a7edf9c6d632c201e2e07c15918331efde5f42c69e67c7048bc0883bd42fb64f

Analysis

max time kernel
135s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13f0689e5e74610a9649152e0bb2c380_NeikiAnalytics.exe
Size

229KB
MD5

13f0689e5e74610a9649152e0bb2c380
SHA1

4afdf0c57d48bbf3a2f1d134213e1e76b16edd62
SHA256

a7edf9c6d632c201e2e07c15918331efde5f42c69e67c7048bc0883bd42fb64f
SHA512

85d339f3ebd8c7e3dae8fa83de900dacb320d291cac05428a294807ab95f4ef6a6d9b0e5586e8eb9404927ed77e3ce8f7146e800525e3700ab5aeb3ec8b6b743
SSDEEP

3072:/odKIR9xI/GLBHDdSfU27jxEZHR3/pvkqrifbdB7dYk1Bx8DpsV6YZOwVTNhCKdo:AhBEM271+HZ/pvkym/89bYEwPhCKvav

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

13f0689e5e74610a9649152e0bb2c380_NeikiAnalytics.exeKkpnlm32.exeKgfoan32.exeNnmopdep.exeKdffocib.exeMajopeii.exeMglack32.exeMpkbebbf.exeNafokcol.exeJigollag.exeKgphpo32.exeLiggbi32.exeMciobn32.exeMncmjfmk.exeJjbako32.exeKkihknfg.exeLcgblncm.exeMpaifalo.exeJpaghf32.exeKdcijcke.exeLgneampk.exeKaqcbi32.exeLklnhlfb.exeMnlfigcc.exeMaaepd32.exeNjljefql.exeNgpjnkpf.exeLdmlpbbj.exeMjqjih32.exeNddkgonp.exeNkjjij32.exeKaemnhla.exeMkpgck32.exeMkepnjng.exeMjjmog32.exeJbocea32.exeKilhgk32.exeKdaldd32.exeLpocjdld.exeLddbqa32.exeMpmokb32.exeNgedij32.exeKmnjhioc.exeMdkhapfj.exeNgcgcjnc.exeNdghmo32.exeNnolfdcn.exeLmqgnhmp.exeNacbfdao.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	13f0689e5e74610a9649152e0bb2c380_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nafokcol.exe

Malware Dropper & Backdoor - Berbew 33 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\Windows\SysWOW64\Jbkjjblm.exe	family_berbew
C:\Windows\SysWOW64\Jjbako32.exe	family_berbew
C:\Windows\SysWOW64\Jidbflcj.exe	family_berbew
C:\Windows\SysWOW64\Jbmfoa32.exe	family_berbew
C:\Windows\SysWOW64\Jigollag.exe	family_berbew
C:\Windows\SysWOW64\Jangmibi.exe	family_berbew
C:\Windows\SysWOW64\Jpaghf32.exe	family_berbew
C:\Windows\SysWOW64\Jbocea32.exe	family_berbew
C:\Windows\SysWOW64\Jiikak32.exe	family_berbew
C:\Windows\SysWOW64\Kaqcbi32.exe	family_berbew
C:\Windows\SysWOW64\Kkihknfg.exe	family_berbew
C:\Windows\SysWOW64\Kilhgk32.exe	family_berbew
C:\Windows\SysWOW64\Kdaldd32.exe	family_berbew
C:\Windows\SysWOW64\Kgphpo32.exe	family_berbew
C:\Windows\SysWOW64\Kaemnhla.exe	family_berbew
C:\Windows\SysWOW64\Kdcijcke.exe	family_berbew
C:\Windows\SysWOW64\Kipabjil.exe	family_berbew
C:\Windows\SysWOW64\Kdffocib.exe	family_berbew
C:\Windows\SysWOW64\Kkpnlm32.exe	family_berbew
C:\Windows\SysWOW64\Kmnjhioc.exe	family_berbew
C:\Windows\SysWOW64\Kgfoan32.exe	family_berbew
C:\Windows\SysWOW64\Lmqgnhmp.exe	family_berbew
C:\Windows\SysWOW64\Lpocjdld.exe	family_berbew
C:\Windows\SysWOW64\Lcmofolg.exe	family_berbew
C:\Windows\SysWOW64\Liggbi32.exe	family_berbew
C:\Windows\SysWOW64\Ldmlpbbj.exe	family_berbew
C:\Windows\SysWOW64\Lgkhlnbn.exe	family_berbew
C:\Windows\SysWOW64\Lnepih32.exe	family_berbew
C:\Windows\SysWOW64\Lgneampk.exe	family_berbew
C:\Windows\SysWOW64\Lnhmng32.exe	family_berbew
C:\Windows\SysWOW64\Laciofpa.exe	family_berbew
C:\Windows\SysWOW64\Lklnhlfb.exe	family_berbew
C:\Windows\SysWOW64\Nnmopdep.exe	family_berbew

Executes dropped EXE 64 IoCs

Processes:

Jbkjjblm.exeJjbako32.exeJidbflcj.exeJbmfoa32.exeJigollag.exeJangmibi.exeJpaghf32.exeJbocea32.exeJiikak32.exeKaqcbi32.exeKkihknfg.exeKilhgk32.exeKdaldd32.exeKgphpo32.exeKaemnhla.exeKdcijcke.exeKipabjil.exeKdffocib.exeKkpnlm32.exeKmnjhioc.exeKgfoan32.exeLmqgnhmp.exeLpocjdld.exeLcmofolg.exeLiggbi32.exeLdmlpbbj.exeLgkhlnbn.exeLnepih32.exeLgneampk.exeLnhmng32.exeLaciofpa.exeLklnhlfb.exeLddbqa32.exeLcgblncm.exeMjqjih32.exeMnlfigcc.exeMpkbebbf.exeMciobn32.exeMkpgck32.exeMajopeii.exeMpmokb32.exeMgghhlhq.exeMjeddggd.exeMdkhapfj.exeMcnhmm32.exeMkepnjng.exeMncmjfmk.exeMpaifalo.exeMglack32.exeMjjmog32.exeMaaepd32.exeNkjjij32.exeNjljefql.exeNacbfdao.exeNceonl32.exeNgpjnkpf.exeNafokcol.exeNddkgonp.exeNgcgcjnc.exeNnmopdep.exeNdghmo32.exeNgedij32.exeNnolfdcn.exeNcldnkae.exe

pid	process
1564	Jbkjjblm.exe
4244	Jjbako32.exe
3556	Jidbflcj.exe
1712	Jbmfoa32.exe
2276	Jigollag.exe
3572	Jangmibi.exe
1624	Jpaghf32.exe
700	Jbocea32.exe
1636	Jiikak32.exe
5064	Kaqcbi32.exe
1792	Kkihknfg.exe
1672	Kilhgk32.exe
2284	Kdaldd32.exe
972	Kgphpo32.exe
4404	Kaemnhla.exe
4544	Kdcijcke.exe
2692	Kipabjil.exe
3196	Kdffocib.exe
4656	Kkpnlm32.exe
2580	Kmnjhioc.exe
116	Kgfoan32.exe
1996	Lmqgnhmp.exe
2756	Lpocjdld.exe
2668	Lcmofolg.exe
1080	Liggbi32.exe
2260	Ldmlpbbj.exe
2272	Lgkhlnbn.exe
3284	Lnepih32.exe
4104	Lgneampk.exe
1832	Lnhmng32.exe
1184	Laciofpa.exe
2592	Lklnhlfb.exe
4196	Lddbqa32.exe
3360	Lcgblncm.exe
4448	Mjqjih32.exe
4004	Mnlfigcc.exe
4664	Mpkbebbf.exe
2188	Mciobn32.exe
4552	Mkpgck32.exe
3168	Majopeii.exe
1608	Mpmokb32.exe
3668	Mgghhlhq.exe
4624	Mjeddggd.exe
816	Mdkhapfj.exe
2016	Mcnhmm32.exe
2376	Mkepnjng.exe
2696	Mncmjfmk.exe
3916	Mpaifalo.exe
3732	Mglack32.exe
4720	Mjjmog32.exe
2368	Maaepd32.exe
4204	Nkjjij32.exe
4200	Njljefql.exe
4492	Nacbfdao.exe
984	Nceonl32.exe
3692	Ngpjnkpf.exe
2996	Nafokcol.exe
4864	Nddkgonp.exe
3204	Ngcgcjnc.exe
3224	Nnmopdep.exe
2000	Ndghmo32.exe
4804	Ngedij32.exe
2396	Nnolfdcn.exe
2124	Ncldnkae.exe

Drops file in System32 directory 64 IoCs

Processes:

Jpaghf32.exeMajopeii.exeMjjmog32.exeNacbfdao.exeJidbflcj.exeKaqcbi32.exeNceonl32.exeNdghmo32.exeNcldnkae.exeJbocea32.exeLmqgnhmp.exeMciobn32.exeMgghhlhq.exeJangmibi.exeLdmlpbbj.exeMjqjih32.exeMnlfigcc.exeLgkhlnbn.exeMglack32.exeMncmjfmk.exeKgfoan32.exeMcnhmm32.exeNgedij32.exeJbkjjblm.exeJbmfoa32.exeKilhgk32.exeLiggbi32.exeMdkhapfj.exeLcmofolg.exeKdaldd32.exeKmnjhioc.exeLnepih32.exeKgphpo32.exeLklnhlfb.exeNgpjnkpf.exeMkepnjng.exe13f0689e5e74610a9649152e0bb2c380_NeikiAnalytics.exeLddbqa32.exeMaaepd32.exeJjbako32.exeKkihknfg.exeLaciofpa.exeKdcijcke.exeLgneampk.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Jbocea32.exe	Jpaghf32.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Jeiooj32.dll	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Kkihknfg.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Jiikak32.exe	Jbocea32.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Jpaghf32.exe	Jangmibi.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Enbofg32.dll	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Feambf32.dll	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Jigollag.exe	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Bnckcnhb.dll	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kdaldd32.exe
File opened for modification	C:\Windows\SysWOW64\Kgfoan32.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Lnepih32.exe
File created	C:\Windows\SysWOW64\Jflepa32.dll	Jbocea32.exe
File opened for modification	C:\Windows\SysWOW64\Kaemnhla.exe	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Jjbako32.exe	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Kkihknfg.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Jbkjjblm.exe	13f0689e5e74610a9649152e0bb2c380_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Kgfoan32.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jjbako32.exe
File opened for modification	C:\Windows\SysWOW64\Kilhgk32.exe	Kkihknfg.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lgneampk.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2924 5044 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
2924	5044	WerFault.exe	Nkcmohbg.exe

