bbdbbcd4ab837ed004d382a471576847090901afa429420251959cb932faa1a1

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ed68bdc97865f308b726929b0caa440_NeikiAnalytics.exe
Size

143KB
MD5

0ed68bdc97865f308b726929b0caa440
SHA1

7cf86a06d74bcc749cf145be70366f49fe02e39c
SHA256

bbdbbcd4ab837ed004d382a471576847090901afa429420251959cb932faa1a1
SHA512

5a74fdab356338402ca40b7dcea69475156d35f0931331f106e1f6f9754abe9dbf8433e9439707d84006b3b13afb94650b91ed875a8fe3c326f92f30d67f8ecd
SSDEEP

1536:3hbLLDtbhak4bsIM02ELwoUQ5ziJE93isirBUBEVGBtVM2hZV03fca13y:9fVhk9MQLwo3N93bsGfhv0vt3y

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Kgmlkp32.exeMcnhmm32.exeNjljefql.exeKaemnhla.exeKipabjil.exeLilanioo.exe0ed68bdc97865f308b726929b0caa440_NeikiAnalytics.exeLcpllo32.exeLaalifad.exeMnlfigcc.exeNkncdifl.exeJkdnpo32.exeJangmibi.exeKkkdan32.exeMdfofakp.exeKpjjod32.exeKkbkamnl.exeMgidml32.exeKckbqpnj.exeLpappc32.exeMkpgck32.exeNqmhbpba.exeMpdelajl.exeMjjmog32.exeMgghhlhq.exeNcldnkae.exeJfkoeppq.exeLkdggmlj.exeLjnnch32.exeMjeddggd.exeMgnnhk32.exeNkqpjidj.exeJiikak32.exeKbfiep32.exeLphfpbdi.exeMajopeii.exeMaohkd32.exeNklfoi32.exeKbdmpqcb.exeKkpnlm32.exeKdopod32.exeKacphh32.exeNnmopdep.exeNqfbaq32.exeNqiogp32.exeMjhqjg32.exeNcihikcg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0ed68bdc97865f308b726929b0caa440_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0ed68bdc97865f308b726929b0caa440_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe

Malware Dropper & Backdoor - Berbew 64 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
behavioral2/memory/1488-0-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Jkdnpo32.exe	family_berbew
behavioral2/memory/1088-11-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Jangmibi.exe	family_berbew
behavioral2/memory/2816-16-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Jfkoeppq.exe	family_berbew
behavioral2/memory/1284-24-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Jiikak32.exe	family_berbew
behavioral2/memory/4244-31-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kdopod32.exe	family_berbew
behavioral2/memory/3968-40-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kgmlkp32.exe	family_berbew
behavioral2/memory/4956-47-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kacphh32.exe	family_berbew
behavioral2/memory/4668-56-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kbdmpqcb.exe	family_berbew
behavioral2/memory/904-68-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kkkdan32.exe	family_berbew
behavioral2/memory/3320-72-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kaemnhla.exe	family_berbew
behavioral2/memory/3504-80-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kbfiep32.exe	family_berbew
behavioral2/memory/3224-88-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kipabjil.exe	family_berbew
behavioral2/memory/3148-95-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kpjjod32.exe	family_berbew
behavioral2/memory/3044-104-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kkpnlm32.exe	family_berbew
behavioral2/memory/2524-112-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kajfig32.exe	family_berbew
C:\Windows\SysWOW64\Kckbqpnj.exe	family_berbew
behavioral2/memory/3564-119-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/memory/1372-128-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kkbkamnl.exe	family_berbew
behavioral2/memory/700-140-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Lpocjdld.exe	family_berbew
behavioral2/memory/620-144-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Lkdggmlj.exe	family_berbew
behavioral2/memory/1996-152-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Lpappc32.exe	family_berbew
behavioral2/memory/1352-164-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Lcpllo32.exe	family_berbew
behavioral2/memory/5052-167-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Laalifad.exe	family_berbew
behavioral2/memory/4848-175-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Lilanioo.exe	family_berbew
behavioral2/memory/772-184-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Lpfijcfl.exe	family_berbew
behavioral2/memory/4528-192-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Lcdegnep.exe	family_berbew
behavioral2/memory/3640-204-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Ljnnch32.exe	family_berbew
behavioral2/memory/2332-208-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Lphfpbdi.exe	family_berbew
behavioral2/memory/4268-216-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Lgbnmm32.exe	family_berbew
behavioral2/memory/860-224-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Mnlfigcc.exe	family_berbew
behavioral2/memory/4136-236-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Mdfofakp.exe	family_berbew
behavioral2/memory/4348-240-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Mkpgck32.exe	family_berbew
behavioral2/memory/1000-252-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Majopeii.exe	family_berbew

Executes dropped EXE 59 IoCs

Processes:

Jkdnpo32.exeJangmibi.exeJfkoeppq.exeJiikak32.exeKdopod32.exeKgmlkp32.exeKacphh32.exeKbdmpqcb.exeKkkdan32.exeKaemnhla.exeKbfiep32.exeKipabjil.exeKpjjod32.exeKkpnlm32.exeKajfig32.exeKckbqpnj.exeKkbkamnl.exeLpocjdld.exeLkdggmlj.exeLpappc32.exeLcpllo32.exeLaalifad.exeLilanioo.exeLpfijcfl.exeLcdegnep.exeLjnnch32.exeLphfpbdi.exeLgbnmm32.exeMnlfigcc.exeMdfofakp.exeMkpgck32.exeMajopeii.exeMgghhlhq.exeMjeddggd.exeMnapdf32.exeMcnhmm32.exeMgidml32.exeMjhqjg32.exeMaohkd32.exeMdmegp32.exeMglack32.exeMjjmog32.exeMpdelajl.exeMgnnhk32.exeNjljefql.exeNqfbaq32.exeNdbnboqb.exeNklfoi32.exeNnjbke32.exeNqiogp32.exeNcgkcl32.exeNkncdifl.exeNnmopdep.exeNqklmpdd.exeNcihikcg.exeNkqpjidj.exeNqmhbpba.exeNcldnkae.exeNkcmohbg.exe

pid	process
1088	Jkdnpo32.exe
2816	Jangmibi.exe
1284	Jfkoeppq.exe
4244	Jiikak32.exe
3968	Kdopod32.exe
4956	Kgmlkp32.exe
4668	Kacphh32.exe
904	Kbdmpqcb.exe
3320	Kkkdan32.exe
3504	Kaemnhla.exe
3224	Kbfiep32.exe
3148	Kipabjil.exe
3044	Kpjjod32.exe
2524	Kkpnlm32.exe
3564	Kajfig32.exe
1372	Kckbqpnj.exe
700	Kkbkamnl.exe
620	Lpocjdld.exe
1996	Lkdggmlj.exe
1352	Lpappc32.exe
5052	Lcpllo32.exe
4848	Laalifad.exe
772	Lilanioo.exe
4528	Lpfijcfl.exe
3640	Lcdegnep.exe
2332	Ljnnch32.exe
4268	Lphfpbdi.exe
860	Lgbnmm32.exe
4136	Mnlfigcc.exe
4348	Mdfofakp.exe
1000	Mkpgck32.exe
1304	Majopeii.exe
1260	Mgghhlhq.exe
4800	Mjeddggd.exe
4656	Mnapdf32.exe
808	Mcnhmm32.exe
4636	Mgidml32.exe
2880	Mjhqjg32.exe
2980	Maohkd32.exe
4028	Mdmegp32.exe
1824	Mglack32.exe
468	Mjjmog32.exe
1704	Mpdelajl.exe
640	Mgnnhk32.exe
2840	Njljefql.exe
2788	Nqfbaq32.exe
2176	Ndbnboqb.exe
1076	Nklfoi32.exe
4536	Nnjbke32.exe
1928	Nqiogp32.exe
2156	Ncgkcl32.exe
3068	Nkncdifl.exe
1724	Nnmopdep.exe
2836	Nqklmpdd.exe
4216	Ncihikcg.exe
692	Nkqpjidj.exe
2464	Nqmhbpba.exe
2528	Ncldnkae.exe
4604	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

Processes:

Jkdnpo32.exeKdopod32.exeKkkdan32.exeKipabjil.exeKpjjod32.exeNqiogp32.exeNkncdifl.exe0ed68bdc97865f308b726929b0caa440_NeikiAnalytics.exeLcpllo32.exeMjeddggd.exeMglack32.exeJiikak32.exeKgmlkp32.exeKaemnhla.exeKbfiep32.exeLilanioo.exeLphfpbdi.exeMgghhlhq.exeMgidml32.exeMdfofakp.exeMjhqjg32.exeNjljefql.exeNcihikcg.exeLgbnmm32.exeMgnnhk32.exeJangmibi.exeKajfig32.exeLkdggmlj.exeLaalifad.exeMkpgck32.exeMdmegp32.exeKkpnlm32.exeLpocjdld.exeMnlfigcc.exeMnapdf32.exeKacphh32.exeLjnnch32.exeKbdmpqcb.exeMcnhmm32.exeNcgkcl32.exeMajopeii.exeNkqpjidj.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Jangmibi.exe	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kdopod32.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kipabjil.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kpjjod32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Qknpkqim.dll	0ed68bdc97865f308b726929b0caa440_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Ppaaagol.dll	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Kbfiep32.exe	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Kgmlkp32.exe	Kdopod32.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Jfkoeppq.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Jplifcqp.dll	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Laalifad.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Mghpbg32.dll	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Kbmfdgkm.dll	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nkqpjidj.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

920 4604 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
920	4604	WerFault.exe	Nkcmohbg.exe

Modifies registry class 64 IoCs

Processes:

Mjjmog32.exeNqfbaq32.exeKbdmpqcb.exeLcpllo32.exeMgghhlhq.exeLaalifad.exeNnjbke32.exeNnmopdep.exeJiikak32.exeKkpnlm32.exeLpappc32.exeLgbnmm32.exeMgnnhk32.exeMjhqjg32.exeMdmegp32.exeNcldnkae.exeJkdnpo32.exeMkpgck32.exeMgidml32.exeMcnhmm32.exe0ed68bdc97865f308b726929b0caa440_NeikiAnalytics.exeJfkoeppq.exeLpocjdld.exeNcgkcl32.exeNkncdifl.exeNkqpjidj.exeLjnnch32.exeMnlfigcc.exeKaemnhla.exeMajopeii.exeKpjjod32.exeMpdelajl.exeKgmlkp32.exeMjeddggd.exeNklfoi32.exeKajfig32.exeLpfijcfl.exeMdfofakp.exeNqklmpdd.exeNqmhbpba.exeKdopod32.exeKckbqpnj.exeLilanioo.exeLcdegnep.exeMaohkd32.exeKkkdan32.exeKbfiep32.exeMglack32.exeNcihikcg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghpbg32.dll"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnnj32.dll"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	0ed68bdc97865f308b726929b0caa440_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	0ed68bdc97865f308b726929b0caa440_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	0ed68bdc97865f308b726929b0caa440_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppaheqp.dll"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0ed68bdc97865f308b726929b0caa440_NeikiAnalytics.exeJkdnpo32.exeJangmibi.exeJfkoeppq.exeJiikak32.exeKdopod32.exeKgmlkp32.exeKacphh32.exeKbdmpqcb.exeKkkdan32.exeKaemnhla.exeKbfiep32.exeKipabjil.exeKpjjod32.exeKkpnlm32.exeKajfig32.exeKckbqpnj.exeKkbkamnl.exeLpocjdld.exeLkdggmlj.exeLpappc32.exeLcpllo32.exe

