b5d80d821a40175addfec54b1c854390a49f65fb09ebb312652080b3798a0e8f

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49617c7a12de9f7a259c24567e0a9960_NeikiAnalytics.exe
Size

89KB
MD5

49617c7a12de9f7a259c24567e0a9960
SHA1

da1259a17c5a6f52a317fbd56f73274899ebf610
SHA256

b5d80d821a40175addfec54b1c854390a49f65fb09ebb312652080b3798a0e8f
SHA512

2f802ac43425b0df7f8e2b38c2fce814e690eced7b1199372ec9f754dcf9e8a6e1c3ac05bf82a72852c2be656d56c13208b990f4df47bfbdc544424dcc7876bc
SSDEEP

1536:QRvn3+741TXZMorKDmFTFfuwtxXFy72D7CRQdD68a+VMKKTRVGFtUhQfR1WRaROu:QdjeorKDm9/Tk72HCeEr4MKy3G7UEqMR

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Lilanioo.exeIpckgh32.exeIbagcc32.exeKmgdgjek.exeLpocjdld.exeLijdhiaa.exeNafokcol.exeHccglh32.exeIbjqcd32.exeJdcpcf32.exeKdffocib.exeMcklgm32.exeNdidbn32.exeHfachc32.exeKknafn32.exeKdhbec32.exeNdbnboqb.exeIidipnal.exeKbdmpqcb.exeLcgblncm.exeMkepnjng.exeNddkgonp.exeIjdeiaio.exeKmegbjgn.exeMpdelajl.exeNkjjij32.exeJpjqhgol.exeLgkhlnbn.exeLgneampk.exeMdfofakp.exeNbkhfc32.exeKdopod32.exeNacbfdao.exeNgpjnkpf.exeHmklen32.exeKilhgk32.exeLiggbi32.exeNjogjfoj.exeNgedij32.exeIjkljp32.exeMgekbljc.exeNjacpf32.exeIbmmhdhm.exeKkihknfg.exeLpappc32.exeJibeql32.exeJaljgidl.exeKgfoan32.exeMcbahlip.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfachc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iidipnal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmklen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jibeql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nddkgonp.exe

Malware Dropper & Backdoor - Berbew 36 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\Windows\SysWOW64\Himcoo32.exe	family_berbew
C:\Windows\SysWOW64\Hccglh32.exe	family_berbew
C:\Windows\SysWOW64\Hfachc32.exe	family_berbew
C:\Windows\SysWOW64\Hmklen32.exe	family_berbew
C:\Windows\SysWOW64\Hjolnb32.exe	family_berbew
C:\Windows\SysWOW64\Haidklda.exe	family_berbew
C:\Windows\SysWOW64\Ibjqcd32.exe	family_berbew
C:\Windows\SysWOW64\Iidipnal.exe	family_berbew
C:\Windows\SysWOW64\Ibmmhdhm.exe	family_berbew
C:\Windows\SysWOW64\Ijdeiaio.exe	family_berbew
C:\Windows\SysWOW64\Ipqnahgf.exe	family_berbew
C:\Windows\SysWOW64\Ijfboafl.exe	family_berbew
C:\Windows\SysWOW64\Ipckgh32.exe	family_berbew
C:\Windows\SysWOW64\Ibagcc32.exe	family_berbew
C:\Windows\SysWOW64\Ijhodq32.exe	family_berbew
C:\Windows\SysWOW64\Ijkljp32.exe	family_berbew
C:\Windows\SysWOW64\Imihfl32.exe	family_berbew
C:\Windows\SysWOW64\Jdcpcf32.exe	family_berbew
C:\Windows\SysWOW64\Jpjqhgol.exe	family_berbew
C:\Windows\SysWOW64\Jibeql32.exe	family_berbew
C:\Windows\SysWOW64\Jdhine32.exe	family_berbew
C:\Windows\SysWOW64\Jjbako32.exe	family_berbew
C:\Windows\SysWOW64\Jaljgidl.exe	family_berbew
C:\Windows\SysWOW64\Jkdnpo32.exe	family_berbew
C:\Windows\SysWOW64\Jkfkfohj.exe	family_berbew
C:\Windows\SysWOW64\Kmegbjgn.exe	family_berbew
C:\Windows\SysWOW64\Kdopod32.exe	family_berbew
C:\Windows\SysWOW64\Kbapjafe.exe	family_berbew
C:\Windows\SysWOW64\Kkihknfg.exe	family_berbew
C:\Windows\SysWOW64\Kilhgk32.exe	family_berbew
C:\Windows\SysWOW64\Kdaldd32.exe	family_berbew
C:\Windows\SysWOW64\Kmgdgjek.exe	family_berbew
C:\Windows\SysWOW64\Kdffocib.exe	family_berbew
C:\Windows\SysWOW64\Lgkhlnbn.exe	family_berbew
C:\Windows\SysWOW64\Lpfijcfl.exe	family_berbew
C:\Windows\SysWOW64\Ndbnboqb.exe	family_berbew

Executes dropped EXE 64 IoCs

Processes:

Himcoo32.exeHccglh32.exeHfachc32.exeHmklen32.exeHjolnb32.exeHaidklda.exeIbjqcd32.exeIidipnal.exeIbmmhdhm.exeIjdeiaio.exeIpqnahgf.exeIjfboafl.exeIpckgh32.exeIbagcc32.exeIjhodq32.exeIjkljp32.exeImihfl32.exeJdcpcf32.exeJpjqhgol.exeJibeql32.exeJdhine32.exeJjbako32.exeJaljgidl.exeJkdnpo32.exeJkfkfohj.exeKmegbjgn.exeKdopod32.exeKbapjafe.exeKkihknfg.exeKilhgk32.exeKmgdgjek.exeKdaldd32.exeKbdmpqcb.exeKknafn32.exeKdffocib.exeKibnhjgj.exeKdhbec32.exeKgfoan32.exeLpocjdld.exeLiggbi32.exeLpappc32.exeLgkhlnbn.exeLijdhiaa.exeLgneampk.exeLilanioo.exeLpfijcfl.exeLjnnch32.exeLcgblncm.exeLgbnmm32.exeMdfofakp.exeMgekbljc.exeMcklgm32.exeMkbchk32.exeMnapdf32.exeMkepnjng.exeMncmjfmk.exeMdmegp32.exeMjjmog32.exeMpdelajl.exeMcbahlip.exeNkjjij32.exeNacbfdao.exeNdbnboqb.exeNgpjnkpf.exe

