14f6defdfab37ab8afbd5b3a207192a9b774e43b16e2b0218da8cfdaf2f99cb5

Analysis

max time kernel
140s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47eb5b739c9b584985b337387da194e0_NeikiAnalytics.exe
Size

448KB
MD5

47eb5b739c9b584985b337387da194e0
SHA1

0d8c355c5b04c5a82ae4dedec4e246fd95a95013
SHA256

14f6defdfab37ab8afbd5b3a207192a9b774e43b16e2b0218da8cfdaf2f99cb5
SHA512

d0dc476d834770ebe26a11840745610d84056950dd54508e67157ff9a96953a70e8fdd3330b780450504f3380d21921d8a2f8573074517de9f2e9a01d8d2b947
SSDEEP

12288:dHoYa/mwpV6yYPMLnfBJKFbhDwBpV6yYP6Utri+Woh3YRVDDf1LcXD3v+2JFrfzj:RNsHWMLnfBJKhVwBW6Utri+WoxYRVDrs

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Jjmhppqd.exeJmbklj32.exeJpaghf32.exeKgdbkohf.exeIikopmkd.exeJaedgjjd.exeJbocea32.exeKgfoan32.exeLcbiao32.exeIdacmfkj.exeKaqcbi32.exeLmccchkn.exeLgkhlnbn.exeLijdhiaa.exeJmkdlkph.exeKgbefoji.exeLiggbi32.exeNgpjnkpf.exeJiikak32.exeKaemnhla.exeKajfig32.exeNcihikcg.exeKkkdan32.exeKacphh32.exeLalcng32.exeLcdegnep.exeIfmcdblq.exeJpjqhgol.exeJdmcidam.exeLpappc32.exeNdidbn32.exeIjkljp32.exeNggqoj32.exeJbfpobpb.exeKkihknfg.exeKinemkko.exeKagichjo.exeKckbqpnj.exeLdohebqh.exeIjfboafl.exeKbdmpqcb.exeNjcpee32.exeJdjfcecp.exeJjpeepnb.exeJdhine32.exeKcifkp32.exeKmnjhioc.exeLaciofpa.exeNkncdifl.exeKdhbec32.exeJbmfoa32.exeJdcpcf32.exeJaimbj32.exeJfffjqdf.exeKilhgk32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe

Malware Dropper & Backdoor - Berbew 33 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\Windows\SysWOW64\Ibojncfj.exe	family_berbew
C:\Windows\SysWOW64\Ijfboafl.exe	family_berbew
C:\Windows\SysWOW64\Iapjlk32.exe	family_berbew
C:\Windows\SysWOW64\Idofhfmm.exe	family_berbew
C:\Windows\SysWOW64\Iikopmkd.exe	family_berbew
C:\Windows\SysWOW64\Jdcpcf32.exe	family_berbew
C:\Windows\SysWOW64\Jjmhppqd.exe	family_berbew
C:\Windows\SysWOW64\Jdhine32.exe	family_berbew
C:\Windows\SysWOW64\Jangmibi.exe	family_berbew
C:\Windows\SysWOW64\Jmbklj32.exe	family_berbew
C:\Windows\SysWOW64\Jfhbppbc.exe	family_berbew
C:\Windows\SysWOW64\Jbmfoa32.exe	family_berbew
C:\Windows\SysWOW64\Jdjfcecp.exe	family_berbew
C:\Windows\SysWOW64\Jaljgidl.exe	family_berbew
C:\Windows\SysWOW64\Jmpngk32.exe	family_berbew
C:\Windows\SysWOW64\Jjbako32.exe	family_berbew
C:\Windows\SysWOW64\Jfffjqdf.exe	family_berbew
C:\Windows\SysWOW64\Jaimbj32.exe	family_berbew
C:\Windows\SysWOW64\Jibeql32.exe	family_berbew
C:\Windows\SysWOW64\Jjpeepnb.exe	family_berbew
C:\Windows\SysWOW64\Jpjqhgol.exe	family_berbew
C:\Windows\SysWOW64\Jmkdlkph.exe	family_berbew
C:\Windows\SysWOW64\Jbfpobpb.exe	family_berbew
C:\Windows\SysWOW64\Jaedgjjd.exe	family_berbew
C:\Windows\SysWOW64\Iinlemia.exe	family_berbew
C:\Windows\SysWOW64\Ijkljp32.exe	family_berbew
C:\Windows\SysWOW64\Ifopiajn.exe	family_berbew
C:\Windows\SysWOW64\Idacmfkj.exe	family_berbew
C:\Windows\SysWOW64\Ipegmg32.exe	family_berbew
C:\Windows\SysWOW64\Imgkql32.exe	family_berbew
C:\Windows\SysWOW64\Ifmcdblq.exe	family_berbew
C:\Windows\SysWOW64\Imdnklfp.exe	family_berbew
C:\Windows\SysWOW64\Njcpee32.exe	family_berbew

Executes dropped EXE 64 IoCs

Processes:

Ibojncfj.exeIjfboafl.exeImdnklfp.exeIapjlk32.exeIdofhfmm.exeIfmcdblq.exeIikopmkd.exeImgkql32.exeIpegmg32.exeIdacmfkj.exeIfopiajn.exeIjkljp32.exeIinlemia.exeJaedgjjd.exeJdcpcf32.exeJbfpobpb.exeJjmhppqd.exeJmkdlkph.exeJpjqhgol.exeJjpeepnb.exeJibeql32.exeJaimbj32.exeJdhine32.exeJfffjqdf.exeJjbako32.exeJmpngk32.exeJaljgidl.exeJdjfcecp.exeJbmfoa32.exeJfhbppbc.exeJmbklj32.exeJangmibi.exeJpaghf32.exeJdmcidam.exeJbocea32.exeJkfkfohj.exeJiikak32.exeKaqcbi32.exeKpccnefa.exeKdopod32.exeKgmlkp32.exeKkihknfg.exeKilhgk32.exeKacphh32.exeKpepcedo.exeKdaldd32.exeKbdmpqcb.exeKkkdan32.exeKinemkko.exeKaemnhla.exeKphmie32.exeKbfiep32.exeKgbefoji.exeKipabjil.exeKagichjo.exeKpjjod32.exeKcifkp32.exeKgdbkohf.exeKkpnlm32.exeKmnjhioc.exeKajfig32.exeKdhbec32.exeKckbqpnj.exeKgfoan32.exe