description	pid	process	target process
PID 1488 wrote to memory of 1088	1488	0ed68bdc97865f308b726929b0caa440_NeikiAnalytics.exe	Jkdnpo32.exe
PID 1488 wrote to memory of 1088	1488	0ed68bdc97865f308b726929b0caa440_NeikiAnalytics.exe	Jkdnpo32.exe
PID 1488 wrote to memory of 1088	1488	0ed68bdc97865f308b726929b0caa440_NeikiAnalytics.exe	Jkdnpo32.exe
PID 1088 wrote to memory of 2816	1088	Jkdnpo32.exe	Jangmibi.exe
PID 1088 wrote to memory of 2816	1088	Jkdnpo32.exe	Jangmibi.exe
PID 1088 wrote to memory of 2816	1088	Jkdnpo32.exe	Jangmibi.exe
PID 2816 wrote to memory of 1284	2816	Jangmibi.exe	Jfkoeppq.exe
PID 2816 wrote to memory of 1284	2816	Jangmibi.exe	Jfkoeppq.exe
PID 2816 wrote to memory of 1284	2816	Jangmibi.exe	Jfkoeppq.exe
PID 1284 wrote to memory of 4244	1284	Jfkoeppq.exe	Jiikak32.exe
PID 1284 wrote to memory of 4244	1284	Jfkoeppq.exe	Jiikak32.exe
PID 1284 wrote to memory of 4244	1284	Jfkoeppq.exe	Jiikak32.exe
PID 4244 wrote to memory of 3968	4244	Jiikak32.exe	Kdopod32.exe
PID 4244 wrote to memory of 3968	4244	Jiikak32.exe	Kdopod32.exe
PID 4244 wrote to memory of 3968	4244	Jiikak32.exe	Kdopod32.exe
PID 3968 wrote to memory of 4956	3968	Kdopod32.exe	Kgmlkp32.exe
PID 3968 wrote to memory of 4956	3968	Kdopod32.exe	Kgmlkp32.exe
PID 3968 wrote to memory of 4956	3968	Kdopod32.exe	Kgmlkp32.exe
PID 4956 wrote to memory of 4668	4956	Kgmlkp32.exe	Kacphh32.exe
PID 4956 wrote to memory of 4668	4956	Kgmlkp32.exe	Kacphh32.exe
PID 4956 wrote to memory of 4668	4956	Kgmlkp32.exe	Kacphh32.exe
PID 4668 wrote to memory of 904	4668	Kacphh32.exe	Kbdmpqcb.exe
PID 4668 wrote to memory of 904	4668	Kacphh32.exe	Kbdmpqcb.exe
PID 4668 wrote to memory of 904	4668	Kacphh32.exe	Kbdmpqcb.exe
PID 904 wrote to memory of 3320	904	Kbdmpqcb.exe	Kkkdan32.exe
PID 904 wrote to memory of 3320	904	Kbdmpqcb.exe	Kkkdan32.exe
PID 904 wrote to memory of 3320	904	Kbdmpqcb.exe	Kkkdan32.exe
PID 3320 wrote to memory of 3504	3320	Kkkdan32.exe	Kaemnhla.exe
PID 3320 wrote to memory of 3504	3320	Kkkdan32.exe	Kaemnhla.exe
PID 3320 wrote to memory of 3504	3320	Kkkdan32.exe	Kaemnhla.exe
PID 3504 wrote to memory of 3224	3504	Kaemnhla.exe	Kbfiep32.exe
PID 3504 wrote to memory of 3224	3504	Kaemnhla.exe	Kbfiep32.exe
PID 3504 wrote to memory of 3224	3504	Kaemnhla.exe	Kbfiep32.exe
PID 3224 wrote to memory of 3148	3224	Kbfiep32.exe	Kipabjil.exe
PID 3224 wrote to memory of 3148	3224	Kbfiep32.exe	Kipabjil.exe
PID 3224 wrote to memory of 3148	3224	Kbfiep32.exe	Kipabjil.exe
PID 3148 wrote to memory of 3044	3148	Kipabjil.exe	Kpjjod32.exe
PID 3148 wrote to memory of 3044	3148	Kipabjil.exe	Kpjjod32.exe
PID 3148 wrote to memory of 3044	3148	Kipabjil.exe	Kpjjod32.exe
PID 3044 wrote to memory of 2524	3044	Kpjjod32.exe	Kkpnlm32.exe
PID 3044 wrote to memory of 2524	3044	Kpjjod32.exe	Kkpnlm32.exe
PID 3044 wrote to memory of 2524	3044	Kpjjod32.exe	Kkpnlm32.exe
PID 2524 wrote to memory of 3564	2524	Kkpnlm32.exe	Kajfig32.exe
PID 2524 wrote to memory of 3564	2524	Kkpnlm32.exe	Kajfig32.exe
PID 2524 wrote to memory of 3564	2524	Kkpnlm32.exe	Kajfig32.exe
PID 3564 wrote to memory of 1372	3564	Kajfig32.exe	Kckbqpnj.exe
PID 3564 wrote to memory of 1372	3564	Kajfig32.exe	Kckbqpnj.exe
PID 3564 wrote to memory of 1372	3564	Kajfig32.exe	Kckbqpnj.exe
PID 1372 wrote to memory of 700	1372	Kckbqpnj.exe	Kkbkamnl.exe
PID 1372 wrote to memory of 700	1372	Kckbqpnj.exe	Kkbkamnl.exe
PID 1372 wrote to memory of 700	1372	Kckbqpnj.exe	Kkbkamnl.exe
PID 700 wrote to memory of 620	700	Kkbkamnl.exe	Lpocjdld.exe
PID 700 wrote to memory of 620	700	Kkbkamnl.exe	Lpocjdld.exe
PID 700 wrote to memory of 620	700	Kkbkamnl.exe	Lpocjdld.exe
PID 620 wrote to memory of 1996	620	Lpocjdld.exe	Lkdggmlj.exe
PID 620 wrote to memory of 1996	620	Lpocjdld.exe	Lkdggmlj.exe
PID 620 wrote to memory of 1996	620	Lpocjdld.exe	Lkdggmlj.exe
PID 1996 wrote to memory of 1352	1996	Lkdggmlj.exe	Lpappc32.exe
PID 1996 wrote to memory of 1352	1996	Lkdggmlj.exe	Lpappc32.exe
PID 1996 wrote to memory of 1352	1996	Lkdggmlj.exe	Lpappc32.exe
PID 1352 wrote to memory of 5052	1352	Lpappc32.exe	Lcpllo32.exe
PID 1352 wrote to memory of 5052	1352	Lpappc32.exe	Lcpllo32.exe
PID 1352 wrote to memory of 5052	1352	Lpappc32.exe	Lcpllo32.exe
PID 5052 wrote to memory of 4848	5052	Lcpllo32.exe	Laalifad.exe