pid	process
696	Himcoo32.exe
2180	Hccglh32.exe
4660	Hfachc32.exe
2588	Hmklen32.exe
2996	Hjolnb32.exe
2260	Haidklda.exe
336	Ibjqcd32.exe
3728	Iidipnal.exe
3128	Ibmmhdhm.exe
4892	Ijdeiaio.exe
3684	Ipqnahgf.exe
1216	Ijfboafl.exe
4680	Ipckgh32.exe
4308	Ibagcc32.exe
5044	Ijhodq32.exe
4748	Ijkljp32.exe
2536	Imihfl32.exe
2604	Jdcpcf32.exe
3704	Jpjqhgol.exe
2548	Jibeql32.exe
4028	Jdhine32.exe
2540	Jjbako32.exe
4852	Jaljgidl.exe
3388	Jkdnpo32.exe
5108	Jkfkfohj.exe
620	Kmegbjgn.exe
1848	Kdopod32.exe
884	Kbapjafe.exe
4196	Kkihknfg.exe
2888	Kilhgk32.exe
5004	Kmgdgjek.exe
2716	Kdaldd32.exe
1676	Kbdmpqcb.exe
4952	Kknafn32.exe
460	Kdffocib.exe
4020	Kibnhjgj.exe
1152	Kdhbec32.exe
2036	Kgfoan32.exe
3408	Lpocjdld.exe
4312	Liggbi32.exe
232	Lpappc32.exe
1268	Lgkhlnbn.exe
4928	Lijdhiaa.exe
4528	Lgneampk.exe
4040	Lilanioo.exe
816	Lpfijcfl.exe
5008	Ljnnch32.exe
3984	Lcgblncm.exe
4964	Lgbnmm32.exe
3916	Mdfofakp.exe
1356	Mgekbljc.exe
1632	Mcklgm32.exe
1488	Mkbchk32.exe
1036	Mnapdf32.exe
1256	Mkepnjng.exe
2724	Mncmjfmk.exe
1388	Mdmegp32.exe
1240	Mjjmog32.exe
2272	Mpdelajl.exe
1444	Mcbahlip.exe
4752	Nkjjij32.exe
4856	Nacbfdao.exe
3660	Ndbnboqb.exe
4664	Ngpjnkpf.exe

Drops file in System32 directory 64 IoCs

Processes:

Kbdmpqcb.exeMnapdf32.exeMdmegp32.exeNjacpf32.exeJkdnpo32.exeKkihknfg.exeKbapjafe.exeHjolnb32.exeNdghmo32.exeJibeql32.exeIidipnal.exeIpckgh32.exeLpappc32.exeMjjmog32.exeHccglh32.exeMcbahlip.exeNkjjij32.exeNacbfdao.exeNdbnboqb.exeMcklgm32.exeKknafn32.exeKdffocib.exeMkepnjng.exeIjhodq32.exeKmgdgjek.exeNgedij32.exeNbkhfc32.exeJaljgidl.exeKmegbjgn.exeLpocjdld.exeNafokcol.exeLcgblncm.exeKgfoan32.exeKibnhjgj.exeNgcgcjnc.exe49617c7a12de9f7a259c24567e0a9960_NeikiAnalytics.exeKdaldd32.exeKdopod32.exeLilanioo.exeMpdelajl.exeNbhkac32.exeLgkhlnbn.exeMgekbljc.exeNddkgonp.exeJjbako32.exeLgneampk.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Jkfkfohj.exe	Jkdnpo32.exe
File opened for modification	C:\Windows\SysWOW64\Kilhgk32.exe	Kkihknfg.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Enbofg32.dll	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Lijiaonm.dll	Hjolnb32.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Jdhine32.exe	Jibeql32.exe
File opened for modification	C:\Windows\SysWOW64\Ibmmhdhm.exe	Iidipnal.exe
File created	C:\Windows\SysWOW64\Ibagcc32.exe	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Eilljncf.dll	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Lpappc32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Qchnlc32.dll	Hccglh32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kknafn32.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Ijkljp32.exe	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Kdaldd32.exe	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Jkdnpo32.exe	Jaljgidl.exe
File opened for modification	C:\Windows\SysWOW64\Kdopod32.exe	Kmegbjgn.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Ibmmhdhm.exe	Iidipnal.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ibooqjdb.dll	49617c7a12de9f7a259c24567e0a9960_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Lpfihl32.dll	Ipckgh32.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Hfachc32.exe	Hccglh32.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Himcoo32.exe	49617c7a12de9f7a259c24567e0a9960_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Kdaldd32.exe	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Jaljgidl.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2600 1104 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
2600	1104	WerFault.exe	Nkcmohbg.exe

Modifies registry class 64 IoCs

Processes:

Jaljgidl.exeMdmegp32.exeNjacpf32.exeIidipnal.exeIjdeiaio.exeIpckgh32.exeJibeql32.exeLpappc32.exeMnapdf32.exe49617c7a12de9f7a259c24567e0a9960_NeikiAnalytics.exeIbagcc32.exeJdhine32.exeMdfofakp.exeMgekbljc.exeMjjmog32.exeNkjjij32.exeNdidbn32.exeKmegbjgn.exeLilanioo.exeLjnnch32.exeLcgblncm.exeLpocjdld.exeLgneampk.exeIjfboafl.exeNafokcol.exeKdhbec32.exeLgbnmm32.exeMkepnjng.exeNdghmo32.exeIjhodq32.exeNjogjfoj.exeHaidklda.exeImihfl32.exeMncmjfmk.exeNdbnboqb.exeLpfijcfl.exeLiggbi32.exeMcklgm32.exeNgpjnkpf.exeKmgdgjek.exeLgkhlnbn.exeHmklen32.exeIbmmhdhm.exeKdopod32.exeNjcpee32.exeJkdnpo32.exeKdffocib.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qknpkqim.dll"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iidipnal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlilmlna.dll"	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jibeql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	49617c7a12de9f7a259c24567e0a9960_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feambf32.dll"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	49617c7a12de9f7a259c24567e0a9960_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibooqjdb.dll"	49617c7a12de9f7a259c24567e0a9960_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjmhmfd.dll"	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfkkgo32.dll"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmfdf32.dll"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Haidklda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgiacnii.dll"	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hmklen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qngfmkdl.dll"	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Ljnnch32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