pid	process
1504	Ibojncfj.exe
4912	Ijfboafl.exe
3940	Imdnklfp.exe
3228	Iapjlk32.exe
1396	Idofhfmm.exe
3712	Ifmcdblq.exe
4068	Iikopmkd.exe
3572	Imgkql32.exe
1420	Ipegmg32.exe
4744	Idacmfkj.exe
4392	Ifopiajn.exe
3376	Ijkljp32.exe
2380	Iinlemia.exe
5028	Jaedgjjd.exe
464	Jdcpcf32.exe
4840	Jbfpobpb.exe
2140	Jjmhppqd.exe
848	Jmkdlkph.exe
4412	Jpjqhgol.exe
2092	Jjpeepnb.exe
2676	Jibeql32.exe
2828	Jaimbj32.exe
4836	Jdhine32.exe
4556	Jfffjqdf.exe
1548	Jjbako32.exe
1440	Jmpngk32.exe
4472	Jaljgidl.exe
868	Jdjfcecp.exe
3152	Jbmfoa32.exe
3972	Jfhbppbc.exe
2288	Jmbklj32.exe
788	Jangmibi.exe
4996	Jpaghf32.exe
1784	Jdmcidam.exe
5064	Jbocea32.exe
552	Jkfkfohj.exe
232	Jiikak32.exe
1940	Kaqcbi32.exe
4192	Kpccnefa.exe
936	Kdopod32.exe
4464	Kgmlkp32.exe
516	Kkihknfg.exe
5048	Kilhgk32.exe
1636	Kacphh32.exe
4252	Kpepcedo.exe
3008	Kdaldd32.exe
1172	Kbdmpqcb.exe
1556	Kkkdan32.exe
1100	Kinemkko.exe
1788	Kaemnhla.exe
2536	Kphmie32.exe
3772	Kbfiep32.exe
4612	Kgbefoji.exe
792	Kipabjil.exe
1036	Kagichjo.exe
3104	Kpjjod32.exe
3844	Kcifkp32.exe
5004	Kgdbkohf.exe
2480	Kkpnlm32.exe
3468	Kmnjhioc.exe
4588	Kajfig32.exe
3736	Kdhbec32.exe
3524	Kckbqpnj.exe
2672	Kgfoan32.exe

Drops file in System32 directory 64 IoCs

Processes:

Ijfboafl.exeJbfpobpb.exeKaemnhla.exeKbfiep32.exeLpappc32.exeLdohebqh.exeJkfkfohj.exeJiikak32.exeLgikfn32.exeLcbiao32.exeNjogjfoj.exeIikopmkd.exeJfffjqdf.exeKbdmpqcb.exeLpocjdld.exeLijdhiaa.exeNgpjnkpf.exeNggqoj32.exe47eb5b739c9b584985b337387da194e0_NeikiAnalytics.exeIfmcdblq.exeLmqgnhmp.exeNcihikcg.exeKgbefoji.exeKpjjod32.exeKgfoan32.exeIjkljp32.exeKmnjhioc.exeLgkhlnbn.exeKaqcbi32.exeKipabjil.exeKckbqpnj.exeJaedgjjd.exeJbmfoa32.exeJpjqhgol.exeJdjfcecp.exeLalcng32.exeKagichjo.exeKkpnlm32.exeNdidbn32.exeImgkql32.exeJmbklj32.exeIdacmfkj.exeJibeql32.exeKkkdan32.exeJdmcidam.exeKcifkp32.exeJpaghf32.exeKajfig32.exeNafokcol.exeIapjlk32.exeJaimbj32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Imdnklfp.exe	Ijfboafl.exe
File opened for modification	C:\Windows\SysWOW64\Jjmhppqd.exe	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Lpappc32.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Hjobcj32.dll	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Jflepa32.dll	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Kaqcbi32.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Imgkql32.exe	Iikopmkd.exe
File opened for modification	C:\Windows\SysWOW64\Jjbako32.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Kkkdan32.exe	Kbdmpqcb.exe
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Ibojncfj.exe	47eb5b739c9b584985b337387da194e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Lihoogdd.dll	Ifmcdblq.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Iinlemia.exe	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Kpccnefa.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Kgfoan32.exe	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Jdcpcf32.exe	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Jfhbppbc.exe	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Iikopmkd.exe	Ifmcdblq.exe
File created	C:\Windows\SysWOW64\Jjpeepnb.exe	Jpjqhgol.exe
File opened for modification	C:\Windows\SysWOW64\Jbmfoa32.exe	Jdjfcecp.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jbmfoa32.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Kflflhfg.dll	Imgkql32.exe
File opened for modification	C:\Windows\SysWOW64\Jangmibi.exe	Jmbklj32.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Ipmack32.dll	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Jjmhppqd.exe	Jbfpobpb.exe
File opened for modification	C:\Windows\SysWOW64\Jaimbj32.exe	Jibeql32.exe
File opened for modification	C:\Windows\SysWOW64\Kinemkko.exe	Kkkdan32.exe
File opened for modification	C:\Windows\SysWOW64\Jbocea32.exe	Jdmcidam.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Ecppdbpl.dll	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Kgfoan32.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Idofhfmm.exe	Iapjlk32.exe
File opened for modification	C:\Windows\SysWOW64\Jdhine32.exe	Jaimbj32.exe
File opened for modification	C:\Windows\SysWOW64\Jiikak32.exe	Jkfkfohj.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4796 5024 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
4796	5024	WerFault.exe	Nkcmohbg.exe

Modifies registry class 64 IoCs

Processes:

Ldmlpbbj.exe47eb5b739c9b584985b337387da194e0_NeikiAnalytics.exeJdcpcf32.exeJkfkfohj.exeKajfig32.exeLkgdml32.exeNcihikcg.exeNdidbn32.exeJdmcidam.exeKdopod32.exeLpocjdld.exeLgkhlnbn.exeNnmopdep.exeJmbklj32.exeKilhgk32.exeJmkdlkph.exeNkncdifl.exeIdacmfkj.exeJdhine32.exeIinlemia.exeLgikfn32.exeIfmcdblq.exeJibeql32.exeJjmhppqd.exeKkpnlm32.exeLcmofolg.exeLdohebqh.exeImgkql32.exeKinemkko.exeKagichjo.exeKmnjhioc.exeKdhbec32.exeNjogjfoj.exeIdofhfmm.exeJdjfcecp.exeKpepcedo.exeLcbiao32.exeNafokcol.exeIpegmg32.exeJaljgidl.exeIapjlk32.exeJjbako32.exeKgbefoji.exeLkiqbl32.exeIbojncfj.exeJmpngk32.exeKacphh32.exeKcifkp32.exeLmqgnhmp.exeLijdhiaa.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojkiimn.dll"	47eb5b739c9b584985b337387da194e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	47eb5b739c9b584985b337387da194e0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipmack32.dll"	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbledndp.dll"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcod32.dll"	Jibeql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kflflhfg.dll"	Imgkql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncoccha.dll"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddbig32.dll"	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmklllo.dll"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	47eb5b739c9b584985b337387da194e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekdppan.dll"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lijdhiaa.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