C:\Users\Admin\AppData\Local\Temp\0ed68bdc97865f308b726929b0caa440_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0ed68bdc97865f308b726929b0caa440_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\Jkdnpo32.exe
C:\Windows\system32\Jkdnpo32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\Jangmibi.exe
C:\Windows\system32\Jangmibi.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\SysWOW64\Jfkoeppq.exe
C:\Windows\system32\Jfkoeppq.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\SysWOW64\Jiikak32.exe
C:\Windows\system32\Jiikak32.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4244

C:\Windows\SysWOW64\Kdopod32.exe
C:\Windows\system32\Kdopod32.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3968

C:\Windows\SysWOW64\Kgmlkp32.exe
C:\Windows\system32\Kgmlkp32.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4956

C:\Windows\SysWOW64\Kacphh32.exe
C:\Windows\system32\Kacphh32.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4668

C:\Windows\SysWOW64\Kbdmpqcb.exe
C:\Windows\system32\Kbdmpqcb.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\SysWOW64\Kkkdan32.exe
C:\Windows\system32\Kkkdan32.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3320

C:\Windows\SysWOW64\Kaemnhla.exe
C:\Windows\system32\Kaemnhla.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3504

C:\Windows\SysWOW64\Kbfiep32.exe
C:\Windows\system32\Kbfiep32.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3224

C:\Windows\SysWOW64\Kipabjil.exe
C:\Windows\system32\Kipabjil.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3148

C:\Windows\SysWOW64\Kpjjod32.exe
C:\Windows\system32\Kpjjod32.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\SysWOW64\Kkpnlm32.exe
C:\Windows\system32\Kkpnlm32.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\SysWOW64\Kajfig32.exe
C:\Windows\system32\Kajfig32.exe
16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3564

C:\Windows\SysWOW64\Kckbqpnj.exe
C:\Windows\system32\Kckbqpnj.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\SysWOW64\Kkbkamnl.exe
C:\Windows\system32\Kkbkamnl.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:700

C:\Windows\SysWOW64\Lpocjdld.exe
C:\Windows\system32\Lpocjdld.exe
19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:620

C:\Windows\SysWOW64\Lkdggmlj.exe
C:\Windows\system32\Lkdggmlj.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\Lpappc32.exe
C:\Windows\system32\Lpappc32.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\Lcpllo32.exe
C:\Windows\system32\Lcpllo32.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5052

C:\Windows\SysWOW64\Laalifad.exe
C:\Windows\system32\Laalifad.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4848

C:\Windows\SysWOW64\Lilanioo.exe
C:\Windows\system32\Lilanioo.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:772

C:\Windows\SysWOW64\Lpfijcfl.exe
C:\Windows\system32\Lpfijcfl.exe
25⤵
- Executes dropped EXE
- Modifies registry class
PID:4528

C:\Windows\SysWOW64\Lcdegnep.exe
C:\Windows\system32\Lcdegnep.exe
26⤵
- Executes dropped EXE
- Modifies registry class
PID:3640

C:\Windows\SysWOW64\Ljnnch32.exe
C:\Windows\system32\Ljnnch32.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2332

C:\Windows\SysWOW64\Lphfpbdi.exe
C:\Windows\system32\Lphfpbdi.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4268