49617c7a12de9f7a259c24567e0a9960_NeikiAnalytics.exeHimcoo32.exeHccglh32.exeHfachc32.exeHmklen32.exeHjolnb32.exeHaidklda.exeIbjqcd32.exeIidipnal.exeIbmmhdhm.exeIjdeiaio.exeIpqnahgf.exeIjfboafl.exeIpckgh32.exeIbagcc32.exeIjhodq32.exeIjkljp32.exeImihfl32.exeJdcpcf32.exeJpjqhgol.exeJibeql32.exeJdhine32.exe

description	pid	process	target process
PID 4088 wrote to memory of 696	4088	49617c7a12de9f7a259c24567e0a9960_NeikiAnalytics.exe	Himcoo32.exe
PID 4088 wrote to memory of 696	4088	49617c7a12de9f7a259c24567e0a9960_NeikiAnalytics.exe	Himcoo32.exe
PID 4088 wrote to memory of 696	4088	49617c7a12de9f7a259c24567e0a9960_NeikiAnalytics.exe	Himcoo32.exe
PID 696 wrote to memory of 2180	696	Himcoo32.exe	Hccglh32.exe
PID 696 wrote to memory of 2180	696	Himcoo32.exe	Hccglh32.exe
PID 696 wrote to memory of 2180	696	Himcoo32.exe	Hccglh32.exe
PID 2180 wrote to memory of 4660	2180	Hccglh32.exe	Hfachc32.exe
PID 2180 wrote to memory of 4660	2180	Hccglh32.exe	Hfachc32.exe
PID 2180 wrote to memory of 4660	2180	Hccglh32.exe	Hfachc32.exe
PID 4660 wrote to memory of 2588	4660	Hfachc32.exe	Hmklen32.exe
PID 4660 wrote to memory of 2588	4660	Hfachc32.exe	Hmklen32.exe
PID 4660 wrote to memory of 2588	4660	Hfachc32.exe	Hmklen32.exe
PID 2588 wrote to memory of 2996	2588	Hmklen32.exe	Hjolnb32.exe
PID 2588 wrote to memory of 2996	2588	Hmklen32.exe	Hjolnb32.exe
PID 2588 wrote to memory of 2996	2588	Hmklen32.exe	Hjolnb32.exe
PID 2996 wrote to memory of 2260	2996	Hjolnb32.exe	Haidklda.exe
PID 2996 wrote to memory of 2260	2996	Hjolnb32.exe	Haidklda.exe
PID 2996 wrote to memory of 2260	2996	Hjolnb32.exe	Haidklda.exe
PID 2260 wrote to memory of 336	2260	Haidklda.exe	Ibjqcd32.exe
PID 2260 wrote to memory of 336	2260	Haidklda.exe	Ibjqcd32.exe
PID 2260 wrote to memory of 336	2260	Haidklda.exe	Ibjqcd32.exe
PID 336 wrote to memory of 3728	336	Ibjqcd32.exe	Iidipnal.exe
PID 336 wrote to memory of 3728	336	Ibjqcd32.exe	Iidipnal.exe
PID 336 wrote to memory of 3728	336	Ibjqcd32.exe	Iidipnal.exe
PID 3728 wrote to memory of 3128	3728	Iidipnal.exe	Ibmmhdhm.exe
PID 3728 wrote to memory of 3128	3728	Iidipnal.exe	Ibmmhdhm.exe
PID 3728 wrote to memory of 3128	3728	Iidipnal.exe	Ibmmhdhm.exe
PID 3128 wrote to memory of 4892	3128	Ibmmhdhm.exe	Ijdeiaio.exe
PID 3128 wrote to memory of 4892	3128	Ibmmhdhm.exe	Ijdeiaio.exe
PID 3128 wrote to memory of 4892	3128	Ibmmhdhm.exe	Ijdeiaio.exe
PID 4892 wrote to memory of 3684	4892	Ijdeiaio.exe	Ipqnahgf.exe
PID 4892 wrote to memory of 3684	4892	Ijdeiaio.exe	Ipqnahgf.exe
PID 4892 wrote to memory of 3684	4892	Ijdeiaio.exe	Ipqnahgf.exe
PID 3684 wrote to memory of 1216	3684	Ipqnahgf.exe	Ijfboafl.exe
PID 3684 wrote to memory of 1216	3684	Ipqnahgf.exe	Ijfboafl.exe
PID 3684 wrote to memory of 1216	3684	Ipqnahgf.exe	Ijfboafl.exe
PID 1216 wrote to memory of 4680	1216	Ijfboafl.exe	Ipckgh32.exe
PID 1216 wrote to memory of 4680	1216	Ijfboafl.exe	Ipckgh32.exe
PID 1216 wrote to memory of 4680	1216	Ijfboafl.exe	Ipckgh32.exe
PID 4680 wrote to memory of 4308	4680	Ipckgh32.exe	Ibagcc32.exe
PID 4680 wrote to memory of 4308	4680	Ipckgh32.exe	Ibagcc32.exe
PID 4680 wrote to memory of 4308	4680	Ipckgh32.exe	Ibagcc32.exe
PID 4308 wrote to memory of 5044	4308	Ibagcc32.exe	Ijhodq32.exe
PID 4308 wrote to memory of 5044	4308	Ibagcc32.exe	Ijhodq32.exe
PID 4308 wrote to memory of 5044	4308	Ibagcc32.exe	Ijhodq32.exe
PID 5044 wrote to memory of 4748	5044	Ijhodq32.exe	Ijkljp32.exe
PID 5044 wrote to memory of 4748	5044	Ijhodq32.exe	Ijkljp32.exe
PID 5044 wrote to memory of 4748	5044	Ijhodq32.exe	Ijkljp32.exe
PID 4748 wrote to memory of 2536	4748	Ijkljp32.exe	Imihfl32.exe
PID 4748 wrote to memory of 2536	4748	Ijkljp32.exe	Imihfl32.exe
PID 4748 wrote to memory of 2536	4748	Ijkljp32.exe	Imihfl32.exe
PID 2536 wrote to memory of 2604	2536	Imihfl32.exe	Jdcpcf32.exe
PID 2536 wrote to memory of 2604	2536	Imihfl32.exe	Jdcpcf32.exe
PID 2536 wrote to memory of 2604	2536	Imihfl32.exe	Jdcpcf32.exe
PID 2604 wrote to memory of 3704	2604	Jdcpcf32.exe	Jpjqhgol.exe
PID 2604 wrote to memory of 3704	2604	Jdcpcf32.exe	Jpjqhgol.exe
PID 2604 wrote to memory of 3704	2604	Jdcpcf32.exe	Jpjqhgol.exe
PID 3704 wrote to memory of 2548	3704	Jpjqhgol.exe	Jibeql32.exe
PID 3704 wrote to memory of 2548	3704	Jpjqhgol.exe	Jibeql32.exe
PID 3704 wrote to memory of 2548	3704	Jpjqhgol.exe	Jibeql32.exe
PID 2548 wrote to memory of 4028	2548	Jibeql32.exe	Jdhine32.exe
PID 2548 wrote to memory of 4028	2548	Jibeql32.exe	Jdhine32.exe
PID 2548 wrote to memory of 4028	2548	Jibeql32.exe	Jdhine32.exe
PID 4028 wrote to memory of 2540	4028	Jdhine32.exe	Jjbako32.exe