Modifies registry class 64 IoCs

Processes:

Jigollag.exeLpocjdld.exeMcnhmm32.exeKmnjhioc.exeLmqgnhmp.exeMkpgck32.exeMciobn32.exeKilhgk32.exeLcmofolg.exeJiikak32.exeMpaifalo.exeKaqcbi32.exeLgkhlnbn.exeKkihknfg.exeLddbqa32.exeMjeddggd.exeNacbfdao.exeKkpnlm32.exeMjjmog32.exeMglack32.exeKaemnhla.exeMpkbebbf.exeNgedij32.exeKipabjil.exeMaaepd32.exeNgpjnkpf.exeNcldnkae.exeJbocea32.exeLaciofpa.exeJbkjjblm.exeJidbflcj.exeJangmibi.exe13f0689e5e74610a9649152e0bb2c380_NeikiAnalytics.exeJjbako32.exeMajopeii.exeNceonl32.exeNnmopdep.exeNjljefql.exeKgphpo32.exeNgcgcjnc.exeNkjjij32.exeKdffocib.exeLiggbi32.exeLnepih32.exeKgfoan32.exeMncmjfmk.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppaheqp.dll"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichhhi32.dll"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpkbc32.dll"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feambf32.dll"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	13f0689e5e74610a9649152e0bb2c380_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibimpp32.dll"	13f0689e5e74610a9649152e0bb2c380_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeiooj32.dll"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmnjhioc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

13f0689e5e74610a9649152e0bb2c380_NeikiAnalytics.exeJbkjjblm.exeJjbako32.exeJidbflcj.exeJbmfoa32.exeJigollag.exeJangmibi.exeJpaghf32.exeJbocea32.exeJiikak32.exeKaqcbi32.exeKkihknfg.exeKilhgk32.exeKdaldd32.exeKgphpo32.exeKaemnhla.exeKdcijcke.exeKipabjil.exeKdffocib.exeKkpnlm32.exeKmnjhioc.exeKgfoan32.exe