C:\Windows\SysWOW64\Lgbnmm32.exe
C:\Windows\system32\Lgbnmm32.exe
29⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:860

C:\Windows\SysWOW64\Mnlfigcc.exe
C:\Windows\system32\Mnlfigcc.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4136

C:\Windows\SysWOW64\Mdfofakp.exe
C:\Windows\system32\Mdfofakp.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4348

C:\Windows\SysWOW64\Mkpgck32.exe
C:\Windows\system32\Mkpgck32.exe
32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1000

C:\Windows\SysWOW64\Majopeii.exe
C:\Windows\system32\Majopeii.exe
33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1304

C:\Windows\SysWOW64\Mgghhlhq.exe
C:\Windows\system32\Mgghhlhq.exe
34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1260

C:\Windows\SysWOW64\Mjeddggd.exe
C:\Windows\system32\Mjeddggd.exe
35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4800

C:\Windows\SysWOW64\Mnapdf32.exe
C:\Windows\system32\Mnapdf32.exe
36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4656

C:\Windows\SysWOW64\Mcnhmm32.exe
C:\Windows\system32\Mcnhmm32.exe
37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:808

C:\Windows\SysWOW64\Mgidml32.exe
C:\Windows\system32\Mgidml32.exe
38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4636

C:\Windows\SysWOW64\Mjhqjg32.exe
C:\Windows\system32\Mjhqjg32.exe
39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2880

C:\Windows\SysWOW64\Maohkd32.exe
C:\Windows\system32\Maohkd32.exe
40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2980

C:\Windows\SysWOW64\Mdmegp32.exe
C:\Windows\system32\Mdmegp32.exe
41⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4028

C:\Windows\SysWOW64\Mglack32.exe
C:\Windows\system32\Mglack32.exe
42⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1824

C:\Windows\SysWOW64\Mjjmog32.exe
C:\Windows\system32\Mjjmog32.exe
43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:468

C:\Windows\SysWOW64\Mpdelajl.exe
C:\Windows\system32\Mpdelajl.exe
44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1704

C:\Windows\SysWOW64\Mgnnhk32.exe
C:\Windows\system32\Mgnnhk32.exe
45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:640

C:\Windows\SysWOW64\Njljefql.exe
C:\Windows\system32\Njljefql.exe
46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2840

C:\Windows\SysWOW64\Nqfbaq32.exe
C:\Windows\system32\Nqfbaq32.exe
47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2788

C:\Windows\SysWOW64\Ndbnboqb.exe
C:\Windows\system32\Ndbnboqb.exe
48⤵
- Executes dropped EXE
PID:2176

C:\Windows\SysWOW64\Nklfoi32.exe
C:\Windows\system32\Nklfoi32.exe
49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1076

C:\Windows\SysWOW64\Nnjbke32.exe
C:\Windows\system32\Nnjbke32.exe
50⤵
- Executes dropped EXE
- Modifies registry class
PID:4536

C:\Windows\SysWOW64\Nqiogp32.exe
C:\Windows\system32\Nqiogp32.exe
51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1928

C:\Windows\SysWOW64\Ncgkcl32.exe
C:\Windows\system32\Ncgkcl32.exe
52⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2156

C:\Windows\SysWOW64\Nkncdifl.exe
C:\Windows\system32\Nkncdifl.exe
53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3068

C:\Windows\SysWOW64\Nnmopdep.exe
C:\Windows\system32\Nnmopdep.exe
54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1724

C:\Windows\SysWOW64\Nqklmpdd.exe
C:\Windows\system32\Nqklmpdd.exe
55⤵
- Executes dropped EXE
- Modifies registry class
PID:2836

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4216

C:\Windows\SysWOW64\Nkqpjidj.exe
C:\Windows\system32\Nkqpjidj.exe
57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:692

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2464

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2528

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
60⤵
- Executes dropped EXE
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 408
61⤵
- Program crash
PID:920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4604 -ip 4604
1⤵
PID:5068

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jangmibi.exe
Filesize
143KB

MD5
6374c3b3bfb7eb1bcb3f764662c5850b

SHA1
85d11ffbdd5c9bf21be136e652808abc446088ad

SHA256
77bb19d3fc3983ef2019410d62cd9584aaea197c9535a492eaa2a2778c6155db

SHA512
7ef73538251d51f5c8920e696d0e6d85fc5f5c38d269c9016fbb9992b435353af577fc6bd1b941c152214c320a0895014b1387a805cbbe098515026afa2172ad

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe
Filesize
143KB

MD5
4ffa77fe8053572d54d9801962ef92a4

SHA1
7ea72714c5907cab9736323503c6b280ae77fe62

SHA256
84bb9a2435e004c32c72131ec2309b4b538176dd8b1a8936621c1be273647e5d

SHA512
4a9fbb57e45c3e46532288f92d26c3df850ab1d500df5e98a591c81ff6b8ed270d295e06101a074d47fd99360f9f9ff03970907a3c82a0674c2dec0937db7236

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe
Filesize
143KB

MD5
c88591c25c972ecff43c3b730da81667

SHA1
5f2c92cfb6d25faa50ac58483b6133c66d3fc24a

SHA256
a74c308f2dc3f39fcdb7db5dfed607e605f6e5dd82dc8bb9539f6d44529a18cb

SHA512
17b2f965f17bf226bc8d16fe1e406ef34293ade8edf281cdf9aa957bc0e8bf72959029d6d2add0b41cb4380f9bb7629617c5db5c39756d764bea85654af93de2

