1435e06f4a58c62c491470bccc81a853639e1247f7542d6277f4786d0ccf1f90

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5098651bdb048ec7aed22255ea5e27c0_NeikiAnalytics.exe
Size

128KB
MD5

5098651bdb048ec7aed22255ea5e27c0
SHA1

8a917d2c3a3e5dc6508514d31f9668afe9c47ee4
SHA256

1435e06f4a58c62c491470bccc81a853639e1247f7542d6277f4786d0ccf1f90
SHA512

f506bf4f9d271101f85c3128f5ce779f47c07ed0948675abaa8cde18157bfb36c6b41010bd6f77e1f5b06af75f3589a63f494f26fab0946149ff38ea0b4f2a66
SSDEEP

3072:+9huZIEgqVqZtMhy9rcGD2/BhHmiImXJ2fYdV46nfPyxWhj8NCM/r:KEZ/XqsI9cA4BhHmNEcYj9nhV8NCU

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5098651bdb048ec7aed22255ea5e27c0_NeikiAnalytics.exeLiggbi32.exeNnmopdep.exeMgekbljc.exeNddkgonp.exeLphfpbdi.exeNqiogp32.exeKkihknfg.exeKdcijcke.exeLalcng32.exeKdhbec32.exeNcldnkae.exeLgpagm32.exeMaohkd32.exeNcihikcg.exeLnepih32.exeNacbfdao.exeKgphpo32.exeKkpnlm32.exeLaopdgcg.exeLdohebqh.exeLkiqbl32.exeNjcpee32.exeKacphh32.exeKknafn32.exeKmnjhioc.exeLcgblncm.exeMaaepd32.exeMdmegp32.exeLdmlpbbj.exeMcklgm32.exeNjogjfoj.exeKaqcbi32.exeKdffocib.exeMjhqjg32.exeNqklmpdd.exeKdopod32.exeMamleegg.exeNkjjij32.exeNkncdifl.exeMcbahlip.exeNgpjnkpf.exeKdaldd32.exeNjljefql.exeKgfoan32.exeNbkhfc32.exeLdaeka32.exeMkbchk32.exeMglack32.exeNqfbaq32.exeMnocof32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	5098651bdb048ec7aed22255ea5e27c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5098651bdb048ec7aed22255ea5e27c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe

Malware Dropper & Backdoor - Berbew 64 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
behavioral2/memory/992-0-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kaqcbi32.exe	family_berbew
behavioral2/memory/2844-13-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kdopod32.exe	family_berbew
behavioral2/memory/3448-16-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kkihknfg.exe	family_berbew
behavioral2/memory/2936-25-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kacphh32.exe	family_berbew
behavioral2/memory/4580-37-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kdaldd32.exe	family_berbew
behavioral2/memory/2848-41-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kgphpo32.exe	family_berbew
behavioral2/memory/2840-49-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kmjqmi32.exe	family_berbew
behavioral2/memory/3188-57-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kdcijcke.exe	family_berbew
behavioral2/memory/2948-64-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kknafn32.exe	family_berbew
behavioral2/memory/4576-73-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kmlnbi32.exe	family_berbew
behavioral2/memory/3100-81-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kdffocib.exe	family_berbew
behavioral2/memory/3652-89-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kkpnlm32.exe	family_berbew
behavioral2/memory/2448-97-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kmnjhioc.exe	family_berbew
behavioral2/memory/2836-104-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kdhbec32.exe	family_berbew
behavioral2/memory/2260-113-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kgfoan32.exe	family_berbew
behavioral2/memory/2828-121-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Lalcng32.exe	family_berbew
behavioral2/memory/3228-129-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Liggbi32.exe	family_berbew
behavioral2/memory/1308-140-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Laopdgcg.exe	family_berbew
behavioral2/memory/232-149-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Ldmlpbbj.exe	family_berbew
behavioral2/memory/2004-153-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Lnepih32.exe	family_berbew
behavioral2/memory/496-161-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Ldohebqh.exe	family_berbew
behavioral2/memory/4076-169-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Lkiqbl32.exe	family_berbew
behavioral2/memory/3116-176-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Ldaeka32.exe	family_berbew
behavioral2/memory/1612-184-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Lgpagm32.exe	family_berbew
behavioral2/memory/4284-193-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Lphfpbdi.exe	family_berbew
behavioral2/memory/2488-205-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Lcgblncm.exe	family_berbew
behavioral2/memory/2784-213-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Mnlfigcc.exe	family_berbew
behavioral2/memory/4628-221-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Mgekbljc.exe	family_berbew
behavioral2/memory/3184-225-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Mnocof32.exe	family_berbew
behavioral2/memory/4776-232-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Mcklgm32.exe	family_berbew
behavioral2/memory/1384-241-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Mkbchk32.exe	family_berbew
behavioral2/memory/4340-249-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Mamleegg.exe	family_berbew

Executes dropped EXE 55 IoCs

Processes:

Kaqcbi32.exeKdopod32.exeKkihknfg.exeKacphh32.exeKdaldd32.exeKgphpo32.exeKmjqmi32.exeKdcijcke.exeKknafn32.exeKmlnbi32.exeKdffocib.exeKkpnlm32.exeKmnjhioc.exeKdhbec32.exeKgfoan32.exeLalcng32.exeLiggbi32.exeLaopdgcg.exeLdmlpbbj.exeLnepih32.exeLdohebqh.exeLkiqbl32.exeLdaeka32.exeLgpagm32.exeLphfpbdi.exeLcgblncm.exeMnlfigcc.exeMgekbljc.exeMnocof32.exeMcklgm32.exeMkbchk32.exeMamleegg.exeMjhqjg32.exeMaohkd32.exeMdmegp32.exeMglack32.exeMjjmog32.exeMaaepd32.exeMcbahlip.exeNkjjij32.exeNjljefql.exeNacbfdao.exeNqfbaq32.exeNgpjnkpf.exeNjogjfoj.exeNqiogp32.exeNddkgonp.exeNkncdifl.exeNnmopdep.exeNqklmpdd.exeNcihikcg.exeNjcpee32.exeNbkhfc32.exeNcldnkae.exeNkcmohbg.exe

pid	process
2844	Kaqcbi32.exe
3448	Kdopod32.exe
2936	Kkihknfg.exe
4580	Kacphh32.exe
2848	Kdaldd32.exe
2840	Kgphpo32.exe
3188	Kmjqmi32.exe
2948	Kdcijcke.exe
4576	Kknafn32.exe
3100	Kmlnbi32.exe
3652	Kdffocib.exe
2448	Kkpnlm32.exe
2836	Kmnjhioc.exe
2260	Kdhbec32.exe
2828	Kgfoan32.exe
3228	Lalcng32.exe
1308	Liggbi32.exe
232	Laopdgcg.exe
2004	Ldmlpbbj.exe
496	Lnepih32.exe
4076	Ldohebqh.exe
3116	Lkiqbl32.exe
1612	Ldaeka32.exe
4284	Lgpagm32.exe
2488	Lphfpbdi.exe
2784	Lcgblncm.exe
4628	Mnlfigcc.exe
3184	Mgekbljc.exe
4776	Mnocof32.exe
1384	Mcklgm32.exe
4340	Mkbchk32.exe
1760	Mamleegg.exe
5040	Mjhqjg32.exe
4572	Maohkd32.exe
4280	Mdmegp32.exe
2252	Mglack32.exe
1796	Mjjmog32.exe
2968	Maaepd32.exe
1496	Mcbahlip.exe
3976	Nkjjij32.exe
3112	Njljefql.exe
1040	Nacbfdao.exe
2580	Nqfbaq32.exe
3492	Ngpjnkpf.exe
4184	Njogjfoj.exe
5112	Nqiogp32.exe
2708	Nddkgonp.exe
4088	Nkncdifl.exe
452	Nnmopdep.exe
2416	Nqklmpdd.exe
3340	Ncihikcg.exe
4436	Njcpee32.exe
1236	Nbkhfc32.exe
2020	Ncldnkae.exe
460	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

Processes:

5098651bdb048ec7aed22255ea5e27c0_NeikiAnalytics.exeKmjqmi32.exeKmlnbi32.exeLaopdgcg.exeNkncdifl.exeKgphpo32.exeMnocof32.exeMkbchk32.exeMjhqjg32.exeMdmegp32.exeNqklmpdd.exeKdopod32.exeKdhbec32.exeNacbfdao.exeNcldnkae.exeKkihknfg.exeLkiqbl32.exeMnlfigcc.exeNcihikcg.exeMamleegg.exeMcbahlip.exeNgpjnkpf.exeKaqcbi32.exeLnepih32.exeLcgblncm.exeMaaepd32.exeKkpnlm32.exeLgpagm32.exeKmnjhioc.exeNqfbaq32.exeNqiogp32.exeLdohebqh.exeLphfpbdi.exeMgekbljc.exeMcklgm32.exeNjcpee32.exeMaohkd32.exeMjjmog32.exeNkjjij32.exeNbkhfc32.exeKknafn32.exeKdffocib.exeLalcng32.exeLdmlpbbj.exeNnmopdep.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Kaqcbi32.exe	5098651bdb048ec7aed22255ea5e27c0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kmjqmi32.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Kmjqmi32.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Enbofg32.dll	Kdopod32.exe
File opened for modification	C:\Windows\SysWOW64\Kgfoan32.exe	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Kaqcbi32.exe	5098651bdb048ec7aed22255ea5e27c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	Kaqcbi32.exe
File opened for modification	C:\Windows\SysWOW64\Kmjqmi32.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Kkihknfg.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kkihknfg.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3700 460 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
3700	460	WerFault.exe	Nkcmohbg.exe

Modifies registry class 64 IoCs

Processes:

Njljefql.exeNjogjfoj.exeKmjqmi32.exeKdcijcke.exeKmnjhioc.exeMglack32.exeLdmlpbbj.exeLdohebqh.exeLgpagm32.exeMnlfigcc.exeKkihknfg.exeKacphh32.exeKgphpo32.exeKkpnlm32.exeMdmegp32.exeNgpjnkpf.exeNcldnkae.exeLaopdgcg.exeLphfpbdi.exeMkbchk32.exeNacbfdao.exeLkiqbl32.exeMjjmog32.exeKdopod32.exeNddkgonp.exeNnmopdep.exeNjcpee32.exeKknafn32.exeLiggbi32.exeMnocof32.exeMamleegg.exe5098651bdb048ec7aed22255ea5e27c0_NeikiAnalytics.exeLalcng32.exeMcbahlip.exeNkjjij32.exeNbkhfc32.exeMcklgm32.exeNkncdifl.exeNqklmpdd.exeKgfoan32.exeNqiogp32.exeNcihikcg.exeMgekbljc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpkbc32.dll"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	5098651bdb048ec7aed22255ea5e27c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	5098651bdb048ec7aed22255ea5e27c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5098651bdb048ec7aed22255ea5e27c0_NeikiAnalytics.exeKaqcbi32.exeKdopod32.exeKkihknfg.exeKacphh32.exeKdaldd32.exeKgphpo32.exeKmjqmi32.exeKdcijcke.exeKknafn32.exeKmlnbi32.exeKdffocib.exeKkpnlm32.exeKmnjhioc.exeKdhbec32.exeKgfoan32.exeLalcng32.exeLiggbi32.exeLaopdgcg.exeLdmlpbbj.exeLnepih32.exeLdohebqh.exe