C:\Users\Admin\AppData\Local\Temp\49617c7a12de9f7a259c24567e0a9960_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\49617c7a12de9f7a259c24567e0a9960_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4088

C:\Windows\SysWOW64\Himcoo32.exe
C:\Windows\system32\Himcoo32.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:696

C:\Windows\SysWOW64\Hccglh32.exe
C:\Windows\system32\Hccglh32.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\SysWOW64\Hfachc32.exe
C:\Windows\system32\Hfachc32.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4660

C:\Windows\SysWOW64\Hmklen32.exe
C:\Windows\system32\Hmklen32.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\SysWOW64\Hjolnb32.exe
C:\Windows\system32\Hjolnb32.exe
6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2996

C:\Windows\SysWOW64\Haidklda.exe
C:\Windows\system32\Haidklda.exe
7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\SysWOW64\Ibjqcd32.exe
C:\Windows\system32\Ibjqcd32.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\SysWOW64\Iidipnal.exe
C:\Windows\system32\Iidipnal.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3728

C:\Windows\SysWOW64\Ibmmhdhm.exe
C:\Windows\system32\Ibmmhdhm.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3128

C:\Windows\SysWOW64\Ijdeiaio.exe
C:\Windows\system32\Ijdeiaio.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\SysWOW64\Ipqnahgf.exe
C:\Windows\system32\Ipqnahgf.exe
12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3684

C:\Windows\SysWOW64\Ijfboafl.exe
C:\Windows\system32\Ijfboafl.exe
13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\SysWOW64\Ipckgh32.exe
C:\Windows\system32\Ipckgh32.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4680

C:\Windows\SysWOW64\Ibagcc32.exe
C:\Windows\system32\Ibagcc32.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4308

C:\Windows\SysWOW64\Ijhodq32.exe
C:\Windows\system32\Ijhodq32.exe
16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\SysWOW64\Ijkljp32.exe
C:\Windows\system32\Ijkljp32.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748

C:\Windows\SysWOW64\Imihfl32.exe
C:\Windows\system32\Imihfl32.exe
18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\SysWOW64\Jdcpcf32.exe
C:\Windows\system32\Jdcpcf32.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\SysWOW64\Jpjqhgol.exe
C:\Windows\system32\Jpjqhgol.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704

C:\Windows\SysWOW64\Jibeql32.exe
C:\Windows\system32\Jibeql32.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\SysWOW64\Jdhine32.exe
C:\Windows\system32\Jdhine32.exe
22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4028

C:\Windows\SysWOW64\Jjbako32.exe
C:\Windows\system32\Jjbako32.exe
23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2540

C:\Windows\SysWOW64\Jaljgidl.exe
C:\Windows\system32\Jaljgidl.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4852

C:\Windows\SysWOW64\Jkdnpo32.exe
C:\Windows\system32\Jkdnpo32.exe
25⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3388

C:\Windows\SysWOW64\Jkfkfohj.exe
C:\Windows\system32\Jkfkfohj.exe
26⤵
- Executes dropped EXE
PID:5108

C:\Windows\SysWOW64\Kmegbjgn.exe
C:\Windows\system32\Kmegbjgn.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:620

C:\Windows\SysWOW64\Kdopod32.exe
C:\Windows\system32\Kdopod32.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1848

C:\Windows\SysWOW64\Kbapjafe.exe
C:\Windows\system32\Kbapjafe.exe
29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:884

C:\Windows\SysWOW64\Kkihknfg.exe
C:\Windows\system32\Kkihknfg.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4196

C:\Windows\SysWOW64\Kilhgk32.exe
C:\Windows\system32\Kilhgk32.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2888

C:\Windows\SysWOW64\Kmgdgjek.exe
C:\Windows\system32\Kmgdgjek.exe
32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5004

C:\Windows\SysWOW64\Kdaldd32.exe
C:\Windows\system32\Kdaldd32.exe
33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2716

C:\Windows\SysWOW64\Kbdmpqcb.exe
C:\Windows\system32\Kbdmpqcb.exe
34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1676

C:\Windows\SysWOW64\Kknafn32.exe
C:\Windows\system32\Kknafn32.exe
35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4952

C:\Windows\SysWOW64\Kdffocib.exe
C:\Windows\system32\Kdffocib.exe
36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:460

C:\Windows\SysWOW64\Kibnhjgj.exe
C:\Windows\system32\Kibnhjgj.exe
37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4020

C:\Windows\SysWOW64\Kdhbec32.exe
C:\Windows\system32\Kdhbec32.exe
38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1152

C:\Windows\SysWOW64\Kgfoan32.exe
C:\Windows\system32\Kgfoan32.exe
39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2036

C:\Windows\SysWOW64\Lpocjdld.exe
C:\Windows\system32\Lpocjdld.exe
40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3408

C:\Windows\SysWOW64\Liggbi32.exe
C:\Windows\system32\Liggbi32.exe
41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4312

C:\Windows\SysWOW64\Lpappc32.exe
C:\Windows\system32\Lpappc32.exe
42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:232

C:\Windows\SysWOW64\Lgkhlnbn.exe
C:\Windows\system32\Lgkhlnbn.exe
43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1268

C:\Windows\SysWOW64\Lijdhiaa.exe
C:\Windows\system32\Lijdhiaa.exe
44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4928