47eb5b739c9b584985b337387da194e0_NeikiAnalytics.exeIbojncfj.exeIjfboafl.exeImdnklfp.exeIapjlk32.exeIdofhfmm.exeIfmcdblq.exeIikopmkd.exeImgkql32.exeIpegmg32.exeIdacmfkj.exeIfopiajn.exeIjkljp32.exeIinlemia.exeJaedgjjd.exeJdcpcf32.exeJbfpobpb.exeJjmhppqd.exeJmkdlkph.exeJpjqhgol.exeJjpeepnb.exeJibeql32.exe

description	pid	process	target process
PID 4904 wrote to memory of 1504	4904	47eb5b739c9b584985b337387da194e0_NeikiAnalytics.exe	Ibojncfj.exe
PID 4904 wrote to memory of 1504	4904	47eb5b739c9b584985b337387da194e0_NeikiAnalytics.exe	Ibojncfj.exe
PID 4904 wrote to memory of 1504	4904	47eb5b739c9b584985b337387da194e0_NeikiAnalytics.exe	Ibojncfj.exe
PID 1504 wrote to memory of 4912	1504	Ibojncfj.exe	Ijfboafl.exe
PID 1504 wrote to memory of 4912	1504	Ibojncfj.exe	Ijfboafl.exe
PID 1504 wrote to memory of 4912	1504	Ibojncfj.exe	Ijfboafl.exe
PID 4912 wrote to memory of 3940	4912	Ijfboafl.exe	Imdnklfp.exe
PID 4912 wrote to memory of 3940	4912	Ijfboafl.exe	Imdnklfp.exe
PID 4912 wrote to memory of 3940	4912	Ijfboafl.exe	Imdnklfp.exe
PID 3940 wrote to memory of 3228	3940	Imdnklfp.exe	Iapjlk32.exe
PID 3940 wrote to memory of 3228	3940	Imdnklfp.exe	Iapjlk32.exe
PID 3940 wrote to memory of 3228	3940	Imdnklfp.exe	Iapjlk32.exe
PID 3228 wrote to memory of 1396	3228	Iapjlk32.exe	Idofhfmm.exe
PID 3228 wrote to memory of 1396	3228	Iapjlk32.exe	Idofhfmm.exe
PID 3228 wrote to memory of 1396	3228	Iapjlk32.exe	Idofhfmm.exe
PID 1396 wrote to memory of 3712	1396	Idofhfmm.exe	Ifmcdblq.exe
PID 1396 wrote to memory of 3712	1396	Idofhfmm.exe	Ifmcdblq.exe
PID 1396 wrote to memory of 3712	1396	Idofhfmm.exe	Ifmcdblq.exe
PID 3712 wrote to memory of 4068	3712	Ifmcdblq.exe	Iikopmkd.exe
PID 3712 wrote to memory of 4068	3712	Ifmcdblq.exe	Iikopmkd.exe
PID 3712 wrote to memory of 4068	3712	Ifmcdblq.exe	Iikopmkd.exe
PID 4068 wrote to memory of 3572	4068	Iikopmkd.exe	Imgkql32.exe
PID 4068 wrote to memory of 3572	4068	Iikopmkd.exe	Imgkql32.exe
PID 4068 wrote to memory of 3572	4068	Iikopmkd.exe	Imgkql32.exe
PID 3572 wrote to memory of 1420	3572	Imgkql32.exe	Ipegmg32.exe
PID 3572 wrote to memory of 1420	3572	Imgkql32.exe	Ipegmg32.exe
PID 3572 wrote to memory of 1420	3572	Imgkql32.exe	Ipegmg32.exe
PID 1420 wrote to memory of 4744	1420	Ipegmg32.exe	Idacmfkj.exe
PID 1420 wrote to memory of 4744	1420	Ipegmg32.exe	Idacmfkj.exe
PID 1420 wrote to memory of 4744	1420	Ipegmg32.exe	Idacmfkj.exe
PID 4744 wrote to memory of 4392	4744	Idacmfkj.exe	Ifopiajn.exe
PID 4744 wrote to memory of 4392	4744	Idacmfkj.exe	Ifopiajn.exe
PID 4744 wrote to memory of 4392	4744	Idacmfkj.exe	Ifopiajn.exe
PID 4392 wrote to memory of 3376	4392	Ifopiajn.exe	Ijkljp32.exe
PID 4392 wrote to memory of 3376	4392	Ifopiajn.exe	Ijkljp32.exe
PID 4392 wrote to memory of 3376	4392	Ifopiajn.exe	Ijkljp32.exe
PID 3376 wrote to memory of 2380	3376	Ijkljp32.exe	Iinlemia.exe
PID 3376 wrote to memory of 2380	3376	Ijkljp32.exe	Iinlemia.exe
PID 3376 wrote to memory of 2380	3376	Ijkljp32.exe	Iinlemia.exe
PID 2380 wrote to memory of 5028	2380	Iinlemia.exe	Jaedgjjd.exe
PID 2380 wrote to memory of 5028	2380	Iinlemia.exe	Jaedgjjd.exe
PID 2380 wrote to memory of 5028	2380	Iinlemia.exe	Jaedgjjd.exe
PID 5028 wrote to memory of 464	5028	Jaedgjjd.exe	Jdcpcf32.exe
PID 5028 wrote to memory of 464	5028	Jaedgjjd.exe	Jdcpcf32.exe
PID 5028 wrote to memory of 464	5028	Jaedgjjd.exe	Jdcpcf32.exe
PID 464 wrote to memory of 4840	464	Jdcpcf32.exe	Jbfpobpb.exe
PID 464 wrote to memory of 4840	464	Jdcpcf32.exe	Jbfpobpb.exe
PID 464 wrote to memory of 4840	464	Jdcpcf32.exe	Jbfpobpb.exe
PID 4840 wrote to memory of 2140	4840	Jbfpobpb.exe	Jjmhppqd.exe
PID 4840 wrote to memory of 2140	4840	Jbfpobpb.exe	Jjmhppqd.exe
PID 4840 wrote to memory of 2140	4840	Jbfpobpb.exe	Jjmhppqd.exe
PID 2140 wrote to memory of 848	2140	Jjmhppqd.exe	Jmkdlkph.exe
PID 2140 wrote to memory of 848	2140	Jjmhppqd.exe	Jmkdlkph.exe
PID 2140 wrote to memory of 848	2140	Jjmhppqd.exe	Jmkdlkph.exe
PID 848 wrote to memory of 4412	848	Jmkdlkph.exe	Jpjqhgol.exe
PID 848 wrote to memory of 4412	848	Jmkdlkph.exe	Jpjqhgol.exe
PID 848 wrote to memory of 4412	848	Jmkdlkph.exe	Jpjqhgol.exe
PID 4412 wrote to memory of 2092	4412	Jpjqhgol.exe	Jjpeepnb.exe
PID 4412 wrote to memory of 2092	4412	Jpjqhgol.exe	Jjpeepnb.exe
PID 4412 wrote to memory of 2092	4412	Jpjqhgol.exe	Jjpeepnb.exe
PID 2092 wrote to memory of 2676	2092	Jjpeepnb.exe	Jibeql32.exe
PID 2092 wrote to memory of 2676	2092	Jjpeepnb.exe	Jibeql32.exe
PID 2092 wrote to memory of 2676	2092	Jjpeepnb.exe	Jibeql32.exe
PID 2676 wrote to memory of 2828	2676	Jibeql32.exe	Jaimbj32.exe