description	pid	process	target process
PID 992 wrote to memory of 2844	992	5098651bdb048ec7aed22255ea5e27c0_NeikiAnalytics.exe	Kaqcbi32.exe
PID 992 wrote to memory of 2844	992	5098651bdb048ec7aed22255ea5e27c0_NeikiAnalytics.exe	Kaqcbi32.exe
PID 992 wrote to memory of 2844	992	5098651bdb048ec7aed22255ea5e27c0_NeikiAnalytics.exe	Kaqcbi32.exe
PID 2844 wrote to memory of 3448	2844	Kaqcbi32.exe	Kdopod32.exe
PID 2844 wrote to memory of 3448	2844	Kaqcbi32.exe	Kdopod32.exe
PID 2844 wrote to memory of 3448	2844	Kaqcbi32.exe	Kdopod32.exe
PID 3448 wrote to memory of 2936	3448	Kdopod32.exe	Kkihknfg.exe
PID 3448 wrote to memory of 2936	3448	Kdopod32.exe	Kkihknfg.exe
PID 3448 wrote to memory of 2936	3448	Kdopod32.exe	Kkihknfg.exe
PID 2936 wrote to memory of 4580	2936	Kkihknfg.exe	Kacphh32.exe
PID 2936 wrote to memory of 4580	2936	Kkihknfg.exe	Kacphh32.exe
PID 2936 wrote to memory of 4580	2936	Kkihknfg.exe	Kacphh32.exe
PID 4580 wrote to memory of 2848	4580	Kacphh32.exe	Kdaldd32.exe
PID 4580 wrote to memory of 2848	4580	Kacphh32.exe	Kdaldd32.exe
PID 4580 wrote to memory of 2848	4580	Kacphh32.exe	Kdaldd32.exe
PID 2848 wrote to memory of 2840	2848	Kdaldd32.exe	Kgphpo32.exe
PID 2848 wrote to memory of 2840	2848	Kdaldd32.exe	Kgphpo32.exe
PID 2848 wrote to memory of 2840	2848	Kdaldd32.exe	Kgphpo32.exe
PID 2840 wrote to memory of 3188	2840	Kgphpo32.exe	Kmjqmi32.exe
PID 2840 wrote to memory of 3188	2840	Kgphpo32.exe	Kmjqmi32.exe
PID 2840 wrote to memory of 3188	2840	Kgphpo32.exe	Kmjqmi32.exe
PID 3188 wrote to memory of 2948	3188	Kmjqmi32.exe	Kdcijcke.exe
PID 3188 wrote to memory of 2948	3188	Kmjqmi32.exe	Kdcijcke.exe
PID 3188 wrote to memory of 2948	3188	Kmjqmi32.exe	Kdcijcke.exe
PID 2948 wrote to memory of 4576	2948	Kdcijcke.exe	Kknafn32.exe
PID 2948 wrote to memory of 4576	2948	Kdcijcke.exe	Kknafn32.exe
PID 2948 wrote to memory of 4576	2948	Kdcijcke.exe	Kknafn32.exe
PID 4576 wrote to memory of 3100	4576	Kknafn32.exe	Kmlnbi32.exe
PID 4576 wrote to memory of 3100	4576	Kknafn32.exe	Kmlnbi32.exe
PID 4576 wrote to memory of 3100	4576	Kknafn32.exe	Kmlnbi32.exe
PID 3100 wrote to memory of 3652	3100	Kmlnbi32.exe	Kdffocib.exe
PID 3100 wrote to memory of 3652	3100	Kmlnbi32.exe	Kdffocib.exe
PID 3100 wrote to memory of 3652	3100	Kmlnbi32.exe	Kdffocib.exe
PID 3652 wrote to memory of 2448	3652	Kdffocib.exe	Kkpnlm32.exe
PID 3652 wrote to memory of 2448	3652	Kdffocib.exe	Kkpnlm32.exe
PID 3652 wrote to memory of 2448	3652	Kdffocib.exe	Kkpnlm32.exe
PID 2448 wrote to memory of 2836	2448	Kkpnlm32.exe	Kmnjhioc.exe
PID 2448 wrote to memory of 2836	2448	Kkpnlm32.exe	Kmnjhioc.exe
PID 2448 wrote to memory of 2836	2448	Kkpnlm32.exe	Kmnjhioc.exe
PID 2836 wrote to memory of 2260	2836	Kmnjhioc.exe	Kdhbec32.exe
PID 2836 wrote to memory of 2260	2836	Kmnjhioc.exe	Kdhbec32.exe
PID 2836 wrote to memory of 2260	2836	Kmnjhioc.exe	Kdhbec32.exe
PID 2260 wrote to memory of 2828	2260	Kdhbec32.exe	Kgfoan32.exe
PID 2260 wrote to memory of 2828	2260	Kdhbec32.exe	Kgfoan32.exe
PID 2260 wrote to memory of 2828	2260	Kdhbec32.exe	Kgfoan32.exe
PID 2828 wrote to memory of 3228	2828	Kgfoan32.exe	Lalcng32.exe
PID 2828 wrote to memory of 3228	2828	Kgfoan32.exe	Lalcng32.exe
PID 2828 wrote to memory of 3228	2828	Kgfoan32.exe	Lalcng32.exe
PID 3228 wrote to memory of 1308	3228	Lalcng32.exe	Liggbi32.exe
PID 3228 wrote to memory of 1308	3228	Lalcng32.exe	Liggbi32.exe
PID 3228 wrote to memory of 1308	3228	Lalcng32.exe	Liggbi32.exe
PID 1308 wrote to memory of 232	1308	Liggbi32.exe	Laopdgcg.exe
PID 1308 wrote to memory of 232	1308	Liggbi32.exe	Laopdgcg.exe
PID 1308 wrote to memory of 232	1308	Liggbi32.exe	Laopdgcg.exe
PID 232 wrote to memory of 2004	232	Laopdgcg.exe	Ldmlpbbj.exe
PID 232 wrote to memory of 2004	232	Laopdgcg.exe	Ldmlpbbj.exe
PID 232 wrote to memory of 2004	232	Laopdgcg.exe	Ldmlpbbj.exe
PID 2004 wrote to memory of 496	2004	Ldmlpbbj.exe	Lnepih32.exe
PID 2004 wrote to memory of 496	2004	Ldmlpbbj.exe	Lnepih32.exe
PID 2004 wrote to memory of 496	2004	Ldmlpbbj.exe	Lnepih32.exe
PID 496 wrote to memory of 4076	496	Lnepih32.exe	Ldohebqh.exe
PID 496 wrote to memory of 4076	496	Lnepih32.exe	Ldohebqh.exe
PID 496 wrote to memory of 4076	496	Lnepih32.exe	Ldohebqh.exe
PID 4076 wrote to memory of 3116	4076	Ldohebqh.exe	Lkiqbl32.exe