C:\Windows\SysWOW64\Lgneampk.exe
C:\Windows\system32\Lgneampk.exe
45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4528

C:\Windows\SysWOW64\Lilanioo.exe
C:\Windows\system32\Lilanioo.exe
46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4040

C:\Windows\SysWOW64\Lpfijcfl.exe
C:\Windows\system32\Lpfijcfl.exe
47⤵
- Executes dropped EXE
- Modifies registry class
PID:816

C:\Windows\SysWOW64\Ljnnch32.exe
C:\Windows\system32\Ljnnch32.exe
48⤵
- Executes dropped EXE
- Modifies registry class
PID:5008

C:\Windows\SysWOW64\Lcgblncm.exe
C:\Windows\system32\Lcgblncm.exe
49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3984

C:\Windows\SysWOW64\Lgbnmm32.exe
C:\Windows\system32\Lgbnmm32.exe
50⤵
- Executes dropped EXE
- Modifies registry class
PID:4964

C:\Windows\SysWOW64\Mdfofakp.exe
C:\Windows\system32\Mdfofakp.exe
51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3916

C:\Windows\SysWOW64\Mgekbljc.exe
C:\Windows\system32\Mgekbljc.exe
52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1356

C:\Windows\SysWOW64\Mcklgm32.exe
C:\Windows\system32\Mcklgm32.exe
53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1632

C:\Windows\SysWOW64\Mkbchk32.exe
C:\Windows\system32\Mkbchk32.exe
54⤵
- Executes dropped EXE
PID:1488

C:\Windows\SysWOW64\Mnapdf32.exe
C:\Windows\system32\Mnapdf32.exe
55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1036

C:\Windows\SysWOW64\Mkepnjng.exe
C:\Windows\system32\Mkepnjng.exe
56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1256

C:\Windows\SysWOW64\Mncmjfmk.exe
C:\Windows\system32\Mncmjfmk.exe
57⤵
- Executes dropped EXE
- Modifies registry class
PID:2724

C:\Windows\SysWOW64\Mdmegp32.exe
C:\Windows\system32\Mdmegp32.exe
58⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1388

C:\Windows\SysWOW64\Mjjmog32.exe
C:\Windows\system32\Mjjmog32.exe
59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1240

C:\Windows\SysWOW64\Mpdelajl.exe
C:\Windows\system32\Mpdelajl.exe
60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2272

C:\Windows\SysWOW64\Mcbahlip.exe
C:\Windows\system32\Mcbahlip.exe
61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1444

C:\Windows\SysWOW64\Nkjjij32.exe
C:\Windows\system32\Nkjjij32.exe
62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4752

C:\Windows\SysWOW64\Nacbfdao.exe
C:\Windows\system32\Nacbfdao.exe
63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4856

C:\Windows\SysWOW64\Ndbnboqb.exe
C:\Windows\system32\Ndbnboqb.exe
64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3660

C:\Windows\SysWOW64\Ngpjnkpf.exe
C:\Windows\system32\Ngpjnkpf.exe
65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4664

C:\Windows\SysWOW64\Njogjfoj.exe
C:\Windows\system32\Njogjfoj.exe
66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3580

C:\Windows\SysWOW64\Nafokcol.exe
C:\Windows\system32\Nafokcol.exe
67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:4776

C:\Windows\SysWOW64\Nddkgonp.exe
C:\Windows\system32\Nddkgonp.exe
68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1000

C:\Windows\SysWOW64\Ngcgcjnc.exe
C:\Windows\system32\Ngcgcjnc.exe
69⤵
- Drops file in System32 directory
PID:2472

C:\Windows\SysWOW64\Njacpf32.exe
C:\Windows\system32\Njacpf32.exe
70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:4540

C:\Windows\SysWOW64\Nbhkac32.exe
C:\Windows\system32\Nbhkac32.exe
71⤵
- Drops file in System32 directory
PID:3472

C:\Windows\SysWOW64\Ndghmo32.exe
C:\Windows\system32\Ndghmo32.exe
72⤵
- Drops file in System32 directory
- Modifies registry class
PID:876

C:\Windows\SysWOW64\Ngedij32.exe
C:\Windows\system32\Ngedij32.exe
73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:888

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
74⤵
- Modifies registry class
PID:2108

C:\Windows\SysWOW64\Nbkhfc32.exe
C:\Windows\system32\Nbkhfc32.exe
75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4932

C:\Windows\SysWOW64\Ndidbn32.exe
C:\Windows\system32\Ndidbn32.exe
76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2308

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
77⤵
PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 420
78⤵
- Program crash
PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 1104 -ip 1104
1⤵
PID:3880

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Haidklda.exe
Filesize
89KB

MD5
84f2420eefd94272aed8552fea85da45

SHA1
fdb4186aa7800f6af16fc7d45f8c8b063ed85053

SHA256
5032f59295f5d59fd449207c152a2786b8602f464d4b30916bd85243acdd87b1

SHA512
e56afed26fbc4d5de44dc376dde8a3688f9043bcd75c5e12e018453d310815735c48f99e286aa9b779011846919d9ab7ea12e9dbb4f22e38fd30e01457bfabd3

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe
Filesize
89KB

MD5
f68dd869eda202b1b153820955d2d47b

SHA1
719f0187fb83cb43e34817064820d93d1045c3b4

SHA256
954be3391d472e6ae26ec984adab37a49d741f3c24fbbe00a1bfbce2fcc4078b

SHA512
f80f272c0d0b466a77685e07f4ab053321c8e48075cc3a5e0283f8bdc9640e2551bf90289f84416436f8556affe95b780d3a59847cbd4ea5adec7a03c71fc16d

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe
Filesize
89KB

MD5
0df1031e46090f71eb772f3a6c9cac3d

SHA1
6bb947641c6bbaae9b46022ad55196661aa92089

SHA256
d71ec918d4c3e82becd9ef629abd619a9024822522b0a4cf2f3005b7d75bb816

SHA512
2e6215b022e9811260715b6babeb4a59943f12c328578cbbfc1fc1bcd90cae955532b8aead1399bc1edff3fd9ed9460b17fe544b2cfac631f6bf0bbfb73b1ad1