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe
Filesize
143KB

MD5
3788f9e7b03b4bb68706bf6cc77757ea

SHA1
8c73ff2ee622b1b8daf7796bc8e715ba2863faf9

SHA256
f20b64546e16e0ff50344b86e5aa9082a69db452be188ddbd30ee8d863bc25ae

SHA512
fd8035f664597e5d861f9bd40bd4585f9cdbe13c8efb5aeebd79167f21398f963047051c78d4b7084079ae7d8ba7837bf5a4c892a6e1d8933bc36f50bc024218

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe
Filesize
143KB

MD5
8f8bcf3028e3898ee67b40c435fe275d

SHA1
135c06133fa2430ad156486ae648477d4889e21e

SHA256
fa5a5c8c8912824c46cf4a4b9ea73c181cc7757c8604438ef858386c313ad779

SHA512
b88584688f3a4b6935f09667906aafc7df23536b3c6bd72bd87ca00a6b12dc8eddc45be73977adc246c5732d556d5f888b8aa5692dbbebc0a62088a3b1134770

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe
Filesize
143KB

MD5
367f91f9286813830312bde758b166f5

SHA1
abc695623c04689fbbbc04ae21fcb6522749182a

SHA256
da1c9abddc40edce6bbc305cecbe725b14c4e65457a18927a2a5ea54a77041b7

SHA512
e6181ab28b920c53c1e81b5a664b0e5815f91085cbed98354ce7d5e3c25b2eba62fc008ddff345e81489d7e8a112f0d2afbcc187c13b585ad0f2b32bdd3b7f67

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe
Filesize
143KB

MD5
0d5e006a6ed35bd582651166e619b6d9

SHA1
97b47a5ac7d59efe81c4e1967352cdef9646f851

SHA256
086dc0e5f5153753be8eabc964115a9a23d59a6505dd40bf286a89672a7dfb81

SHA512
fc74dd74ed75a8845eb4d1adaa41fb1784c637027f17326d4fdd86e9afc23ab33d0d95a19c785ed12274ffdf443496e9c69148875d80f6af9c7a07d955ce808b

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe
Filesize
143KB

MD5
ab972c31a67e0ca09693b60ec00cbbf6

SHA1
dc77744b3d7711d2ec7bc7dff9bcc4a5fafe8996

SHA256
e87b6d37b90525da35a36b10ef5e078620d7073cb011fb5c9198c1555005ce09

SHA512
cbd10b93833e975d63fb8936d4d4ff005be5023d8d2828a64e08b74bbc5aed3610b5a5b9753da71b89110edbcdda6a9a65f1d88374f49a3426b3b9f4575c0c89

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe
Filesize
143KB

MD5
fe522259ba3a0b1c1d98d8f1e59ce044

SHA1
51d54b2ee4a12e157eadf633e2d5ee9f8b1ef9b4

SHA256
7813d342ecc95ca133e2b4c9a96a10de6abaa9329af720de950fffc571189b65

SHA512
634f6dd7c5eab8518637f47d24c5345108b20c6d81efb32ea9e2eb3f58d8516f2eaa93684b35e0a8d32804f77534956e5080b3baa296125ea0de6a72643a68a9

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe
Filesize
143KB

MD5
8b9ed47b385683ea2c07cff0d93943b7

SHA1
646a35d0ac3ff075d09c1d3e255bc50576a3001e

SHA256
5b67ba775f02c79ace0dbbbb5b9540b0824ebe9ae4c6723955d77e5b9a01c37c

SHA512
53b20935f43a2b1adf24088f7f7b3413ca28e66721c224facecfbdca8ed19eeaa131e31f2487fd3469aa8865b1d7734126cd3fbc334f43069ae307581e6ed10e

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe
Filesize
143KB

MD5
12143a019c40066f8761a5270235c797

SHA1
0f4f6eb6a2dca45377848f991c6c1a6fff083188

SHA256
82a8051fa6085bf39fc33c966588a098a664e766086c7f8abe7fbb9a4f985cb5

SHA512
c948b68573843600abfa9b90a42c4beea84da1566570e91886322e3fe7baca1419ec3055e012576b66dbcacd8cc92dc97175a804ef29aeb5f9793db216da1cbd

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe
Filesize
143KB

MD5
a793775fae4744116cc39184d33bada2

SHA1
338433e4480803764601e6a6eba7625f2d80a154

SHA256
360cf468e96056bf98bf52e8539e2e55eefa0580e431099a543e319e1a4a7c41

SHA512
aee93b4a3feb5f9c3e89be6dd892335ee7d151b9f55d4612f8089c01eae616be2b6eaaa202a30bda2e748e0a0a2c82fe861fc4d3fc7173e45720f8445edd3803

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe
Filesize
143KB

MD5
7dd6d90441c9da28d93ca5218f93038e

SHA1
e560e99569d0969ef4d89a07d7331013030e555b

SHA256
ee85396e98ae170548238a4621ce71180c62e2a50bd23c4fe50a33ad416483d2

SHA512
4522cc20dc6752991424f2685afa4052a5b0392e12c23ae48feaaea54960964a31f4870fc9ab1e45685ebac059197e2cbbe58a002776bb4c74839fc181c5275c

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe
Filesize
143KB

MD5
ac7771dc907b92b89faff338c374c040

SHA1
112ada77e23de95da67aa6d5c84d3d87fa57bfa1

SHA256
65847e0e990c43c7f482ae0ed961b0242da727d57c8c1f7c1e6a6c6e7a76997a

SHA512
24a78be0ce7313d7727df99658322be6a7166026e5533ee00435cfcf82af6ab3d74cf7a2100fe71b6c74ba968f94478819aaf89659282d503d515e3accb4aa50