description	pid	process	target process
PID 60 wrote to memory of 1564	60	13f0689e5e74610a9649152e0bb2c380_NeikiAnalytics.exe	Jbkjjblm.exe
PID 60 wrote to memory of 1564	60	13f0689e5e74610a9649152e0bb2c380_NeikiAnalytics.exe	Jbkjjblm.exe
PID 60 wrote to memory of 1564	60	13f0689e5e74610a9649152e0bb2c380_NeikiAnalytics.exe	Jbkjjblm.exe
PID 1564 wrote to memory of 4244	1564	Jbkjjblm.exe	Jjbako32.exe
PID 1564 wrote to memory of 4244	1564	Jbkjjblm.exe	Jjbako32.exe
PID 1564 wrote to memory of 4244	1564	Jbkjjblm.exe	Jjbako32.exe
PID 4244 wrote to memory of 3556	4244	Jjbako32.exe	Jidbflcj.exe
PID 4244 wrote to memory of 3556	4244	Jjbako32.exe	Jidbflcj.exe
PID 4244 wrote to memory of 3556	4244	Jjbako32.exe	Jidbflcj.exe
PID 3556 wrote to memory of 1712	3556	Jidbflcj.exe	Jbmfoa32.exe
PID 3556 wrote to memory of 1712	3556	Jidbflcj.exe	Jbmfoa32.exe
PID 3556 wrote to memory of 1712	3556	Jidbflcj.exe	Jbmfoa32.exe
PID 1712 wrote to memory of 2276	1712	Jbmfoa32.exe	Jigollag.exe
PID 1712 wrote to memory of 2276	1712	Jbmfoa32.exe	Jigollag.exe
PID 1712 wrote to memory of 2276	1712	Jbmfoa32.exe	Jigollag.exe
PID 2276 wrote to memory of 3572	2276	Jigollag.exe	Jangmibi.exe
PID 2276 wrote to memory of 3572	2276	Jigollag.exe	Jangmibi.exe
PID 2276 wrote to memory of 3572	2276	Jigollag.exe	Jangmibi.exe
PID 3572 wrote to memory of 1624	3572	Jangmibi.exe	Jpaghf32.exe
PID 3572 wrote to memory of 1624	3572	Jangmibi.exe	Jpaghf32.exe
PID 3572 wrote to memory of 1624	3572	Jangmibi.exe	Jpaghf32.exe
PID 1624 wrote to memory of 700	1624	Jpaghf32.exe	Jbocea32.exe
PID 1624 wrote to memory of 700	1624	Jpaghf32.exe	Jbocea32.exe
PID 1624 wrote to memory of 700	1624	Jpaghf32.exe	Jbocea32.exe
PID 700 wrote to memory of 1636	700	Jbocea32.exe	Jiikak32.exe
PID 700 wrote to memory of 1636	700	Jbocea32.exe	Jiikak32.exe
PID 700 wrote to memory of 1636	700	Jbocea32.exe	Jiikak32.exe
PID 1636 wrote to memory of 5064	1636	Jiikak32.exe	Kaqcbi32.exe
PID 1636 wrote to memory of 5064	1636	Jiikak32.exe	Kaqcbi32.exe
PID 1636 wrote to memory of 5064	1636	Jiikak32.exe	Kaqcbi32.exe
PID 5064 wrote to memory of 1792	5064	Kaqcbi32.exe	Kkihknfg.exe
PID 5064 wrote to memory of 1792	5064	Kaqcbi32.exe	Kkihknfg.exe
PID 5064 wrote to memory of 1792	5064	Kaqcbi32.exe	Kkihknfg.exe
PID 1792 wrote to memory of 1672	1792	Kkihknfg.exe	Kilhgk32.exe
PID 1792 wrote to memory of 1672	1792	Kkihknfg.exe	Kilhgk32.exe
PID 1792 wrote to memory of 1672	1792	Kkihknfg.exe	Kilhgk32.exe
PID 1672 wrote to memory of 2284	1672	Kilhgk32.exe	Kdaldd32.exe
PID 1672 wrote to memory of 2284	1672	Kilhgk32.exe	Kdaldd32.exe
PID 1672 wrote to memory of 2284	1672	Kilhgk32.exe	Kdaldd32.exe
PID 2284 wrote to memory of 972	2284	Kdaldd32.exe	Kgphpo32.exe
PID 2284 wrote to memory of 972	2284	Kdaldd32.exe	Kgphpo32.exe
PID 2284 wrote to memory of 972	2284	Kdaldd32.exe	Kgphpo32.exe
PID 972 wrote to memory of 4404	972	Kgphpo32.exe	Kaemnhla.exe
PID 972 wrote to memory of 4404	972	Kgphpo32.exe	Kaemnhla.exe
PID 972 wrote to memory of 4404	972	Kgphpo32.exe	Kaemnhla.exe
PID 4404 wrote to memory of 4544	4404	Kaemnhla.exe	Kdcijcke.exe
PID 4404 wrote to memory of 4544	4404	Kaemnhla.exe	Kdcijcke.exe
PID 4404 wrote to memory of 4544	4404	Kaemnhla.exe	Kdcijcke.exe
PID 4544 wrote to memory of 2692	4544	Kdcijcke.exe	Kipabjil.exe
PID 4544 wrote to memory of 2692	4544	Kdcijcke.exe	Kipabjil.exe
PID 4544 wrote to memory of 2692	4544	Kdcijcke.exe	Kipabjil.exe
PID 2692 wrote to memory of 3196	2692	Kipabjil.exe	Kdffocib.exe
PID 2692 wrote to memory of 3196	2692	Kipabjil.exe	Kdffocib.exe
PID 2692 wrote to memory of 3196	2692	Kipabjil.exe	Kdffocib.exe
PID 3196 wrote to memory of 4656	3196	Kdffocib.exe	Kkpnlm32.exe
PID 3196 wrote to memory of 4656	3196	Kdffocib.exe	Kkpnlm32.exe
PID 3196 wrote to memory of 4656	3196	Kdffocib.exe	Kkpnlm32.exe
PID 4656 wrote to memory of 2580	4656	Kkpnlm32.exe	Kmnjhioc.exe
PID 4656 wrote to memory of 2580	4656	Kkpnlm32.exe	Kmnjhioc.exe
PID 4656 wrote to memory of 2580	4656	Kkpnlm32.exe	Kmnjhioc.exe
PID 2580 wrote to memory of 116	2580	Kmnjhioc.exe	Kgfoan32.exe
PID 2580 wrote to memory of 116	2580	Kmnjhioc.exe	Kgfoan32.exe
PID 2580 wrote to memory of 116	2580	Kmnjhioc.exe	Kgfoan32.exe
PID 116 wrote to memory of 1996	116	Kgfoan32.exe	Lmqgnhmp.exe

C:\Users\Admin\AppData\Local\Temp\13f0689e5e74610a9649152e0bb2c380_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\13f0689e5e74610a9649152e0bb2c380_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:60

C:\Windows\SysWOW64\Jbkjjblm.exe
C:\Windows\system32\Jbkjjblm.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\SysWOW64\Jjbako32.exe
C:\Windows\system32\Jjbako32.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4244

C:\Windows\SysWOW64\Jidbflcj.exe
C:\Windows\system32\Jidbflcj.exe
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3556

C:\Windows\SysWOW64\Jbmfoa32.exe
C:\Windows\system32\Jbmfoa32.exe
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\Jigollag.exe
C:\Windows\system32\Jigollag.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\SysWOW64\Jangmibi.exe
C:\Windows\system32\Jangmibi.exe
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3572