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe
Filesize
89KB

MD5
213021912ffc63e0634e1bcab15d33ee

SHA1
e1aaf4b0e6cc89748474a0917b40ea89bc278c64

SHA256
0375879485e0c40ce0014099d733ce0f49dd15bd77ceae3c473abaaef04e5d00

SHA512
99fdb268f10543accf889e0be83075bc61f5ba2d25bb8d0baad067155cf710f7060b65cc20e177e884a860c4ebf787d4411d3d82711c5300a35494b0ceb4d28c

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe
Filesize
89KB

MD5
55ecd5e30d00d632edde209c5a17e278

SHA1
3f7efd10e494b2f3a533413635de203d31ac7017

SHA256
675fd9910b55b142229bd589e486364a10d60db347b5bb17bc9ca9ac0d3edf3c

SHA512
01d36e4383659a58bbac02318213b821f07a67d539aacc8e04f192a685e47828328faec1ab95d53ff8780c710abb36c2d148d8d207f7514df2b279f93b62210b

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe
Filesize
89KB

MD5
ac7ea0f8bb7bd4bb7e86b3f23e8f9019

SHA1
5e3a046a87d6a03cc33f409bbfc885e6a1462a34

SHA256
84206503ad00bdc102bdd314c5bfb019652ecb8f5c3a9b92054d2d502562385e

SHA512
7e12e11491d8f153a59a42ae54e74fc039a1879d901fd0779ef4aa6a04c27596d5edaeb8147af576dffa88c8b32d6feb7046cb9856f23aea64ed450876aab237

Download Submit
C:\Windows\SysWOW64\Ibagcc32.exe
Filesize
89KB

MD5
e57219054cc8f7a315cf18260b464b1b

SHA1
a80ec41f93bc011cbc6e30314ec9bd56591ff4f7

SHA256
e69f1b1598231a22eb17bb95a4399c31eae4fae47abb34aa4d79f53348b7a248

SHA512
1d7766df9364ba225393e7b9a607a4c4b173f33083a0f39a2a97ea26a41f5c2f0bf0dace06805f875315fed84561291074ee50945263fcc684899c36b65513e8

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe
Filesize
89KB

MD5
41867c3e68bbb326f719eb762a62873d

SHA1
164d81104699982000132078066b4e7c5f04fd8b

SHA256
2aa22ccdc70130cf8a51b3fc95697842bfb5fa6493b08ee872e26877be10a364

SHA512
1aa96606a9c1a294e995df7848395f9b641ceb2063f1ec8f1f7c255717ae108b09ab31da3dc94375a539791521a336cc11cfe8b612ad4c7add3a338bb7f978c9

Download Submit
C:\Windows\SysWOW64\Ibmmhdhm.exe
Filesize
89KB

MD5
c989b9a2016ada04b40ee1992896e9ca

SHA1
1eba1807631a60203bdb99e81152ef385b0fa08a

SHA256
ccdf4499bb40917f633456076d9b27e616065cc0db7856c753e1e6284c3cc3db

SHA512
585addcc8e3cefa1a14cd82a2ffd7f8dd76eaea7a4981d494e1ccb7e52f72099faa6ea707db147734e99739d4a7edb98dcc77c17d59c4b01080b4734cc7f0dc7

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe
Filesize
89KB

MD5
a092ff0da59323d5397f084154a0e1cb

SHA1
545d079d0bbae7a4c5cbe6bd7eb974fa35e400ad

SHA256
867f660abfe924e63f93cbe027d29034a499d44c729d184475747f7b8dd4b090

SHA512
e12f1d17142433ee76f3c48cc3a680a0b49b1fc2d81a5d50ca935447a40d80f835ce15716e46f79ec381efed78af9fb7130646bf9e9efd6f383a09fcf6c8b5f8

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe
Filesize
89KB

MD5
911b7bc53caafcc3e93503bd3045980e

SHA1
76f39122467f7d320e7ed812da21ac7f2207bd05

SHA256
920e8cf554a81207be20107e6b8ff987dfbee5885bea15c24c03d8110e33779e

SHA512
0061be4363d5a92f43553c577d60ba62598e6b1a984df9bd5ebf2b100367ef31a9238378504a24b3f55cb08cbebf85c669827638482cee4e6a797158348c0853

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe
Filesize
89KB

MD5
571624250caff6d8efe8fd211808b6b1

SHA1
a37b5586b1e4f20693c3ff752a749d80813893dc

SHA256
6a8c0a9cdb679ccc96bd120101c8b7c2e2b79fb62e284ed0dc39567d86bfdf5e

SHA512
5aac7e96f781891e2c6c79bfd106055aead43a93e54be7ffc1cfb6106fb8a3d70b3df98bc638c59cd9b3e0b68b0a834a5969e5f77d15ca7abc667599ae7bd9f8

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe
Filesize
89KB

MD5
7d19f33eb46397cdd163c665d6747c8b

SHA1
d8d010c4c6bdfd98a3ea98b40bcf7bc6cf26a8a0

SHA256
de1ca1d4516c67b03377ef899075b133ca102db6ab56e1dd3419a64ab0a07665

SHA512
6e92a38df0d7c5822e7702da7530df6007dc4f007df4549ebad9930970cf8e0270295d373785443340d235438b21abefcc28add01ca8a21ec03d8d67e84aa60b

Download Submit
C:\Windows\SysWOW64\Ijkljp32.exe
Filesize
89KB

MD5
94665ee87a3c69347785f33249691101

SHA1
b6265ee7d1cc02724af49863e005d9e108b69db5

SHA256
07cf9ba74a4cd2a9eeed7e0d66c5cc000531262b1c38aed66308fa629f9b3085

SHA512
577811fa0b008c369aa8bdfea4fece2eee07d080f2d3e2e1efa53769029ca903a340cca4ee48fd0363d5f0300ae7e044ea4ac2d38d9a54d672bf454cc0c032a3

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe
Filesize
89KB

MD5
231f8ec146538328a40b8ad397f3f493

SHA1
592203419d969415c07400068e6db05c4a5992fb

SHA256
97ba3afb8116a4144679d740ada95f30eeac274457a3fb8c645a4f6a7a4ef877

SHA512
afe43be2bb2e8880dc5e99622d5e32f6ca5e7154fcc75132bd7f411f11a8895378fccc8b7ef6b93bc13bcc14f8a5c443a499041cb21e33b266e8376d88629332