C:\Users\Admin\AppData\Local\Temp\5098651bdb048ec7aed22255ea5e27c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5098651bdb048ec7aed22255ea5e27c0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\SysWOW64\Kaqcbi32.exe
C:\Windows\system32\Kaqcbi32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2844

C:\Windows\SysWOW64\Kdopod32.exe
C:\Windows\system32\Kdopod32.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3448

C:\Windows\SysWOW64\Kkihknfg.exe
C:\Windows\system32\Kkihknfg.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2936

C:\Windows\SysWOW64\Kacphh32.exe
C:\Windows\system32\Kacphh32.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4580

C:\Windows\SysWOW64\Kdaldd32.exe
C:\Windows\system32\Kdaldd32.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\SysWOW64\Kgphpo32.exe
C:\Windows\system32\Kgphpo32.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2840

C:\Windows\SysWOW64\Kmjqmi32.exe
C:\Windows\system32\Kmjqmi32.exe
8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3188

C:\Windows\SysWOW64\Kdcijcke.exe
C:\Windows\system32\Kdcijcke.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\SysWOW64\Kknafn32.exe
C:\Windows\system32\Kknafn32.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4576

C:\Windows\SysWOW64\Kmlnbi32.exe
C:\Windows\system32\Kmlnbi32.exe
11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3100

C:\Windows\SysWOW64\Kdffocib.exe
C:\Windows\system32\Kdffocib.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3652

C:\Windows\SysWOW64\Kkpnlm32.exe
C:\Windows\system32\Kkpnlm32.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2448

C:\Windows\SysWOW64\Kmnjhioc.exe
C:\Windows\system32\Kmnjhioc.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2836

C:\Windows\SysWOW64\Kdhbec32.exe
C:\Windows\system32\Kdhbec32.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\SysWOW64\Kgfoan32.exe
C:\Windows\system32\Kgfoan32.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2828

C:\Windows\SysWOW64\Lalcng32.exe
C:\Windows\system32\Lalcng32.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3228

C:\Windows\SysWOW64\Liggbi32.exe
C:\Windows\system32\Liggbi32.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\SysWOW64\Laopdgcg.exe
C:\Windows\system32\Laopdgcg.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:232

C:\Windows\SysWOW64\Ldmlpbbj.exe
C:\Windows\system32\Ldmlpbbj.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\Lnepih32.exe
C:\Windows\system32\Lnepih32.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:496

C:\Windows\SysWOW64\Ldohebqh.exe
C:\Windows\system32\Ldohebqh.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\SysWOW64\Lkiqbl32.exe
C:\Windows\system32\Lkiqbl32.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3116

C:\Windows\SysWOW64\Ldaeka32.exe
C:\Windows\system32\Ldaeka32.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1612

C:\Windows\SysWOW64\Lgpagm32.exe
C:\Windows\system32\Lgpagm32.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4284

C:\Windows\SysWOW64\Lphfpbdi.exe
C:\Windows\system32\Lphfpbdi.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2488

C:\Windows\SysWOW64\Lcgblncm.exe
C:\Windows\system32\Lcgblncm.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2784

C:\Windows\SysWOW64\Mnlfigcc.exe
C:\Windows\system32\Mnlfigcc.exe
28⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4628

C:\Windows\SysWOW64\Mgekbljc.exe
C:\Windows\system32\Mgekbljc.exe
29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3184

C:\Windows\SysWOW64\Mnocof32.exe
C:\Windows\system32\Mnocof32.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4776