C:\Users\Admin\AppData\Local\Temp\47eb5b739c9b584985b337387da194e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\47eb5b739c9b584985b337387da194e0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4904

C:\Windows\SysWOW64\Ibojncfj.exe
C:\Windows\system32\Ibojncfj.exe
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\Ijfboafl.exe
C:\Windows\system32\Ijfboafl.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4912

C:\Windows\SysWOW64\Imdnklfp.exe
C:\Windows\system32\Imdnklfp.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940

C:\Windows\SysWOW64\Iapjlk32.exe
C:\Windows\system32\Iapjlk32.exe
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3228

C:\Windows\SysWOW64\Idofhfmm.exe
C:\Windows\system32\Idofhfmm.exe
6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\SysWOW64\Ifmcdblq.exe
C:\Windows\system32\Ifmcdblq.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3712

C:\Windows\SysWOW64\Iikopmkd.exe
C:\Windows\system32\Iikopmkd.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\SysWOW64\Imgkql32.exe
C:\Windows\system32\Imgkql32.exe
9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3572

C:\Windows\SysWOW64\Ipegmg32.exe
C:\Windows\system32\Ipegmg32.exe
10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\SysWOW64\Idacmfkj.exe
C:\Windows\system32\Idacmfkj.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4744

C:\Windows\SysWOW64\Ifopiajn.exe
C:\Windows\system32\Ifopiajn.exe
12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4392

C:\Windows\SysWOW64\Ijkljp32.exe
C:\Windows\system32\Ijkljp32.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3376

C:\Windows\SysWOW64\Iinlemia.exe
C:\Windows\system32\Iinlemia.exe
14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2380

C:\Windows\SysWOW64\Jaedgjjd.exe
C:\Windows\system32\Jaedgjjd.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\SysWOW64\Jdcpcf32.exe
C:\Windows\system32\Jdcpcf32.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:464

C:\Windows\SysWOW64\Jbfpobpb.exe
C:\Windows\system32\Jbfpobpb.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4840

C:\Windows\SysWOW64\Jjmhppqd.exe
C:\Windows\system32\Jjmhppqd.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2140

C:\Windows\SysWOW64\Jmkdlkph.exe
C:\Windows\system32\Jmkdlkph.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\SysWOW64\Jpjqhgol.exe
C:\Windows\system32\Jpjqhgol.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4412

C:\Windows\SysWOW64\Jjpeepnb.exe
C:\Windows\system32\Jjpeepnb.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092

C:\Windows\SysWOW64\Jibeql32.exe
C:\Windows\system32\Jibeql32.exe
22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\SysWOW64\Jaimbj32.exe
C:\Windows\system32\Jaimbj32.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2828

C:\Windows\SysWOW64\Jdhine32.exe
C:\Windows\system32\Jdhine32.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4836

C:\Windows\SysWOW64\Jfffjqdf.exe
C:\Windows\system32\Jfffjqdf.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4556

C:\Windows\SysWOW64\Jjbako32.exe
C:\Windows\system32\Jjbako32.exe
26⤵
- Executes dropped EXE
- Modifies registry class
PID:1548

C:\Windows\SysWOW64\Jmpngk32.exe
C:\Windows\system32\Jmpngk32.exe
27⤵
- Executes dropped EXE
- Modifies registry class
PID:1440

C:\Windows\SysWOW64\Jaljgidl.exe
C:\Windows\system32\Jaljgidl.exe
28⤵
- Executes dropped EXE
- Modifies registry class
PID:4472

C:\Windows\SysWOW64\Jdjfcecp.exe
C:\Windows\system32\Jdjfcecp.exe
29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:868

C:\Windows\SysWOW64\Jbmfoa32.exe
C:\Windows\system32\Jbmfoa32.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3152

C:\Windows\SysWOW64\Jfhbppbc.exe
C:\Windows\system32\Jfhbppbc.exe
31⤵
- Executes dropped EXE
PID:3972

C:\Windows\SysWOW64\Jmbklj32.exe
C:\Windows\system32\Jmbklj32.exe
32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2288

C:\Windows\SysWOW64\Jangmibi.exe
C:\Windows\system32\Jangmibi.exe
33⤵
- Executes dropped EXE
PID:788

C:\Windows\SysWOW64\Jpaghf32.exe
C:\Windows\system32\Jpaghf32.exe
34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4996

C:\Windows\SysWOW64\Jdmcidam.exe
C:\Windows\system32\Jdmcidam.exe
35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1784

C:\Windows\SysWOW64\Jbocea32.exe
C:\Windows\system32\Jbocea32.exe
36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5064

C:\Windows\SysWOW64\Jkfkfohj.exe
C:\Windows\system32\Jkfkfohj.exe
37⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:552

C:\Windows\SysWOW64\Jiikak32.exe
C:\Windows\system32\Jiikak32.exe
38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:232

C:\Windows\SysWOW64\Kaqcbi32.exe
C:\Windows\system32\Kaqcbi32.exe
39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1940

C:\Windows\SysWOW64\Kpccnefa.exe
C:\Windows\system32\Kpccnefa.exe
40⤵
- Executes dropped EXE
PID:4192

C:\Windows\SysWOW64\Kdopod32.exe
C:\Windows\system32\Kdopod32.exe
41⤵
- Executes dropped EXE
- Modifies registry class
PID:936

C:\Windows\SysWOW64\Kgmlkp32.exe
C:\Windows\system32\Kgmlkp32.exe
42⤵
- Executes dropped EXE
PID:4464

C:\Windows\SysWOW64\Kkihknfg.exe
C:\Windows\system32\Kkihknfg.exe
43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:516

C:\Windows\SysWOW64\Kilhgk32.exe
C:\Windows\system32\Kilhgk32.exe
44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:5048