C:\Windows\SysWOW64\Jpaghf32.exe
C:\Windows\system32\Jpaghf32.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\Jbocea32.exe
C:\Windows\system32\Jbocea32.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:700

C:\Windows\SysWOW64\Jiikak32.exe
C:\Windows\system32\Jiikak32.exe
10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\Kaqcbi32.exe
C:\Windows\system32\Kaqcbi32.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5064

C:\Windows\SysWOW64\Kkihknfg.exe
C:\Windows\system32\Kkihknfg.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\SysWOW64\Kilhgk32.exe
C:\Windows\system32\Kilhgk32.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\Kdaldd32.exe
C:\Windows\system32\Kdaldd32.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\SysWOW64\Kgphpo32.exe
C:\Windows\system32\Kgphpo32.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\SysWOW64\Kaemnhla.exe
C:\Windows\system32\Kaemnhla.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\SysWOW64\Kdcijcke.exe
C:\Windows\system32\Kdcijcke.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4544

C:\Windows\SysWOW64\Kipabjil.exe
C:\Windows\system32\Kipabjil.exe
18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\SysWOW64\Kdffocib.exe
C:\Windows\system32\Kdffocib.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3196

C:\Windows\SysWOW64\Kkpnlm32.exe
C:\Windows\system32\Kkpnlm32.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\SysWOW64\Kmnjhioc.exe
C:\Windows\system32\Kmnjhioc.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\SysWOW64\Kgfoan32.exe
C:\Windows\system32\Kgfoan32.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:116

C:\Windows\SysWOW64\Lmqgnhmp.exe
C:\Windows\system32\Lmqgnhmp.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1996

C:\Windows\SysWOW64\Lpocjdld.exe
C:\Windows\system32\Lpocjdld.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2756

C:\Windows\SysWOW64\Lcmofolg.exe
C:\Windows\system32\Lcmofolg.exe
25⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2668

C:\Windows\SysWOW64\Liggbi32.exe
C:\Windows\system32\Liggbi32.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1080

C:\Windows\SysWOW64\Ldmlpbbj.exe
C:\Windows\system32\Ldmlpbbj.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2260

C:\Windows\SysWOW64\Lgkhlnbn.exe
C:\Windows\system32\Lgkhlnbn.exe
28⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2272

C:\Windows\SysWOW64\Lnepih32.exe
C:\Windows\system32\Lnepih32.exe
29⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3284

C:\Windows\SysWOW64\Lgneampk.exe
C:\Windows\system32\Lgneampk.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4104

C:\Windows\SysWOW64\Lnhmng32.exe
C:\Windows\system32\Lnhmng32.exe
31⤵
- Executes dropped EXE
PID:1832

C:\Windows\SysWOW64\Laciofpa.exe
C:\Windows\system32\Laciofpa.exe
32⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1184

C:\Windows\SysWOW64\Lklnhlfb.exe
C:\Windows\system32\Lklnhlfb.exe
33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2592

C:\Windows\SysWOW64\Lddbqa32.exe
C:\Windows\system32\Lddbqa32.exe
34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4196

C:\Windows\SysWOW64\Lcgblncm.exe
C:\Windows\system32\Lcgblncm.exe
35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3360

C:\Windows\SysWOW64\Mjqjih32.exe
C:\Windows\system32\Mjqjih32.exe
36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4448

C:\Windows\SysWOW64\Mnlfigcc.exe
C:\Windows\system32\Mnlfigcc.exe
37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4004

C:\Windows\SysWOW64\Mpkbebbf.exe
C:\Windows\system32\Mpkbebbf.exe
38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4664

C:\Windows\SysWOW64\Mciobn32.exe
C:\Windows\system32\Mciobn32.exe
39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2188

C:\Windows\SysWOW64\Mkpgck32.exe
C:\Windows\system32\Mkpgck32.exe
40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4552

C:\Windows\SysWOW64\Majopeii.exe
C:\Windows\system32\Majopeii.exe
41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3168

C:\Windows\SysWOW64\Mpmokb32.exe
C:\Windows\system32\Mpmokb32.exe
42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1608

C:\Windows\SysWOW64\Mgghhlhq.exe
C:\Windows\system32\Mgghhlhq.exe
43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3668

C:\Windows\SysWOW64\Mjeddggd.exe
C:\Windows\system32\Mjeddggd.exe
44⤵
- Executes dropped EXE
- Modifies registry class
PID:4624

C:\Windows\SysWOW64\Mdkhapfj.exe
C:\Windows\system32\Mdkhapfj.exe
45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:816

C:\Windows\SysWOW64\Mcnhmm32.exe
C:\Windows\system32\Mcnhmm32.exe
46⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2016

C:\Windows\SysWOW64\Mkepnjng.exe
C:\Windows\system32\Mkepnjng.exe
47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2376

C:\Windows\SysWOW64\Mncmjfmk.exe
C:\Windows\system32\Mncmjfmk.exe
48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2696

C:\Windows\SysWOW64\Mpaifalo.exe
C:\Windows\system32\Mpaifalo.exe
49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3916