C:\Windows\SysWOW64\Mcklgm32.exe
C:\Windows\system32\Mcklgm32.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1384

C:\Windows\SysWOW64\Mkbchk32.exe
C:\Windows\system32\Mkbchk32.exe
32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4340

C:\Windows\SysWOW64\Mamleegg.exe
C:\Windows\system32\Mamleegg.exe
33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1760

C:\Windows\SysWOW64\Mjhqjg32.exe
C:\Windows\system32\Mjhqjg32.exe
34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5040

C:\Windows\SysWOW64\Maohkd32.exe
C:\Windows\system32\Maohkd32.exe
35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4572

C:\Windows\SysWOW64\Mdmegp32.exe
C:\Windows\system32\Mdmegp32.exe
36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4280

C:\Windows\SysWOW64\Mglack32.exe
C:\Windows\system32\Mglack32.exe
37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2252

C:\Windows\SysWOW64\Mjjmog32.exe
C:\Windows\system32\Mjjmog32.exe
38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1796

C:\Windows\SysWOW64\Maaepd32.exe
C:\Windows\system32\Maaepd32.exe
39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2968

C:\Windows\SysWOW64\Mcbahlip.exe
C:\Windows\system32\Mcbahlip.exe
40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1496

C:\Windows\SysWOW64\Nkjjij32.exe
C:\Windows\system32\Nkjjij32.exe
41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3976

C:\Windows\SysWOW64\Njljefql.exe
C:\Windows\system32\Njljefql.exe
42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3112

C:\Windows\SysWOW64\Nacbfdao.exe
C:\Windows\system32\Nacbfdao.exe
43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1040

C:\Windows\SysWOW64\Nqfbaq32.exe
C:\Windows\system32\Nqfbaq32.exe
44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2580

C:\Windows\SysWOW64\Ngpjnkpf.exe
C:\Windows\system32\Ngpjnkpf.exe
45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3492

C:\Windows\SysWOW64\Njogjfoj.exe
C:\Windows\system32\Njogjfoj.exe
46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4184

C:\Windows\SysWOW64\Nqiogp32.exe
C:\Windows\system32\Nqiogp32.exe
47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5112

C:\Windows\SysWOW64\Nddkgonp.exe
C:\Windows\system32\Nddkgonp.exe
48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2708

C:\Windows\SysWOW64\Nkncdifl.exe
C:\Windows\system32\Nkncdifl.exe
49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4088

C:\Windows\SysWOW64\Nnmopdep.exe
C:\Windows\system32\Nnmopdep.exe
50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:452

C:\Windows\SysWOW64\Nqklmpdd.exe
C:\Windows\system32\Nqklmpdd.exe
51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2416

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3340

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4436

C:\Windows\SysWOW64\Nbkhfc32.exe
C:\Windows\system32\Nbkhfc32.exe
54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1236

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2020

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
56⤵
- Executes dropped EXE
PID:460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 460 -s 400
57⤵
- Program crash
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 460 -ip 460
1⤵
PID:3932

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kacphh32.exe
Filesize
128KB

MD5
48122f6b5e0515222acb1c41cd732a0f

SHA1
1dc3d5af15a5761d199fef0bc689a98a96248a78

SHA256
720775d9313f5ac50202c66507e26ee5c443b72be0f3994118060129cd9e9715

SHA512
cfb2b98f692ad6c2f1c5f9efbe0e1410da9c21b0933085da38d5837c11d117bb0a5b607d8a013bd0ae6cce1e596566351ba7d58c98b6fc6d93c1d63cdc94480e

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe
Filesize
128KB

MD5
bd734e70d9b0082c67bf03db1a9561c8

SHA1
0633a77cb4b2b98c9f751a07167e9e9d3da6f464

SHA256
d2b488927a838673ab50117a29e5ca95df217e9f3ede47c8684d950e8b2c2ed6

SHA512
69440122e3c5446db3d3fadd87865c08c0d06de10adab2ba55fef623a25133d6f8b571effeefa921af17b03282b0c38d587b46b850f70ce2d21bae19f622ae2d

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe
Filesize
128KB

MD5
0e40e61e9544a74bb00d9ea8c6eb5118

SHA1
536a869ae7865ad64597589ea1cb7a98fd88a040

SHA256
f43b5dd95a3242721ddd42dda07d4955b68534100182ea059de1e75c7511badb

SHA512
ff4f8031817c2c3470ee2d8204c364e7f4e1d1184f962f17e2976e8b2109c9ef46cac502612607db7f876ee4fcdfb1078da99ca77084e00bf28fbe9c25e6223f

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe
Filesize
128KB

MD5
a7570dcc89cbee658d3f580f2afa1198

SHA1
d3fb8246b3b9266dd276a9579dbb19490664d1e4

SHA256
044f36624b77163e9275cf5c83beffa568f470005be586ab1b8ac554997d9a5c

SHA512
1c881acb720faa4c1efcf796aa698846fab70a5813e34d692f88187cf4f750514354763f9af1ebf842302cd31bcf12ac29e2fcf250ecd3f9f19bbf5234f1c580

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe
Filesize
128KB

MD5
9414499c45fe68fb5e448b40880e9579

SHA1
316d8ec2ce2bf7b32b860d0e116b94b011f0abf4

SHA256
f3f6325772c2b5384e259736b79157db2f35d6a7293b34696f5c9259d2a5d2a5

SHA512
2198f5b92e571befcf96669162661c870fd1b4343982aa1f6182ced8974a768f83f84045e3e1d049ebbaba3fab32c7138f600f27cc5c9b208f452bb0148a1987