C:\Windows\SysWOW64\Kacphh32.exe
C:\Windows\system32\Kacphh32.exe
45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1636

C:\Windows\SysWOW64\Kpepcedo.exe
C:\Windows\system32\Kpepcedo.exe
46⤵
- Executes dropped EXE
- Modifies registry class
PID:4252

C:\Windows\SysWOW64\Kdaldd32.exe
C:\Windows\system32\Kdaldd32.exe
47⤵
- Executes dropped EXE
PID:3008

C:\Windows\SysWOW64\Kbdmpqcb.exe
C:\Windows\system32\Kbdmpqcb.exe
48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1172

C:\Windows\SysWOW64\Kkkdan32.exe
C:\Windows\system32\Kkkdan32.exe
49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1556

C:\Windows\SysWOW64\Kinemkko.exe
C:\Windows\system32\Kinemkko.exe
50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1100

C:\Windows\SysWOW64\Kaemnhla.exe
C:\Windows\system32\Kaemnhla.exe
51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1788

C:\Windows\SysWOW64\Kphmie32.exe
C:\Windows\system32\Kphmie32.exe
52⤵
- Executes dropped EXE
PID:2536

C:\Windows\SysWOW64\Kbfiep32.exe
C:\Windows\system32\Kbfiep32.exe
53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3772

C:\Windows\SysWOW64\Kgbefoji.exe
C:\Windows\system32\Kgbefoji.exe
54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4612

C:\Windows\SysWOW64\Kipabjil.exe
C:\Windows\system32\Kipabjil.exe
55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:792

C:\Windows\SysWOW64\Kagichjo.exe
C:\Windows\system32\Kagichjo.exe
56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1036

C:\Windows\SysWOW64\Kpjjod32.exe
C:\Windows\system32\Kpjjod32.exe
57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3104

C:\Windows\SysWOW64\Kcifkp32.exe
C:\Windows\system32\Kcifkp32.exe
58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3844

C:\Windows\SysWOW64\Kgdbkohf.exe
C:\Windows\system32\Kgdbkohf.exe
59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5004

C:\Windows\SysWOW64\Kkpnlm32.exe
C:\Windows\system32\Kkpnlm32.exe
60⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2480

C:\Windows\SysWOW64\Kmnjhioc.exe
C:\Windows\system32\Kmnjhioc.exe
61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3468

C:\Windows\SysWOW64\Kajfig32.exe
C:\Windows\system32\Kajfig32.exe
62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4588

C:\Windows\SysWOW64\Kdhbec32.exe
C:\Windows\system32\Kdhbec32.exe
63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3736

C:\Windows\SysWOW64\Kckbqpnj.exe
C:\Windows\system32\Kckbqpnj.exe
64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3524

C:\Windows\SysWOW64\Kgfoan32.exe
C:\Windows\system32\Kgfoan32.exe
65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2672

C:\Windows\SysWOW64\Lmqgnhmp.exe
C:\Windows\system32\Lmqgnhmp.exe
66⤵
- Drops file in System32 directory
- Modifies registry class
PID:2792

C:\Windows\SysWOW64\Lalcng32.exe
C:\Windows\system32\Lalcng32.exe
67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4688

C:\Windows\SysWOW64\Lpocjdld.exe
C:\Windows\system32\Lpocjdld.exe
68⤵
- Drops file in System32 directory
- Modifies registry class
PID:5108

C:\Windows\SysWOW64\Lcmofolg.exe
C:\Windows\system32\Lcmofolg.exe
69⤵
- Modifies registry class
PID:3576

C:\Windows\SysWOW64\Lgikfn32.exe
C:\Windows\system32\Lgikfn32.exe
70⤵
- Drops file in System32 directory
- Modifies registry class
PID:4844

C:\Windows\SysWOW64\Liggbi32.exe
C:\Windows\system32\Liggbi32.exe
71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3004

C:\Windows\SysWOW64\Lmccchkn.exe
C:\Windows\system32\Lmccchkn.exe
72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2840

C:\Windows\SysWOW64\Lpappc32.exe
C:\Windows\system32\Lpappc32.exe
73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5032

C:\Windows\SysWOW64\Ldmlpbbj.exe
C:\Windows\system32\Ldmlpbbj.exe
74⤵
- Modifies registry class
PID:2908

C:\Windows\SysWOW64\Lgkhlnbn.exe
C:\Windows\system32\Lgkhlnbn.exe
75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5012

C:\Windows\SysWOW64\Lkgdml32.exe
C:\Windows\system32\Lkgdml32.exe
76⤵
- Modifies registry class
PID:3992

C:\Windows\SysWOW64\Lijdhiaa.exe
C:\Windows\system32\Lijdhiaa.exe
77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1364

C:\Windows\SysWOW64\Laalifad.exe
C:\Windows\system32\Laalifad.exe
78⤵
PID:1744

C:\Windows\SysWOW64\Ldohebqh.exe
C:\Windows\system32\Ldohebqh.exe
79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:908

C:\Windows\SysWOW64\Lcbiao32.exe
C:\Windows\system32\Lcbiao32.exe
80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2068

C:\Windows\SysWOW64\Lkiqbl32.exe
C:\Windows\system32\Lkiqbl32.exe
81⤵
- Modifies registry class
PID:3396

C:\Windows\SysWOW64\Laciofpa.exe
C:\Windows\system32\Laciofpa.exe
82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:728

C:\Windows\SysWOW64\Lcdegnep.exe
C:\Windows\system32\Lcdegnep.exe
83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2548

C:\Windows\SysWOW64\Ngpjnkpf.exe
C:\Windows\system32\Ngpjnkpf.exe
84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2712

C:\Windows\SysWOW64\Njogjfoj.exe
C:\Windows\system32\Njogjfoj.exe
85⤵
- Drops file in System32 directory
- Modifies registry class
PID:2708

C:\Windows\SysWOW64\Nafokcol.exe
C:\Windows\system32\Nafokcol.exe
86⤵
- Drops file in System32 directory
- Modifies registry class
PID:4676

C:\Windows\SysWOW64\Ncgkcl32.exe
C:\Windows\system32\Ncgkcl32.exe
87⤵
PID:1660

C:\Windows\SysWOW64\Nkncdifl.exe
C:\Windows\system32\Nkncdifl.exe
88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5020

C:\Windows\SysWOW64\Nnmopdep.exe
C:\Windows\system32\Nnmopdep.exe
89⤵
- Modifies registry class
PID:4280

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2304

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4428

C:\Windows\SysWOW64\Ndidbn32.exe
C:\Windows\system32\Ndidbn32.exe
92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:644

C:\Windows\SysWOW64\Nggqoj32.exe
C:\Windows\system32\Nggqoj32.exe
93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3932