C:\Windows\SysWOW64\Mglack32.exe
C:\Windows\system32\Mglack32.exe
50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3732

C:\Windows\SysWOW64\Mjjmog32.exe
C:\Windows\system32\Mjjmog32.exe
51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4720

C:\Windows\SysWOW64\Maaepd32.exe
C:\Windows\system32\Maaepd32.exe
52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2368

C:\Windows\SysWOW64\Nkjjij32.exe
C:\Windows\system32\Nkjjij32.exe
53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4204

C:\Windows\SysWOW64\Njljefql.exe
C:\Windows\system32\Njljefql.exe
54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4200

C:\Windows\SysWOW64\Nacbfdao.exe
C:\Windows\system32\Nacbfdao.exe
55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4492

C:\Windows\SysWOW64\Nceonl32.exe
C:\Windows\system32\Nceonl32.exe
56⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:984

C:\Windows\SysWOW64\Ngpjnkpf.exe
C:\Windows\system32\Ngpjnkpf.exe
57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3692

C:\Windows\SysWOW64\Nafokcol.exe
C:\Windows\system32\Nafokcol.exe
58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2996

C:\Windows\SysWOW64\Nddkgonp.exe
C:\Windows\system32\Nddkgonp.exe
59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4864

C:\Windows\SysWOW64\Ngcgcjnc.exe
C:\Windows\system32\Ngcgcjnc.exe
60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3204

C:\Windows\SysWOW64\Nnmopdep.exe
C:\Windows\system32\Nnmopdep.exe
61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3224

C:\Windows\SysWOW64\Ndghmo32.exe
C:\Windows\system32\Ndghmo32.exe
62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2000

C:\Windows\SysWOW64\Ngedij32.exe
C:\Windows\system32\Ngedij32.exe
63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4804

C:\Windows\SysWOW64\Nnolfdcn.exe
C:\Windows\system32\Nnolfdcn.exe
64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2396

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
65⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2124

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
66⤵
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 220
67⤵
- Program crash
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5044 -ip 5044
1⤵
PID:2384

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ggpfjejo.dll
Filesize
7KB

MD5
a5bef2e1a7b11ef3c33690e5a1d9e807

SHA1
f3a9e855169087f3a599df77c8c2ff60173f7ce9

SHA256
0e63c8b2352f557d7621508d428e279935cdea66151aa8dfe13d55bdfce71135

SHA512
700bf306cd36dc888cfc0ba9634654c8227345dc1c136e61fce42130fbcc6422195b30d15448acea728f2c52a89f6e55b028fb114e4877c7fd80f8f7f0a54f96

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe
Filesize
229KB

MD5
9b3cc7be527197c6fb4c5a48fda5b2c3

SHA1
ace7bd826ef06da0d29b979c550d44238fb52068

SHA256
19b0c7dbe4c201ab8f432341aa1032786633c785891ec8a469a932d2d2abff33

SHA512
f37354488ebfc622811ca9165a44b7d94d072e53171ccdeedfe1b8f75f5efa6c299b6f5d40ffa95749942f4869edfa5cd250cc0d14bdd79240eedc427909af0c

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe
Filesize
229KB

MD5
8c2ca9823bbc57fbe55a330a26df7e39

SHA1
bd6f97bb0e84660bdb6741432115fdc3ec81a011

SHA256
d228396a1de293014d6fba03c48c1c876a25111116ff209213091a95f9c42c2a

SHA512
47f3e5bf0ddb8fc9c7acc119afd7844ae4f93637fe73239b21e1e1b12ea4a0416b25573094017fab133abe92c352fa89d37f0219aee605d96b20169fa037390e

Download Submit
C:\Windows\SysWOW64\Jbmfoa32.exe
Filesize
229KB

MD5
3980783edcbfef34be88eb2eb12c5447

SHA1
6d2d611363da9434a7fd920825019d4c5f7ab181

SHA256
087398c33bf9f261c273ed975d6a4a14e8d5b0d8643479fad5d62cad7119f5e0

SHA512
29836fc509919e8145a12a5db7a25eaf5fc89be89b352ed2213ad77fe7838b9fcbb02656c9a1e805468812f38064fccad8ae46da671f31d529070bc377d7d2b8

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe
Filesize
229KB

MD5
4e39e99e857c9ea3a07978fb519843a5

SHA1
d78476e361d4bab3debfcb2349877c77f7bbc351

SHA256
860eb2e2cb846770e3674c3f17ca384d7eadbc9d9c579f6a3103d62b3cbccf0e

SHA512
96489801d68bdbb06896eae37b695982624377a055b8e55ddc91b35765eb1bba91fc3194c71fcc114f774a840ab2d0bdb4ae4e137b81758fc49c7bff3645c90a

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe
Filesize
229KB

MD5
02e903a2aa0e44b0a2dc911e915c7bfd

SHA1
05faca7ca8d5516f80a3edb84424f88348c99b45

SHA256
1f78ca2f303810aef03b5d6831316925fe1ac48d6d42f2774f61ea0035c4e282

SHA512
77d5f248f8c97f1f6f59f1a22c80e6a07b2701052b3fca77f162e618d3fe4148fef33088a75369b2419a8aa2eb155df003b69abab3788433af5982037d4aa5f7