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe
Filesize
128KB

MD5
b514b900c1a97ddd41bee3d85176eee0

SHA1
4d166d6154dcae393ddde9f2220d3544c936a055

SHA256
b109902dd33856bca89c4c9ad5a0c7ca14f1abe1b25fd4537f732a4a6c847af7

SHA512
119195c2d41c09c8d2f23df9059d0e49350097a9470e4488d45709f3ea2c5a55862a457a68ec79c41945bf921daec6016c7af1d535cf47bc92006065e9426442

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe
Filesize
128KB

MD5
f9e61ea487223d9e511466e46dc03443

SHA1
cece0f0bcefc618ae1a77dd8ace1ebc4e2d92eee

SHA256
a35d9ccd1d1aa611ab87b286814d326f410337f96434845e6672d7f7f0d6d1f4

SHA512
7403afbe5cdf14ad16232d317ac5abeb1f5e4213d7a1daa6e0fcfd347c400485cffd59f360a15d3c1265e61eb48ff822b8020ac07d3fd5a7d15ea568738a0549

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe
Filesize
128KB

MD5
5148984d7afcafa8e846c54e5f97694a

SHA1
fd17b75b269b3a8dd9165c2e8c4e588d188de993

SHA256
8f2ae6774d741a569a19ab85bb5095f5d3bd374f8d7d7f73182a7bc2ea4972bc

SHA512
8178c40739d57b3f5275b97d96754bf4213eb430d7acfe879d96e11325552e38c912d7c2d344dcd97e805975f6a3d6937e46ebe17812fe2b4e62d9604542b4be

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe
Filesize
128KB

MD5
23e14feee9c64c6a984f3ceee6d04abf

SHA1
02aa7605a058c7c14ad3e790808f5a4a7725e4e1

SHA256
f955b02302c3b9b03f8e43b1234332e840b063db796abfa1382b04a1f28e98c0

SHA512
7d06c354b435bfaad08077db2aa69e2faab14beeb4c8a73c227feb4db5e8cb4d1cbcffff51c8a0f7273fb537c1e57868982bb24162fb0905af353662b29aeb61

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe
Filesize
128KB

MD5
3d79c31ecd9ef1172fd57077f55eb55f

SHA1
b8ebad5d84a04aaa117ede3b848c9d501efd1717

SHA256
9396a9a81e81d564b29be191dc66ef334a7843f70867f59ac1db80ad8e623bca

SHA512
b3834ad56c5400f72ac3449f6d73aa7a669640de0166cfd5baff5c87e0bc97e7b5529140fb7353224b174a5e2378744a286e98ddd49476f167f2eb1c7f8ae14d

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe
Filesize
128KB

MD5
1f1871805b72133534228d1b30e6472f

SHA1
b3cfa7310674a715fa8a5ea0754bf5a699e6a9e2

SHA256
a0a6f42b0490c031b44de20c1e60c5f01169a0e38a2f301079b3c8b92dff2bf6

SHA512
d8b79e3a424db1db6b561cc66271bd1d30ce3f0272bb6e74213be6fd7e72e11903d66dc244afb475459ed02d7d53bec2a7d1aaa89d85be7c09f0b7d35a1f709a

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe
Filesize
128KB

MD5
e9cd8393bba28d06a3c9ac31b7c2fc7c

SHA1
c79c4d99db32fde4cff128892be81ffed92c0d7a

SHA256
fb2fd9cf952c37d129487d643a1d183b2a6cc02e0952046d15dbb18d0c668038

SHA512
f129dd7c173354d871def0278c1354402241657be71f39ba38b361db1847b9b73887f204544a6c9958f58a8a3479442055dedef7270628516eaae759e3aa7ff4

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe
Filesize
128KB

MD5
c185999a25be399066d3ca308e856d32

SHA1
0946440cc2f072dc254e1a629412cc36de232a80

SHA256
70afee1d425ef09be7da98773a36f71e65109b42ed1a36fe535679dff3ce9100

SHA512
c1c753afa0012172eb6e6b187c00af3f7e5ecd6ae8a5d633a79413d95ea5999b64f4e156b1a637dff96f799459ea539fcc76ead70f2d68166dad30c87401d971

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe
Filesize
128KB

MD5
9150af168f7b27ad419652645bee2354

SHA1
f88e33d15c1a62b8bc508a742c6a18767d47c4e2

SHA256
5b894d5850ef4c7bf77953dfc4ae4d0e945c2f2d03d5e3f053c454365721f25d

SHA512
9aaf96cc619a6e4850d340db12a0ae5fe767253648142096669dc51cda32527661ccef2baf350c2ef60ec853ac0d55b6341d81f358033a4a34a40e640598de50

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe
Filesize
128KB

MD5
a67d651bb2c6521e75bf17ba72b79bd8

SHA1
e0dae33cdd6e8781c7b1e3a6e2598dbfd43b0b10

SHA256
45cc85059aaa89723372f8b767775f5936f96d57bcc70741d60158308274b7db

SHA512
3c60ac5cae795d6116de82b0d41fb214111466796a1cc51f4d1e9c879ca5ed89028b4c3692eff7496858412ac53a94e37fe0837552e383c9d9a7f3c2d8c0bec6