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe
Filesize
89KB

MD5
f2c511b8bd44e519614b4b7f24c75db4

SHA1
3cef2482bafb80191cc1b5b97c0d46b71e006296

SHA256
1655515e20bab22f49ecf286eca781c1d7989761447ae158db618087d55ce81c

SHA512
d37ac4a18285e3b9c8ed805288d5e8345e1fdc0adb08c213837809a7b15dea8a95b3c2221c14dc063becf1db8f94842c54b473507014e7e6643a208ac31148d9

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe
Filesize
89KB

MD5
843153cbd7d60e67823b936ab3f8bae8

SHA1
05b26102bca387f83bf921689abfa350801c30c5

SHA256
32a04f75cbb34e12d1639611f0a6b5f8a45817ba52e9ad6b4194721463daf08d

SHA512
6e13a1bbe737685379244ce8fa9e140fa64645fb93f29a29491c02f3f6113ed280498849a6596a9d9e180dd81c1fbae8a553971b2f1d4c4be86b30627dd1b404

Download Submit
C:\Windows\SysWOW64\Jaljgidl.exe
Filesize
89KB

MD5
1170c6627492ca8b45d8431eabe247d4

SHA1
9665dd416ae80548fd1bd392e8bf47adaa7ac2b3

SHA256
1ae14de5fac22c5958f8a5edf61c43514c00283cae57bd9643f18a6973ab1a3e

SHA512
744ab30d68175d03b94e7d6784845c54522d740e3dc3ef1e1c1d05b52f410a5cb0c266adf5fe1e27c569f1736efe116076b76d6fe8f3d2dc8eb37fe6d22a85d1

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe
Filesize
89KB

MD5
33a41fc7f0bb633a9bee42784d786a0a

SHA1
e5f1b3e52d507eaf12b0933e5735d0d49ab5680e

SHA256
b57d4a3d1e10c655968d8c91b3cc0e3026aa739deb7a8edb7b60faf293852ebe

SHA512
5c759cdde85ad371f30540e9ea10ffae25a567488e0913a588b28aeb4d6feb614b6d3729bd998348c5b77b1d32d3b2dfff75e3892a2b6770c582d19d42930123

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe
Filesize
89KB

MD5
79b7910d532f424b870f811a98d3a338

SHA1
f05f97c011fa09a66b62cee44d138b350df967bc

SHA256
b3da1485cebd23871be92d5b919e475db621d90417c4d1c70995c66446efef67

SHA512
da2ecdf4b4643669e4d99e75208ee0960a58715b5a815da9249a479d9545d32fc7dec9d5346fc7a55e0d98c57bd2214862a8b8e8e488cfb09870be8da559f922

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe
Filesize
89KB

MD5
ef5dae878bcb672bcada19ecf83e8c54

SHA1
bdb0b858f18843842445bccdd02abcaa080e058d

SHA256
c968f67ed0b962a115821e94f10652a3387691446cadddd504eaa4f0ce409641

SHA512
4e96844e27a996e655445b0ca7677b7897247c278bb94694c8316b31340a5f8372c9fdcfd69ca5a381fb85b5596a39edfb177700b46434a95ee26e8234643a48

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe
Filesize
89KB

MD5
f397c2d8424ea1edd3a5dbf947dea4aa

SHA1
32564c017d399ae085e1ee38843692faebbcde1e

SHA256
2be7b3fc282ac5f14a187341acb88289e94c41d00882b6b5ad990d94bf1bce9c

SHA512
ff0a79420082d4dc1b27e5a5be6b589e6315e6c6ce13c901dc079077a930f8f92624b20ebe944c04678b8bb9ce74badc87826addb33cde807f310c870fb7dc2f

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe
Filesize
89KB

MD5
33cbee1332a8ddf171b3396b35bb7b57

SHA1
c7d8913b8e35731ada29ccf3e759b15923874efd

SHA256
d23e8e71562ed74f96f1db5ca340e2f19da9a409a5dfd06ca2168c2b7d30be29

SHA512
14fb976d6d8ba99cc653f172fbeadb14e0fc2a5fe0bf8bc5338833658c4a0f50f227d0ac41c45481362b2454838c7c215eaaf27e4eaa7c7e4406c8a26a706b72

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe
Filesize
89KB

MD5
9862795e727d8fa368af5f849c496187

SHA1
462732635cb2115ea546f3e06a955c3d09dbccdf

SHA256
0fe98a6f1967d861616391a0262e6593e52cdf33f8b029aac410d4b44d98d964

SHA512
07a74a2f2830e73e75cb83b246941a3633ffb3f0dff4ba6482672c7d8eed5e1a75ad074a04e17511bb964108d339150a7a8ee23882ea0f18866ab3b2c0577010

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe
Filesize
89KB

MD5
b843919c4aba58da79c9c305df0986f6

SHA1
9a59f88d5b6ef99aaf7e854d0376750d0bb3285c

SHA256
6f1469ae04c45cfa93f29c4fda4b7269fdd4937eb5eca59ed68f4f73199807ce

SHA512
bf78d30ddf4f9dc62930271049d6bf15ecd67f6928f341e75a21c47dc44954a7469e343ea1141c4e3eb1efc820548419d87b5fe8933597ebdfc9c01dd85e2217

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe
Filesize
89KB

MD5
1c5daeed25af302ae781aa2ea7e0da6a

SHA1
0b29daa02a1bf74f43ad86a8a45fe736fd0e0027

SHA256
cb9a5d10aca64934e1ae45c5066bc1fc102a29cfb4945050abb3b82973fb94d9

SHA512
122b2c20f08e5acd8cc2a021faeadf21047d4e1facf1548c532e4d680dcdf31b2c78fa347c7afc5dd293269e1218f15040b33ec2a0a2ad8782a709edad1cf326

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe
Filesize
89KB

MD5
506b774918391f26e72d1cb9336caf31

SHA1
695eed1277d6b7051920c56c2638b954755277a9

SHA256
afa82ac428defb43673099070125e417c98598b187e120a82af7ecc463b99cf9

SHA512
e4660b51540fd85511c41c32e97a0d19590049d7cfdaeeaea430093953813dcc78b976ff65ed8648cf7edd2ce9b67ed96f0db1acc13e43b54461106f30911524

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe
Filesize
89KB

MD5
483e19122fa50dcdc92d50dcee4768fb

SHA1
18896d0886830fef2c70418412283ebd5bcbb05f

SHA256
5116c22dd91da161c8691595f6eee2d22f2d6a5072dccb0ea362f3c8c8dcc250

SHA512
ad7d85fe623ef1cbbe831a39099d94591f2ec1569f7839f2dbbcb2ee279fdfff55773c86797819e3af6e90da5000171f507d1009b28eaceb0b3c4a5496089556