Download Submit
C:\Windows\SysWOW64\Jigollag.exe
Filesize
229KB

MD5
a09429254d2e86b1aed60b08c06be155

SHA1
b8c99b7a428c8224a40c7ec8f20918eb3ae98a4c

SHA256
2ba08489d159c78b59259be83bda9c753ab85c1f7e4a4c88e3af287cd00a9243

SHA512
ce2dc736701b22610d4c31c004802411e1c915553214e9e902a974ce85698f19662b981eaf27f234f2a34202908c4761eb3301a508958b147ff9f2f02ffc8db6

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe
Filesize
229KB

MD5
cde9b453a8c43f45e2a3b7b0204a3e9c

SHA1
e9d851c596e6306cac2aae8a7fcc4700aaa04526

SHA256
becdad20a8074d7800fbc7fd743de4aa2162cdc8ca4db0bb8deef6db091c2fff

SHA512
d0f9a417234417111bc68ac9f1f14f8cdaccdeb4c83fc9aa55980f38e934716048ae21967f1279697c42c0f5a9a63e8e8b8e1da9408c9067916b62d8fab33724

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe
Filesize
229KB

MD5
27b64513452068cbe2b69bb2c4d171a9

SHA1
07e48b5eedd4039955a1ad0b4f1c3e0c2e818ba3

SHA256
b4526d6ad4b3c1b2636c50b3b1f6187742ca381809dbcd98ff012966bac8f4a2

SHA512
38114df00879fa9d1b15cbe4ec248a0b7567634aec1e26602a78f55671eb136b31d70ad00e484937555b9052c06fb53781b2393aa2788c39087f8536f311ec50

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe
Filesize
229KB

MD5
a7be24c7d87ff030a41fec83c44ccb05

SHA1
fecbe78b820b598ec6150aede37eb3a107b1ad62

SHA256
6f65a7a14aa5d02d74f25a5d1fdecacacd93048a063251d38bf805ced886dae0

SHA512
b58db4e7551ada3edde60828f12c425adf35b489b8f98373212defe23ab9980a774d9ed6dfb1bc36c8c6dd8ac87118dc064a72551e785d46d915cf7abff05bcb

Download Submit
C:\Windows\SysWOW64\Kaemnhla.exe
Filesize
229KB

MD5
863d14903aa91e9425095db7c3f3c5f0

SHA1
301b9b91b140aeacd4107a27bd5e2cb6767a037b

SHA256
379c5328c4cf2368727c9d8feaf020577d816b4e14908770493da72d725ad8c3

SHA512
54efdb0df358ede0584ba8971a6f6727106d8a5c21af223f95e03cd20dff4cbc6dc619b6a78c5d3621a612a57d264cf0d9885f603affc617d28fdaf24aa9c56c

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe
Filesize
229KB

MD5
c0e9934de263c7bd8373f6c692601b05

SHA1
a77b4554dea4125af6ffbbeac41f11cf6f44a105

SHA256
99990c8938b4d4820044496fbe8f13ee681372549fa2d267093a1dc0a8780428

SHA512
3b464c4d58139df58270a060b828298d5ef174bd1a1bc80119177139e34a1682d4c9084903c794d8e531c108302c08e2aa633dd2fd94227e84a6f3f62896f8af

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe
Filesize
229KB

MD5
223603182668e6ee09687c2029d11c0f

SHA1
4cfd8158c705d1722a7671fb122e462c1438219c

SHA256
0f7a56d8d9dd595c41b6464c267b30474f34a6e5d4fc400cb1aa8bab7063624d

SHA512
32b3e04cc102b0c406f445d784e000820aba87cc117d96bb73c3d4efee020393fbe49ea48c5426f1e8f80fcf55088d75d622b98692f54f8e15f54c4cc01585dc

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe
Filesize
229KB

MD5
0dda389c0f51115c88802cd6cb697ff8

SHA1
b64ae13590602bf650117c038e0f45d57e9d31b6

SHA256
8b81f0f1fce1faf4e78eefcf952e7a0e201b4990dab90a9e4e7942466b8e2afb

SHA512
94e124fa03f93d3510a2d654ca88e0c41c6d0fb4f3c77716e75b0400b4152cbb110d24e4639e63c959069a61cd8e7b9d812483e9e898af672038c9706081200c

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe
Filesize
229KB

MD5
c9aa645a56727b1cb8f0bd93d9829d13

SHA1
28f1e8084b640694b95a5cb1f3c6dbd8c0d93f78

SHA256
56aa8ba726c9ec7a843f226c627b270c2e588bddf681648ea1acd161b61a8785

SHA512
91fed793040e9b7981d22c8d5cae81a1e5df5cd2f758ad0db7ebeb67a146509e1ff924ea11a113f86813eb5ff31b9e14eb5f62b00791cd391e16295953fe47ab