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe
Filesize
143KB

MD5
f8c69841573cc02bedee236d68897ef3

SHA1
ee0096088aa5c48ccd91c00f995773584d6dbf19

SHA256
c464e4016dab8831dafac1339619b8a72977a9858ca0164050179580f2efb1a7

SHA512
97dfabc1ae9f8d92662d2dd4d1ec3f6e4850947d45c63b0137289cc37de40ff90f1d353e78962e01324658f95f7a367bba67f7428b9fdb95d4bb6ed3c6303864

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe
Filesize
143KB

MD5
10e3296463d0ee7468858823b33b3336

SHA1
7478ca72ce0dc0ba5e3e77ee82324c5e7ce83e52

SHA256
735993c511a6a1c1f4a573b9b73805c5af957b73a4dfd75f148be0f029083f50

SHA512
0a5d366dedc01517b51af7a8f55265baefeac76c825456c00cb4e480cdd5d574c4c28a279be2761a2d2c7a1ab8c95793f7ce14fc6d34cb424a3d08fd01cee5c3

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe
Filesize
143KB

MD5
ce605c468b0e929b9a4a8012327c912e

SHA1
de6f29043753deae0ed776a1973dd73c6a9f22b1

SHA256
081f91d1c64a56ea1b790e9eeea99aa362f4b3720a41f9e630fa50fee4ebbce9

SHA512
03e0432bc48651b5259a5def2567bd201628c47d75f447512580806326acb6e68cb3a28029bdf7e1d98d2c89a301698d5380505b8e8315455847668e74e82f0f

Download Submit
C:\Windows\SysWOW64\Laalifad.exe
Filesize
143KB

MD5
2ecedec726a41b4a669db40637d07c97

SHA1
76831d1a7df0220dd604f62524b89c6a22bdfaef

SHA256
6228491b8e1ebb8887ca50aac8f81640c397ece69de4d975d2aa188dc4ab8e40

SHA512
6086fc78018be091d9cab1f4741a30aef499dc0444041cf07e1d4ea6daa35df2599b2d62050e326819f270e3dd3dd57b2b57f86e7b6160a05a13c569f9c7eea7

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe
Filesize
143KB

MD5
84a838f012ff231691e67d0f0972eb9d

SHA1
51dde4ed8ebd4fb7f6b024dc95cdd83892a5496d

SHA256
9f570edce1a28e759875ab4fc55537b2efb513f367aa52cf276f38590c3d6dbd

SHA512
5a5db0e22ee2f05e48fc19019707015f48c9b319f9494b08853f132cad5411c9bbee21f1aef0d04486ccf7a2916fc6b84808b9817bf7e6fe8a9a19c85cfcb835

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe
Filesize
143KB

MD5
0f9e45a26198543f88f64803bceaa651

SHA1
3f81f0c102523ae4a3a61358245091efc0cbcff5

SHA256
18118a137532f00cfd15bcbd11172b2916968088f82f5bae9d92af5dc8b92471

SHA512
f362f0a90e2cb1d39e8b9a08558c888e4afa8fa43afcd5f3d55da93a55d15ccfe395b71afb8c75c47f252be6ca82c92d8b96f65df4e38b01de1a12d533b0b0a3

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe
Filesize
143KB

MD5
721e7c2ba0dcfb3aac29c307a32557fc

SHA1
def07929f60c6d6a6915dd1782e70942d1080d4c

SHA256
f92a7b827814e1731d14a1633bbf8e5f270b44a0df1f4a48f17b7107bcc1db5b

SHA512
cfe15507c7cc48e589ca63a82396ef7fd82733b808f21c418fd7aad95eb5397eb9af3592906de360e77cecf08936795feabd66175502a0c900ad0637cbd9a046

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe
Filesize
143KB

MD5
8b8b57965b93aad9e5668d557f86db33

SHA1
43e1ad3dd4a998b779174b887ce2cb4c87ca04bb

SHA256
bd1341ab59447a6f1916c2de780a256c490a181521bb0e9ac03063edeb2ffde5

SHA512
a3e3edf6ede9ee6101063e81bd00096009ed308251d3cdb0a9801bca5e5048255450d0d7995ed2b11543e23c2698b4eecb3f70de5969bd27a77adef9fae911f2

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe
Filesize
143KB

MD5
39a0df9ccd1b9a455510461d1896d14d

SHA1
9d821b1b8a94f92c6336e631a6f8dde6e861eb84

SHA256
addefe1fa042b0f36fc5c399d55fbcfd5026d38b436c202f4e77ff93cd969d6d

SHA512
3b0042d3716177602984af3865fa52d6065163bbb80a9bc7f7c56ce101063fb4f5db4c35d87ef0ea0e55b255daba5459494f51052b0124f606c2864c9a3c0763

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe
Filesize
143KB

MD5
3b052ddc8a6a3a9b9b72b73a4f787641

SHA1
2c83cc7f3b7c1f95802cb641f473b528ce1c42a9

SHA256
0898896bdd2d53028dcca7ae304d4706a8c33554d385b3c3b0b500046fd5227e

SHA512
4cbdcd20849b62a1f0c88681ebe01c87198fa4a115e91898ffa7fc21cdccd0afedb1ce3ef86ad0bdd003e8b1b0c155bad592be2bbb6d252da6a17384009a468d