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe
Filesize
89KB

MD5
941f526701e585c08c5428bdad1de05a

SHA1
f54831ee0341598126913e948be4995cdc3eb1d1

SHA256
fb0ea97ff53c093b38334f72e0a7ce2d5b37f56ecd51b0d44d461fe5b02fa41b

SHA512
e3c347fa5aa14f5ef98de4820ae79136b1f6afffb06b068aab46cd509989f53b734a0a500d73eed33f4c519755c982622de5bd163c9f665541894faf7108cb99

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe
Filesize
89KB

MD5
73cd1a5e68ebfbf6ef8553e41b2abadd

SHA1
156f5e3a7fb66165fc06eb3b5afc898a8e0eb071

SHA256
05174ea7728d7547fac0b2d36d3a9e60906c81bdeb13b62c0eab690e1246a630

SHA512
3d97d0b8848124f907db81fab802a2aa93cd399d9260ca0f9c4900a1d90aec0ae197c21abb0e6e24e564e4ca552a7e3dc41f45daa7e62d5052570eeadb93233e

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe
Filesize
89KB

MD5
0f2163ae6c975b585556effcaa66cbe7

SHA1
13b1b8f389781d272636916c983e1745d3c1ad07

SHA256
936274029bbcad210fc746dad29d4ffc108d51caa0156b290a8e11f8e9a18f30

SHA512
51d2c1181628c67486c686a5bb7cdfc8b5471865aa162101b19360b018ca71b20b9a44056b1bbe4248dda105874619a4d09e93567db63aced1b66f5d0bcee658

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe
Filesize
89KB

MD5
c86765c13f757983d9bc2892c25a75ef

SHA1
e5997c049c3fc25a162fb174e37d41c905e13bad

SHA256
a4fdae9808a6b9622adfa2d4c0669f204b840cace757f19d9a9a819be1073a2d

SHA512
437d219e41b029ab66f585d26badd6aac8ae1ddf70cd39d11f6e1fb3f17a12fd3193349f990f53143b198706b4b61db05f156e8274fa8e5e389e32ba00956bb2

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe
Filesize
89KB

MD5
97087c0587d892349c46dd7d9b459c50

SHA1
29f0a9a62ae1ccf6641f8008b64f8d3a294e5c49

SHA256
1c10f251cc1407292f807109a7bfa9dff68ec2cc8cacbe74706bf5abe3d009d1

SHA512
1906682982c756055861cb37a9dd4c6d90516f60ddcdca7e87cc847bcfdccc1f83200d8b04289b84edc17f0a3ac70cade788266f491f30ebed3b8e919ec3bd91

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe
Filesize
89KB

MD5
5766e20dc4c3ae731674c61d448095d6

SHA1
bca6f8536450699db39e54584e1f8cd99bbd9535

SHA256
cb719804bcd655902aa6c374a5aa5da3c624649bd2b3159acca549cc3f6f2a80

SHA512
96eff25edea6044d302cd881f9caeaf98078536dddbad0b923db190db7ac7119ee0cc8ac368fabd8d2e5196315230b0f40f91b0c80343fad568b43572832ffbb

Download Submit
C:\Windows\SysWOW64\Lkbhbe32.dll
Filesize
7KB

MD5
7f0b2ad69fca11c1e69b72d006c4ab92

SHA1
3184b6930fdf3a8902e0bc2497175643dfa9b0db

SHA256
d6e90bd4ab9e4bb54abf9eac8e0b3d9adc7fc04c1657ab0aa6061abc0ce4c5bb

SHA512
efff58ab877c153e114c020e6f566066fc5090057c938df43382301c7a43f8a3b6a5b86a99b494176c1d2fc7410a26777409138bd491bc7b4916d67d371f9194

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe
Filesize
89KB

MD5
7d2b5a21f12b57c13586fccd4388ddc3

SHA1
6c793dc3fbf0522cacf737c85121b130f71b7f99

SHA256
1d8fe1f4c36f338a4f3c26b0ad34c3f764321a8061a4084ea1fe2c8ae70fd25c

SHA512
16e4f7d42abd50b1026c4e364f9336af4b828eecc676595967c7f9c677f494902f35b8524e12490ac9da0513515e4ac06689ff07bfa64f5bb4ce4007928ac2c6

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe
Filesize
89KB

MD5
873ed602c3c03e06c723801ca7c970d6

SHA1
628a71798c873f0a5e4e31ca14ac0f7c9a94f6bf

SHA256
8a35998dc24ab3c550e2b225e74cad2d38cd0d948bd1514ef447c2afcc99c895

SHA512
ea1489be930f754dc0e39ef4f144052d5bfb2c7649a061793004f8a9048969effc26294d87cfcb1bb22f5825227d77dac1755c8c4eb5bee1172437cdbecdf723

Download Submit
memory/232-401-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/232-334-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/336-141-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/336-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/460-361-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/460-295-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/620-224-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/620-321-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/696-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/696-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/816-369-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/816-438-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/884-245-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1036-422-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1152-313-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1216-99-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1216-192-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1240-453-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1256-429-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1268-345-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1356-402-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1388-442-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1488-415-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1632-408-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1676-347-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1676-286-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1848-244-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2036-319-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2180-97-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2180-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2260-48-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2260-132-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2536-243-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2536-142-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2540-193-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2548-169-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2548-281-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2588-115-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2588-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2604-151-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2604-260-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2716-277-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2716-344-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2724-440-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2888-262-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2996-123-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2996-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3128-159-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3128-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3388-310-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3388-205-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3408-387-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3408-322-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3684-177-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3684-90-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3704-275-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3704-160-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3728-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3728-150-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3916-395-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3984-381-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3984-448-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4020-302-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4020-368-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4028-288-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4028-178-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4040-428-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4040-362-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4088-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4088-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4196-261-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4308-116-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4308-204-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4312-328-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4312-394-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4528-355-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4528-421-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4660-28-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4680-196-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4680-107-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4748-223-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4748-134-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4852-197-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4852-301-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4892-168-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4892-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4928-348-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4928-414-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4952-289-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4952-354-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4964-388-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5004-276-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5008-379-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5044-124-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5044-218-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5108-219-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download