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe
Filesize
128KB

MD5
c910fc801dd4ae2eb58c88adb425d724

SHA1
f9f68cfd21ccd236a26dbe117192aba1d5db24b6

SHA256
0ea1b6e2046242ed5b921c505397100d175bf6ecfb1ff47f57173cf3ef655b87

SHA512
58c225237e18824c3f92298554048472e85792097b3ea7757e99b1c422cf8a1918334acc67b971bdbc6cdea9ad618d754e5d50f6732bc5e9e49df1853e61b937

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe
Filesize
128KB

MD5
0f9606f30a8bcb117b458044213aa224

SHA1
6a275f127ef06965d4639b21a5c3e985a320c738

SHA256
3c0725e32d8fc4c1b0eab9e8ee6e5aee4d09d463b8427ff047a241a8b46c3a8b

SHA512
d6f1bfcafd4512bdc4a43c83b305746921cdac4511c7c07276f576522561b69ab9235da88908124c65fd1380a73e2333e218b47c6370cbf506e0e03f4599ae9b

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe
Filesize
128KB

MD5
d7c0f943f9ee546b8edc8e871c2e231b

SHA1
de17d58ebc2e3c21f985d45a413b48fac779b56f

SHA256
2a74c0cd41014edd358a1cc0be1b66c6a880886d6315c1e19009c817c9ef7007

SHA512
c6be072993aef85264bb2b85b041440921f6dd9480a0efcb1af53c67ab5d627bbabf6c700a43bcbf74a2888fb9277f81ee47d4f5c1a6c20ca4aa975ce91f56fc

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe
Filesize
128KB

MD5
8ba223c1e4d2693e79d6623948b3e007

SHA1
2b130f5edfedd67f4622322bd7d07b8b983db817

SHA256
dcc988b0ef584d6feacf8086ea9a161b122a4d22e9283263b2556489dc44a652

SHA512
3e7f903287c50fc6a45fae57cab5015ec4e6d0364835d8d8ff724ee2d80d1dd549b3173ae932ba620e6053b045c0671da4b10223788b2287e575a142f81c3ad1

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe
Filesize
128KB

MD5
2a6e6e9f0498c9246b6256610b3cb254

SHA1
79c21d4fc8383ac278bd00e3bf66c2c17246c2d9

SHA256
22cec26d3ca7425d63e3da08ec3736ea8418462685a839867379cf44661567d8

SHA512
d6f091f9e9fc6735e0a246132a5cbb8cc702b0faea5e2c7be2774145d5a71cab167d0436b5d93388b78911991c8e711159e262ddee2f1d7a63d70689a9320355

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe
Filesize
128KB

MD5
e38c35a294b13c66b96ef817fef2b1ee

SHA1
21914c73848c38a71bce29a17694e3d69e4140e5

SHA256
2edc2fe91623b545941cf7860d1d3c6ada6b6df4c332ca73ca6327ad2374768d

SHA512
7d48e66084e52804f681dd7df797109c103a26aa9f2f49e58c0bd911a7a92d2327d27607a9d8a0f3c01cc5cc37324013c2871e652e8f9dc865753b7bd3fc07cb

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe
Filesize
128KB

MD5
c4494f35f0b2ab9ee21daa6256516cba

SHA1
2ac37c94daad1e2dcaac05a8c2ff7cbda39781c4

SHA256
081bf49bd37eec9fe17bc35bcffea2edf744f01d86355af72b3617b3d918e374

SHA512
41b8ae37fa339e034b1879cc4d3179cf5619eade2405543dc05f2caea631ed0f10b9864ff4d981846df41174fb465766321b2432fde75a1e51899c4e6c29a634

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe
Filesize
128KB

MD5
abcd6624b6fcb581a33e9b9859588c61

SHA1
dd7bb72172f78c8f69815619618eb4fa402f072e

SHA256
aa0a82b7b7b4407a92812484f55e291e7aea1ae28f0ffcfcac330ce9d73cc673

SHA512
1f8490b5e73ddc311db30f734c761514e366e6d31f197d78e5274fcf706982393f638dddfae5b8378e302af07a82d572fd80bc98409c96e616a6d610d3bab765

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe
Filesize
128KB

MD5
c643e8bdd2858cd6739bc4ad364295a3

SHA1
00405ae51531f8d6d4859335dc50947135914345

SHA256
657e7f550c3a8da1ee708b24475979762869a102624570d711afc8da86bd3ecd

SHA512
16800e6dce5844bc735bad254e651bfdfaa9794454f901a209be5930ed2cf9f6920d02ea989a1d55a3d8ad2c0e43f63851a45f4ad019fd8698f2555252954eb5

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe
Filesize
128KB

MD5
5bedf124d4cc8ef271a45cdf18c1448d

SHA1
1042e82fd47f0826e225c7bc0e9fb089b8d09bf6

SHA256
490317a6c467be618f6670e390fab40a7973c9d4ce0ac46718b0b0c6de217fdd

SHA512
4d14a6ce61a5c45969862cd19cf5786089c866a0ddf3bbd230fa7c63dbdafd5082967f010134864c69f49fc01915e3b7aa38d67c5fde7fa1381b412fb2de95ea

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe
Filesize
128KB

MD5
7b7f4630f41dd1865aa2a850b0f534d3

SHA1
28da6b1962919e64f0a68bd0195f43dfa528e2a5

SHA256
629109c284f66612e0f12b6191de300a59cf82cb56606fe3f60c0b67f3e6bc4e

SHA512
6ef53d63e17774de962ef103abe2be9428ae6c8b4977894bea1946658dfb1a2db2dba290d015855012974c6f9a095e380bd64987d4a6a4b6c51802e5c3f75214