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe
Filesize
143KB

MD5
62bf55ee18034141536e372dc4aa466c

SHA1
26216acd9f614ac297c94478567e74206569ac14

SHA256
5175c7f8d31314798cccd53ea96afa322ff6d8cd88861277dc5af08ee893831b

SHA512
4da5b13ed5ae66f4bcd536fd5149fddbe65270a1f710d1afc4f4f236524a2590ed2cdc1e3d93a898d50fc0c15fbdf6b81872d106febe03a6cc99df3afdbe527e

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe
Filesize
143KB

MD5
c463da72207028d2f0295f3b10785e37

SHA1
20ad83db847568c7d36be2c994e676f28cba5eca

SHA256
5565f0e877e5455344c953fa0004ba1ce1067c2e9681e0a48de0d3aec153487b

SHA512
75c045ca644421573bfec982366db4ea14d5fc61b3504f758fd6f1f8390a169972750162e91aee43b25a0400536b3c8c96ef2dcdc7bc74edd392e96c9f6d27b9

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe
Filesize
143KB

MD5
2bd7c9073c105c4919437341d7f46e58

SHA1
1705e10689e929880c6385a5e7d50e4e4a101287

SHA256
dc939b18c05246a7e6743f5cb7ebb5ec14ae0a5e62cb8a5bd87836e4721f14d3

SHA512
c0e52316c6019792837f61ab6323728d7625121f7ca3c228d6d47d3b39a2b0ca561fd204fd4e45c496a7fdc766f553bf9eb787316376c0f308e18a9d3e818f01

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe
Filesize
143KB

MD5
7b139a91661ca5f3dcb5b64f97520b44

SHA1
8f91df8faf10eb851d92c4b8e28fb402ae1f0d22

SHA256
c18cc002b1ebbc5ad2888b529c0288e55959be43adecabcefbd63993055d0ff7

SHA512
b167d21c8ab642abe199e8211d4ef1adf578fad9b2e8152557d05c25f78acc7f164f2cec6b903f4cbfbb59122116b298f70701b9234286b0260757f7f9b441cd

Download Submit
C:\Windows\SysWOW64\Majopeii.exe
Filesize
143KB

MD5
acacd30fcd3fdf51439c23205bfee101

SHA1
d3aa6be09bc041dfb70b0725f3e05dd78a37243e

SHA256
deea826861a07e98477f575ff3bbaeb947ee68f07c666d174ad1be5c77748292

SHA512
facebbb3a2cd235edf6178b1d06a5db13471fd056424f665823cc8ccac279c94420a9dd4b6089ba0efc31773946a2a094ab14b45f8337bbebbccceecb52f824d

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe
Filesize
143KB

MD5
9ee303c3146828357efba7113b9e107d

SHA1
f16595ca47eed6a77374634d2d64bf798de76459

SHA256
47df959314972aa839b44e85de7a40da496b85876c1c249216ed158643f38665

SHA512
4482e9d4437cc65fd3fdfa1dcb0fec3791d9198d38ec0c24ed52d2ec26ce96bfc91af5c648dbf1e11225c062e8196a48d4aa3d27ad6a648a529674ccecdfdcbf

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe
Filesize
143KB

MD5
a22743393b7bbec18ae71188a1129984

SHA1
76747b4878059ca0f1580e75f3ead24873d8052c

SHA256
bb871d3010801c69e2d0d6aaab648fb4ea3462e2621fd9934c390db875812689

SHA512
de14aeed2793e263bd5875e1b6f70bc1d4fdff026fe969a6075e44c6e1eab99de12832b748842d6eb277b79e8cc380234f0ba31ad62a61c8d116d4f9f154bbd7

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe
Filesize
143KB

MD5
b71587ad45959a29e52ca6d43603b694

SHA1
749b17aab1924af80f15849da5d11459a4d154e5

SHA256
b368c4a06bdef0fb6d8fa463bb9ea26c30747976a09f102b18b7b40c56e1cb63

SHA512
db4d9cea4c4135ef7155227dd6e939d36af8ee21716ce65d890ec8b1e160a580963d47d74280d887d1346d344171ade71c4ba75a8fe598b4614065efdd067e5a

Download Submit
memory/468-433-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/468-316-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/620-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/620-448-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/640-328-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/640-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/692-400-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/692-422-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/700-140-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/700-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/772-444-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/772-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/808-436-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/808-280-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/860-440-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/860-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/904-68-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1000-252-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1076-428-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1076-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1088-11-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1260-266-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1284-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1304-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1304-438-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1352-164-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1372-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1372-450-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1488-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1704-432-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1704-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1724-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1724-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1824-314-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1824-434-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1928-367-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1928-426-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1996-447-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1996-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2156-374-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2176-429-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2176-348-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2332-442-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2332-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2464-421-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2464-410-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2524-452-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2524-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2528-412-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2528-420-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2788-344-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2816-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2836-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2836-392-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2840-430-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2840-334-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2880-296-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2980-302-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3044-453-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3044-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3068-380-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3148-454-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3148-95-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3224-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3320-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3504-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3564-451-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3564-119-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3640-204-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3968-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4028-308-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4136-236-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4216-394-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4216-423-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4244-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4268-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4268-441-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4348-439-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4348-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4528-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4528-443-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4536-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4536-427-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4604-418-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4604-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4636-286-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4636-435-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4656-274-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4656-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4668-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4800-273-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4848-175-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4848-445-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4956-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5052-167-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5052-446-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download