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
94⤵
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 412
95⤵
- Program crash
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5024 -ip 5024
1⤵
PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Eddbig32.dll
Filesize
7KB

MD5
50c97065feb430250e274d92bf255555

SHA1
96df074e11299fd435030432fd31f0feb33eb8e2

SHA256
789287eda13121a76dbf708a5cd455a55beab137cc96b4247056f1a7ef81401f

SHA512
03fcc9ec824955d5d2e5c462d1bfb4f7d36ab02239a8d83a157816014e8f556db08bf07f0e97d6551f0712f4014415e59580f40743ce2c912e67127d9e75ffb9

Download Submit
C:\Windows\SysWOW64\Iapjlk32.exe
Filesize
448KB

MD5
7daed48a4ca5de7c3809a55d9ec4077e

SHA1
23087c54ac8053a099bf9928dc64a72a90499268

SHA256
d012712e82a6492e82b4bac6e43c7bb41f7d2a69ea1cf4b7b714421870702843

SHA512
961e12eafbd31b38a04c69fed439c27451dfbbb26ec0ba8d28000f0c61a4f9a359765edc8736df7560e8b93e3c832cb9f1fbbf66ee4abd4ac0d4c6538c08af5b

Download Submit
C:\Windows\SysWOW64\Ibojncfj.exe
Filesize
448KB

MD5
ed975afe44644bda67de4299b03b66b1

SHA1
634cdf3570849c34c2b338033f55d60b0cd15ce3

SHA256
9fe9a15080cd8fdf3c2beb97e923adcf837663e5578ee6c6564e48d96f7d8d13

SHA512
cf081d4072965aca8cd79a073dc5db3c4bf13f91317761b05ca7000c38f49efb5223c78e1d1308cf7ac0ce44fa14e181f7a1ac78299fb5a8ee091bbdfe09afd8

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe
Filesize
448KB

MD5
e9ebaadc3eedf024960454e1d0c8a252

SHA1
8ffbf5b55db42a099936bed8a832dbf1058c6f10

SHA256
8048f3069f687a4c8bb6e86bf14b611edc62996fb24784ad4dd80f967a6015c6

SHA512
58908d7ff0e95fec3f283651cf270e7cce6d305deb6073c85e183f76f9bc05477b8b44cb05c337e65ceec98b6a3e1b3dabc39b5e2634ae62f3cac53521bd376a

Download Submit
C:\Windows\SysWOW64\Idofhfmm.exe
Filesize
448KB

MD5
85eb2089daa6eef1552bd99be93ac32d

SHA1
118e9c26fc4d9becc598631302126ead1a99aff8

SHA256
1e6e240d6bc3d0fd3bde753102fcfb77ba1c7829e071b525c2689f41c071f3d0

SHA512
38105075ec8c361ac999e9b4fe6c297b37e99bf26ea3e530defd14ca1af53eb8164e9ee7cc400f13e8fa5328ee884752833d6b4a19d5c977bedd6d7189e176f4

Download Submit
C:\Windows\SysWOW64\Ifmcdblq.exe
Filesize
448KB

MD5
2f11743ee89e6ed73165929120c3068e

SHA1
202c3b46bffb8b0bb5678fe40a57ff4624ea5f14

SHA256
303129ea2ad1a6092ad86ac9972a9ec7ea3a0a67889276fbd38fcbf043a375a2

SHA512
b6b6e325c4500eddff0d14ee66f5bf8b340280e1d1d7544fa71f1fd8a52406419a03546129ef42cb4ff6810991b1327fd4c25f2234ad54c6841c0edbac3f77bb

Download Submit
C:\Windows\SysWOW64\Ifopiajn.exe
Filesize
448KB

MD5
547ce91ade948b9a06d8aa90d644b7e7

SHA1
432d1e8bf42fb2aa50b20967dedf340ee5ed2764

SHA256
7209aec722199727b1520b31eba55219a696ce261ffa7c58c6f435432020c56d

SHA512
4ee0d46ef47638c2f36cd99585968badf7f86374a4e68549022fb8b75f28529b861687483a4c826cafab714add8e16e4cd862452462000b1095b6c37bb173f7f

Download Submit
C:\Windows\SysWOW64\Iikopmkd.exe
Filesize
448KB

MD5
6fd0e49a94b89dfb4cefff9b6543eed0

SHA1
23073d5cc2249d82d8691ea37aeebd5d7070b529

SHA256
72bf81f648bdfb93157fd23d8746b77c4505ab3490ff8659181bf3b5dee1f068

SHA512
66ddfe81dadff61f5fc5ba5d75eee08cb125bd402e2716c30971bc3f25ee93673a41272159f7b7b03a24672e035fc64b0879331d4ae3ee0d39c1b0f2ed01e357

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe
Filesize
448KB

MD5
6fad42779cb9dfb7283691a19677a79f

SHA1
31f83162203351fe14b582519130bf6378b4113e

SHA256
4881e6ee02f8c2b8416d89e2e56b88d5d8672d63cc8d07f0dec2ae80f24f4730

SHA512
6f46c0a76c520e19fe50ae1d80c4f7db1fec6231b2af55f21172db76a73ceb33aa552a734d31aafb9302f2657728fcb39cc1ca42ace2c429f3d325b404cc71ea

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe
Filesize
448KB

MD5
ce7cff38538a510058bdc4961281bf06

SHA1
479732e6ea3e32a8521dc48fe932efe37c904e8f

SHA256
6e925b105830e9cb756f32f0e8074e807543b157266d701b2efc0259b4a6846e

SHA512
ec9a5ed54fbad41f7387707a33fbf4e25bb9fd00bc0e874b5520f6da2c2fbd6b4a24a414c2a4293896c1a77d2d30257341ebed1e2121b0a2c86e4a379b9cd1ab

Download Submit
C:\Windows\SysWOW64\Ijkljp32.exe
Filesize
448KB

MD5
d5a3ab5d7637412870eb27fd6c24c562

SHA1
41839e5a309a85567e9e2f8dff17cea156ab436b

SHA256
35722861131a769d754ea37d8e17c33c04d286e4ad43775a6a9514ec3a968499

SHA512
f7ede83df1c32fdcb24276c1ab05485719fde675b5a44bdcbd64383308ebaad82d04b58aa3d52437f4bda0b69ff5c4777facde32e29169d63a90ded14c3f0e70

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe
Filesize
448KB

MD5
21ad84f211c7e76a7221c3f00775221d

SHA1
f5dff0b49c882187e12309357def00ae692b5d6c

SHA256
f4a4ac45bb26c191fe477260893e7a5d599fcdbee298bb4f8a48a45f989f28cc

SHA512
eebfaa682f0f1391db36d9f5ae0a7cf55f84b36b84b09714794b591baacde8164a980e12a54ac20e9e24e785c799b8c43e7c4c7a915a8003c8a4d541dbdb72ee