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe
Filesize
128KB

MD5
58d9243ca8f14b98b6a162f61f06d3c8

SHA1
f3acedab25f3b0ae22417f19388d17f266f1aa0d

SHA256
50960087dda2416b0b4b5e3bf6fdf828c236225f77e51767aff04846dde101d0

SHA512
679264a619d223f972c590185d2df10b0a40ef4bd746ed120674501772a816e459731cbb13ea5a409702d09363dade0ea13da6dbf1fdc4f7666452c078c22be7

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe
Filesize
128KB

MD5
a634541a53fa0be29ce56f020f3e0a80

SHA1
f2ee9974d304730e25b5b882383a7379387ff468

SHA256
283d0e2164b1fad6623dacdf8347127c57155d82874de2ed8c76c6125659308b

SHA512
da69fa2aec4fc6f83cfeae50c4173d2c982ce7dab5162f959c2c234e4153e784e1a24de4e03681f7cf71b1ad7ed84933d80bac0e945480e15114eb2de812c19c

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe
Filesize
128KB

MD5
7b85e19b2fdf72c6237c5e1188a689e8

SHA1
6ede7172183955e8adfc9b406856e9a73c36639d

SHA256
c2a653f09a7185873a5cdaf2baf0c10030e4fd9bfbed4d7064cfc66511f9b244

SHA512
b320b1df7aa268d74c4edc63f88038a498d260a4375fc35fb315e0700001242bf6f8551fe32a424583a3285c002c745ed34f5d6065f194b7c686d8a73161e46b

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe
Filesize
128KB

MD5
c48229169b3f271e6cf940ee813e34c4

SHA1
f61e54eb5aa7082a9bf662081db971e8e3195802

SHA256
2e2845de92e666ad1054fbcd89024d3c2bfb03357e14efdc9e333d0d7d58eb41

SHA512
9710ac1171224cd7f98fcab6155ccbbe6eb3ff0371a0634dc830b5cbeb7b6fdfc73bd18ee89a1dd2d2be6695a0def47ec1521f6ad663948d4e10475a21d18c03

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe
Filesize
128KB

MD5
43970b3b07e93cb51b576240dcd328f2

SHA1
e98b6cc39feb8491b2a943e96152746397f49b0b

SHA256
b152ec5808dacb8547d50faf1a01664e011e2ef62a2d5e0e7302b200d81419be

SHA512
b1525880340d4f26745b0f68400b9c8d2fba42d916f3fd02735b921d770063cf8d3053900952889e964cffbbfaef320c181f5b12f806cdf5d1d123d960a32bc8

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe
Filesize
128KB

MD5
cb01b9db5e5658aec5ef494ef4853580

SHA1
65420adba38b30ea9cd5c045e0d0d6d48fc83e46

SHA256
4a0899eaeea06f5261509a0511a7f7e24def9509013d17aef9345cdd048b1128

SHA512
77010c5b704ba4628789848ac3ba2306cca60fc67271410075653da5083533c1bcd3ac57e7bd87434deba9523105ade569a4918ac82865b8d7a37cd379f37509

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe
Filesize
128KB

MD5
176d9022fe00409d46deabc9c39dfcf3

SHA1
76f5caf6a6975c325f31b685f447377d664493d3

SHA256
fd1b71eee1386340a012b6b3bdc5ff11527174b6f48d6ce60e2197c86294a4db

SHA512
f00ac59bd4f6359e9dce035ebe41bb913e5c19325b34768a87a980a5566b78986b64ee049c2a846f2aed433951e39ee38f033bc741b766725c601798f5fd2754

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe
Filesize
128KB

MD5
50fa080a57f20fc9f0671aaf9582d2c2

SHA1
0f9c1225ec14429de62af0696b8566c282b99d4b

SHA256
a299fa3c2d7bd3f9b4f2bb51310795f00255f5303eabfd078f9ef6e46727bf49

SHA512
e8630067eb8e9f8d203452f8055dd60a25337e606c8509a728e9d2a4e732d525a1635a86d98e67c3ef1e180c715113e390c57b2f8a4e6315c32ee53c42c0a87a

Download Submit
memory/232-149-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/452-363-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/460-396-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/460-395-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/496-421-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/496-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/992-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/992-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1040-321-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1236-397-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1236-383-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1308-423-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1308-140-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1384-241-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1384-414-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1496-407-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1496-299-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1612-184-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1612-418-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1760-256-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1760-412-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1796-408-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1796-287-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2004-422-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2004-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2020-398-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2020-392-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2252-281-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2252-409-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2260-113-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2260-426-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2416-365-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2416-400-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2448-97-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2448-428-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2488-205-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2580-327-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2708-347-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2708-402-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2784-213-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2828-121-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2828-425-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2836-104-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2836-427-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2840-49-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2840-434-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2844-13-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2848-41-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2936-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2948-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2948-432-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2968-297-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3100-430-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3100-81-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3112-405-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3112-313-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3116-419-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3116-176-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3184-416-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3184-225-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3188-433-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3188-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3228-129-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3228-424-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3340-375-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3448-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3492-329-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3492-403-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3652-429-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3652-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3976-305-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3976-406-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4076-420-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4076-169-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4088-353-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4088-401-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4184-339-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4280-410-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4280-275-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4284-193-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4284-417-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4340-249-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4340-413-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4436-377-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4436-399-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4572-273-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4572-411-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4576-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4576-431-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4580-37-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4628-221-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4776-415-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4776-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5040-267-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5112-345-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5112-404-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download