da1ed7ad616ff0b6444d66e

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe
Filesize
81KB

MD5
684949d985f492a9e7eb53a71e3e3b0c

SHA1
0fc4c04a982d9ebfae03b0db1f1dc9a208c08c10

SHA256
2515f48cc68d6888f73ea33ca569662b2f270a44da4874800a4eca302c4f8c14

SHA512
95d2b23adf591be9c711acff73395dd6aab7cd976033da26de4be92b6d9e3710f488dec635b1a751b4b43c3b21a57a37f0d54afd773a51a8e4ba4f9efc034712

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe
Filesize
81KB

MD5
9b3ae6b9e6093bceaa860219df236218

SHA1
18b894653a65a3ab6a39187f1eea04c93a81c15d

SHA256
c71a92722552a9e216aeae5ef02f167131e7a9041901e36f8b4c9b25aee48111

SHA512
f1a2bf9c1e545209fea2554d284686a8fb0c31d7e83113f0d1f2980b40737601b06160c2f2aabda66074d7da086c3d37c48d2334a2377e9c4d05a3e8410750b8

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe
Filesize
81KB

MD5
c2674dc4d4f2d48660ca7a696dec8bae

SHA1
9164dd660c4d1e7d3c268155f3fa0d59338365e2

SHA256
c5ddaa92eea904de23133ff13102737ada3561a3996b775c193ab980e9f9ea04

SHA512
fd59f78d4041e16dc4973725de2035af46f3a0daa7c0c7af625c517d1bf73b4fdd8659735c3dda67b233c2d4c8883ca9f6ebb30ebf74bd2ea4a2be9e70ec27ac

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe
Filesize
81KB

MD5
0d86a056e9334bdee36c1b01fdc9ded4

SHA1
d75ac6d393b6b547f77eebd7292b48782bf89fdc

SHA256
64d17eeb0f0f46bfc880c100125eac1a75319b57ae8074f68f29852ef023e725

SHA512
9190f244869ec988ab558c69f659ce67af4dec69f4befe0b6d75ef774733548301c3c211c41a51a707c8ba6775cb19df367fa07fa1430ad874035bbc9575c428

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe
Filesize
81KB

MD5
50e8af5cd1475ed60c7700f2626261fb

SHA1
f6c4bf27112e3d718546c50ff75c366441828490

SHA256
ea0a1be75992d131fb9afdf59528c7da14acfea0fc0edf8d156325eaedb69a6c

SHA512
097b973e6c19c2524f93d5659afeb0f2a36f978904e1b67640b958a54949bd15d4e7876287e707b8a9f895c1aa5ab5fa278623de1e25670d972202afa28f5197

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe
Filesize
81KB

MD5
986239d8d774bcf0f6b9a720a7fa23d6

SHA1
9a6b814ff0d6fa17b5db55ec76b38a212aab9133

SHA256
22098afba6166d2169b75dbdfddb2b1550f78098921c7325fc0f8344b72f2177

SHA512
2959f20575e25ff4c45055f6360545f36234dd38b339dc0b8decd2d0f5d8f50093544c72ca31591180b287aa540e74026f65dcdaadca276fcbcfdce1c6617c01

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe
Filesize
81KB

MD5
450576c37198bccdffa9f1c09248406e

SHA1
da58ca38160537cdf87fefa14202cdea5e144535

SHA256
d5b0b51c1d6ee6cb0f77884ca936cd289814529e51b1e9b1662593486d8a7be2

SHA512
65720db46391fa0ecd999fc32cb718154fd702df2df470bb5f9c1e5e3312c299dcd06ce6d11dda3c1248bd59096c04b7b6b605b4c96ce9651ee8b65e992b03b9

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe
Filesize
81KB

MD5
36bebb75a580375bbcb2a14a4490ce64

SHA1
582bd9a6cc28de111370a8ff372d62862f6f12ff

SHA256
c883e2f12e3570653095a8c144b15d5744f4fd877a17ac337f92ec149a285e31

SHA512
ca3a5b8964a8ef9941c588ae398470fab2a8621696eafb6a906d3786a0b9544519ee75c4fbfc0349c12aaf50a3a1e0ab78b2d57a67d905d6ef8bde3e8eddfd5f

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe
Filesize
81KB

MD5
41e4962478d758d03476fb237af9c889

SHA1
c0119fd49895f16849bee8e5b5a4377df0dca1ec

SHA256
b758404810cf42d80f7e9e268d094cce07e76d2497311a9a6e2bccaa6badc582

SHA512
d8ccb6ebbbdc20d8471ad87e6369f6680aa33b88b7dba5134a81834e872fb6911ee69c6e3a56c61da332b33d5a62ed9b2c5b02ecf4cec4075dd07e22ceb7686c

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe
Filesize
81KB

MD5
3a2d11bb788c99e414b8206647696dfa

SHA1
0266e3fa971ed95501a93f376a7010f063bd5f6a

SHA256
68a5fc90921b389ec45cb5376b7856d97ceae9cab77a351db549ebf9c17539fe

SHA512
f80512e6998b82dbca02fcb5ec2187f02a134beafc4d8fbae78cbccab48e28007fbdc055b1c5d70a19c51eb264d74bbeddb3fd80381c7143c882e8aa87d101f1

Download Submit
memory/220-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/220-527-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/388-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/428-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/712-432-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/756-181-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1012-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1064-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1076-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1096-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1116-291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1160-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1260-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1340-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1388-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-375-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1552-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1612-525-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1768-577-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1768-534-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1796-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1948-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2044-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2080-221-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2200-557-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2296-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2436-569-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2436-567-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2520-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2524-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2664-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2684-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2884-575-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2884-540-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2924-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3052-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3052-645-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3116-141-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3184-495-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3196-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3344-447-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3372-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3372-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3636-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3636-560-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3656-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3700-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3844-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3904-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4176-409-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4216-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4356-309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4416-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4428-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4544-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4556-85-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4684-273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4852-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-533-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4912-507-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4912-585-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4972-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5024-556-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5024-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5060-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5072-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5112-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5192-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5204-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5324-58-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5372-459-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5376-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5384-429-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5420-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5432-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5440-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5504-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5512-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5540-515-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5540-582-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5592-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5596-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5644-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5652-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5732-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5920-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5920-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5940-126-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5952-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5956-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6024-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6100-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6104-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download