Download Submit
C:\Windows\SysWOW64\Imgkql32.exe
Filesize
448KB

MD5
b04ed9ae6e0da58e2998bf91d91c9197

SHA1
87db0b1ac6f006e5eaff734f925d1ead00a63eb1

SHA256
c389ae0a7a67a577230342dc1ba05c7c3ee8a6f0f807b4d66730cb5908a41815

SHA512
b9920c170dececa03081c80efe57299c7ff55327908d7ef198fd4e37628cef556ebaf9def21e7db369185142dc425611437986549417f77a830128a3cf1ee63c

Download Submit
C:\Windows\SysWOW64\Ipegmg32.exe
Filesize
448KB

MD5
d46c880dc5a990b9c12f7a1e7bde45ba

SHA1
5d255a49a61cc8ddc7d1180db2cb222ae6ea8c8f

SHA256
a7643d15c0724d286d92bac0a59fc3a2f0108d92eea5bcff5e2629b9f6f4dfc1

SHA512
070a3649c2a98377b1768da75592e5b168eba560a8c237f93992c3ef02e3c74b7ee0c8ba802ed86f1a022062961fa05030b7de4b8b22c1bdd0602bcde9ee5c54

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe
Filesize
448KB

MD5
aceee8fc351a52ac7475d45c47663c74

SHA1
1d2e8d4396590ec1a28bc8e92a4c2578e1457154

SHA256
11d896da9637a70bb742fcf1e17610644656143bc58c6a4bd1603efd125997e1

SHA512
3d08aa1834e4da360a600999201d1385089ff5b74dc667c59e7536e9bee215ae2a44a88772b7a7edca10fb34a09f7362bb2bb52fcb923ae6fab05c87da612cbf

Download Submit
C:\Windows\SysWOW64\Jaimbj32.exe
Filesize
448KB

MD5
6fe9477a19eecb7d6bbb0c0b831dc175

SHA1
fbf3b6615a2a5484760d9d34a56aba1bea0458c6

SHA256
fc101949aaaf2a5c3dbaf1ae8fba120152417a950d4c68da19ce785131e20b62

SHA512
6302a0f628a7f6a9aa293c16e63f3483a928ef23d5a3c5794fdaa5f3ea3ada00dce651a423411251ea36033df0088f9005777974438c2f48312cae6975db3446

Download Submit
C:\Windows\SysWOW64\Jaljgidl.exe
Filesize
448KB

MD5
77f6d0cbfd1ad9750a98001672073ed4

SHA1
78b208061dcd229a47d031120b09d098be3a926d

SHA256
09af14c45e65d6adaa066a232e9e7a0cadd320bf52dafe79dfaa5d09bc0612fd

SHA512
646dec6787d3f4015cebbbe34580a89c9954d005031d224238f6101917bf4057cab918b11d6e0eb81817ec61673f0128c577341f82528f78f5f7679aa3921399

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe
Filesize
448KB

MD5
668bcecae375982102a09caee0d69e21

SHA1
3079e5e4f7055073f6ada2439ba4c2b939a2da15

SHA256
56094cfa4933e05c6e9ae246a2075af5fcbabb72359703bf4930987ef5792a3b

SHA512
7befcb1d29d2d3145924f89edb53361d9c74f51edc8b4831ff6345477748ea67a6ab49115ee879cda76e57683b1fef260dd3754868c729f986383cd1ddd662ea

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe
Filesize
448KB

MD5
1009abb818bd8c6f92238074f3298ab8

SHA1
1dcb4755d2a69efa236570e34e3c7dc5b0cbdbbd

SHA256
754ab7c17010983a75963e69522c500d6ad5601dea513450ae80be86c66343f1

SHA512
84e83aa3ee65264d231f72513e1bb73e54a69d3b8d25f3e310fd2b541ac74b6917e9990da98e10ecb916c7bbea72e08b9e5a1ab933fadb222848cf66dfe563a5

Download Submit
C:\Windows\SysWOW64\Jbmfoa32.exe
Filesize
448KB

MD5
1a4be2f225fa05e0a897508b886e9acd

SHA1
837ca47afb0cd0418267a86ec54966769b83d018

SHA256
cd2f9b254eed6ce96d23ab9b1a732e4665a0345216bb99f745f33843332b6bf9

SHA512
b15e0e5bae8b38d9298413f7b1b0c237814a4b52c8542300805bb592afae5b98ba9b0139fd1ed6afd48a304c0fe7ae7d4dedac083238946d31e5e5609641a87f

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe
Filesize
448KB

MD5
cd58d81f0c8d8ae4af490581cd644775

SHA1
8805756961163c5a4aeb898929ecb5632b0a1eea

SHA256
e6547dc6df6ad5ee36f95f58023e498730f132fcd51eaa96c72a101cc75ba57f

SHA512
a232213badd395e2bd5fd05df4874091e5409202da182afd73ced9553603c7204978518f45b4312cbdd3b8467b7779933ce94a5600f8be12c872f2dd0d51ac8c

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe
Filesize
448KB

MD5
53f2f2cf48f66ae4fc59dacebddcab42

SHA1
e05cb87a9bc377b16c10f062665e0916277036d2

SHA256
388e8d037bb0a0d99ccb06747360881510b627faa228b03de5f3c97829d76481

SHA512
a38ef65f62ce26619379826a800086cc1718675da76be18c0734e8741261d7fe02e0c704a4a708e04ff7804670c0dd17140e700cfb5af0461e20475c8f440bc8

Download Submit
C:\Windows\SysWOW64\Jdjfcecp.exe
Filesize
448KB

MD5
6e9c5b78448e425130a58f89ef640d4c

SHA1
4e36f87948ff4ea9ce52fef31e3796a18c5580ef

SHA256
dd4d9484b7679d379b1fa9bb038f08c40e416aab8751897dccfa1df7beae356a

SHA512
19906e4d5e7da7095c33b3f3317ff0a20b15f2ac57a946ffde7e5afcc0d6a0e4f169e6a0a42e39d9ceb9830cec27cc7d733c9ca0db8e6b26e82e63571e5fc17c

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe
Filesize
448KB

MD5
eb431f7e4e9024b0f34c72edd4886a48

SHA1
69152f92885719a9efb38e4b915e5a4c5d70d3da

SHA256
689e0d91c735ef9ec3b4886c1d0209d876107f282c3d8bf69e32dea198722fef

SHA512
644883df6728a25e43084e89c6be375f52b02c323ac3e9bf32d672da35836a8c093afdcbf0af3c0ed3be2c2caba29c826ca498e88ccdbef982f736c3b12e1990

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe
Filesize
448KB

MD5
186d08150cf37bbbd74eb668faad9634

SHA1
ca8b11c7dea45b6703113ba94ba22dd76e9ba185

SHA256
b202d90826c1a318e048cdd46f266640040777fdf95b0d92c281c06a3e6e4cb4

SHA512
fa4252a318f6e4ebcaa1ac87fd60f45800c4e84961a5afe21f19a63d110c0530e0e1e6150e3ef23468970c3eebeadc13aa44ea3871b32b7bc72de2d15df8010b

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe
Filesize
448KB

MD5
e78cb181bae5137763d99ab8ec87b644

SHA1
f99b93e6cb2cba22374ab728e481533574568caa

SHA256
7bda1b2131a62220b981fe09fa2d5bad8e1b82c269dcf9571309978c9efa76be

SHA512
4f504ffa38d551cbd45a943848319493f6f7d232e435a60c7b89b5dbb203971a800bfd5b712510972b1b5addae0aa774d865db83ccf366facc01958357da88e9

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe
Filesize
448KB

MD5
824b928ef8777e22b48c8a436f5b59dc

SHA1
06b606f03062ac356ad831b5c441539429003ee3

SHA256
2ea3b555d9c9353f18f114938f5039079af3b70ab0ca5a541ccbc939471975fc

SHA512
133d130c3cab995db165ea6f3e799c4fd443863926d2341c904a4792e200c49b64a463f07b6039964c25af697d40138ad458288a629c5abcec461628151672a6

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe
Filesize
448KB

MD5
96cb30e0dd6121c860a154587a320d15

SHA1
0fce00580e8f592ed74e1754069f8c916ab8e574

SHA256
d7d9bcc29bbd8fdb52237bcf4c1100d2b4f9803a7232b9b676fb13f7e4494dc6

SHA512
7cd985bb76eac3604824f87fb525c62ed719a639be3ac7b601d3a838ab9bc878d6cde0ef3767f31547c6e4ee5d94a4f800e9b9d43fb38f3abc479e55d7238dd2

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe
Filesize
448KB

MD5
25ed9076a79fcca4ea09b0be45371a31

SHA1
8ecbab376f8e8cdc82be6664d9b6b84e28003b7b

SHA256
ed32d928d5f3edb00c13f66d804256a8dafa0060394fee23dc7bbf190293b329

SHA512
86b3782c556e9f67b46131c6c7542c88d359535a751b4e5bec1ca34cb098904d6c145330eb0db3afbc8c93eba7bb95221d906f948c0feefd9da2689192ad8ddb

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe
Filesize
448KB

MD5
84918d05e915dc05bd0bf57ebc5162d3

SHA1
323dbfbb55ce202e1a538c5ded7662fb891b8b96

SHA256
117e26cacd8444776016015658168c8817043d71a1f544e1c0cc6775292b4286

SHA512
e6d537c38d4d04c6450e8f9571641fd749e420ac49ad6808c1d878dcea7a5424433bbb3af5ddf199ecec47ab56f8ce620e0ebd0867913744e9f307eff278ac51

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe
Filesize
448KB

MD5
cf889d53389b5a72eaf492f281beba18

SHA1
3f3993e3eb8e4611b8dc2e28c8d3a92d1ee32069

SHA256
c1a31d208843e8e174bb7d5d7e5e7d9ac236561f483372c2d74ad2a791d5c16f

SHA512
b366ad1430160a33e82ef5299a698e4aeef002d75ebf8fad2b4f0a583fdd6677ce4fbb35dd54383552d282c5873b614e2622c251e2a60c5d6a1a1bb5b77c7830

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe
Filesize
448KB

MD5
7b982fdcbd8bba6b82394208059ce1ce

SHA1
28369609ab341fefeff793794d9e73f332c4bc80

SHA256
657487dd80132287ccbd4dbfb8f769724b1585d9e5abb6b91954d382c680bf2e

SHA512
04d9ea7bb3646609f24a59aad68a4ceb49ab9fe228d83fcaa5ec57827b161c2ba92dc780f2f09de2fd0ec18d412aad4c1c58eb75268c93e3c258f48e298b51a4

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe
Filesize
448KB

MD5
d930e908f57e96437295e2fabd1a27f5

SHA1
f6ace88c8fff7d12365475e6462b86f4fb28dabe

SHA256
5d294e427007785adce3779b85ba13fe906476996419e8d6a151685b195ee9d7

SHA512
c2b9e25c2b15b0d89a3369750df0b7d72f21bf3d08396c257b447b06dc4e97b54d89aca4706471362a28cda322ab8766eab79777fd68d3b2317bc2badbd73f02

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe
Filesize
448KB

MD5
691721a5445b801799b3ecba29fe6970

SHA1
df8725c5a534c3b2a8aaff0f1b28daa7aaea28fb

SHA256
bba0c29e190e5a501ed422a3ee8c8049c26470d6010e3f61fea6d1e9f8f96fb5

SHA512
9af82c69da82ddd786d6ffcadf171768c02066c3f696586e94dab49e7ccf4abaf756c2b7b6ede1e1aa9b2996e3375853e1c0ca07f728a62c9fe05f334483ad91

Download Submit
memory/232-506-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/464-479-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/516-511-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/552-505-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/644-614-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/728-555-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/788-500-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/792-523-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/848-482-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/868-492-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/908-552-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/936-509-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1036-524-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1100-518-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1172-516-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1364-550-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1396-469-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1420-473-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1440-490-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1504-12-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1548-489-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1556-517-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1636-513-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1660-582-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1744-551-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1784-502-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1788-519-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1940-507-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2068-553-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2092-484-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2140-481-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2288-496-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2304-599-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2304-623-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2380-477-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2480-530-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2536-520-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2548-556-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2672-537-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2676-485-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2708-572-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2712-567-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2792-538-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2828-486-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2840-545-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2908-547-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3004-543-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3008-515-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3104-525-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3152-493-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3228-36-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3376-476-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3396-554-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3468-533-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3524-536-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3572-472-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3576-541-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3712-470-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3736-535-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3772-521-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3844-526-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3932-621-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3940-28-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3972-494-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3992-549-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4068-471-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4192-508-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4252-514-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4280-624-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4280-593-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4392-475-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4412-483-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4428-608-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4464-510-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4472-491-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4556-488-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4588-534-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4612-522-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4676-578-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4688-539-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4744-474-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4836-487-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4840-480-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4844-542-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4904-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4912-20-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4996-501-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5004-527-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5012-548-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5020-586-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5024-622-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5028-478-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5032-546-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5048-512-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5064-503-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5108-540-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download