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe
Filesize
229KB

MD5
d805ffe8c5a11d539ef1418c65b287e2

SHA1
2966a6a2cabf3290fdb3a56fed13e6792c814ca2

SHA256
38461045e1b34283f5448ee52600cad4cd984ecbd6b51d3a317a8e7ad92393a2

SHA512
36d577ac554cb6fd9c48e71240deb8eaf262fdb3a2c8e010c4743d6e874b9d20c1c5e0f3301babbf6e3647f55977a3487e8eabf8d498acf89dffd4e05a71e846

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe
Filesize
229KB

MD5
a42226af8f155cf406451877e546cdb9

SHA1
10d8c6f4f0503c0e1f7a6ba3721c1a70bf1e2425

SHA256
42e79f484d8dba8e834192f053c970b71b38a601410bae43f12993b43f3b2c64

SHA512
d977109be1c096791cc05afa03b9bd6487ff16664b488f9c2b589ce08adcaedcc8f599dbe63d80325921d162b3e595b249007c8b776c40a8ab16a66f32993069

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe
Filesize
229KB

MD5
c8d007a02247f924b69f1ae0f0f01240

SHA1
aac93bbd40146e7ed0d37a14d3b83de1bc003029

SHA256
aa2c638476cc636208281ba5080acf629323b34678df146298197c9d8e9687ae

SHA512
9b46ce86c4e89f4f9fec7d2dc9e9a3362c019626a002943aa7f0fbe2835d5dda86e3cfd471b165db8176847d24f1e4900f01599390d790e4aabe98d7c378e054

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe
Filesize
229KB

MD5
5d6ee180a01b124636ef74ec533a66b0

SHA1
997f776c52a140db484070dc39d76ab5643a0ca0

SHA256
20387cff9c456e53583b34a078b35b2be9b6e8501aced66027b74478acc2f283

SHA512
e03e473498d8e06ab2b44681dfa4870ddf26cad1250c8e6fb73d86a240c4bdf4f25921d18999006dd7d8ef38027559d93c4a78ebfa0a9be1dd9ad9ef087e6e0a

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe
Filesize
229KB

MD5
e15481cd5828735bb5f790670304aaa8

SHA1
6ac4e91d1a5e3ac833f6517b43e8d31e846c4a44

SHA256
29147c780a13cf8a60410d4782418eb9dd8c18e6ac3348c7aa247dae5546aaee

SHA512
1088e7ae99f6128cc25249488944abc006c6525930c692767c0cd14270beee12187cf9994ba5c42b4b79ce833587da79b2f2e084c0039a38da18637834199d9c

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe
Filesize
229KB

MD5
019f905c6082eed116aad5eb27634dad

SHA1
24607297c273cdea41683c3c9f6170f76e8a7812

SHA256
4a1083ca946f75cc4244d684711341a770106197c112d6baa46d6e1e2451abab

SHA512
b1bc8370ec70a91848787a07e264a1cdd198be5133022e0699c8e6c6f6ee0d2d73691f7349bebef44b67e2084559b95796840671e70aa3f7505ea5b942a0ca65

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe
Filesize
229KB

MD5
e965d8e9f8f03944d066d3b9e0d7f9fe

SHA1
d1e6b090874d2fe9eaa07e2fef51faea02521300

SHA256
94c7ce7bfd42944c32af487bca53e4c49cb78022c42a70813d7f6f5d4cf9a1ed

SHA512
3bef5027c48b6bb70cee3409ed9b81b6e8597e236ae34e95fafb27c5f014aef1df3ad23e33ac7122c141c9e7bc9a809b85fc3e9dfca4554bd7f35face109748e

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe
Filesize
229KB

MD5
285f79449a698e695dd64bd867833f2d

SHA1
2c62852df5009df4cccc2c5ada5429a121999c90

SHA256
08bc04a158ed6ae6ac724579b888113f47ebcd09e9449a60be26407323e56e18

SHA512
5e557faf33b29b6345cc4e845b33d269c4b7a74347bfb2d47709dd53367ca058a9b24980bea06bce0f104105c9d586089bfa89cac30dfc22bc4a793445a0bf1b

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe
Filesize
229KB

MD5
bfa01cada3e55d4ee687f68c353e6fd3

SHA1
c10bccacd7953fd45a0def2f5f331aa3e3054a26

SHA256
170ce636acecd10b2a277769b0b898f7765899050b56e5ea3507919460a3f29c

SHA512
e0f66603c9527c046041e66f9bac46da59042893b4fb58d8f96b411954ef9b8f0a91bfdb3ce368b0a3beff12ab88d3fe963e5fa63a341e581f950b4600b9a066

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe
Filesize
229KB

MD5
3c9b9675f73c6098a1ce5450d84cd0ee

SHA1
c9bf3c2a1cfa684ca53185358b4b43b535bba6e7

SHA256
439e10c3144cee131b189f2cf9a4bed6d2817f777ce4816c9ccb82620bd8d3ce

SHA512
476dfdaf584f4d9f4b90f84ab3a1de019925c947e4bc682993375f81da4ae8f18e531f1423347e4dce85c8284f3c50c8c838bb9ae652245ad60ff9df0b87b0ff

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe
Filesize
229KB

MD5
62676f0a24a1cdb2cd7199907492b1a9

SHA1
360a61bba3ce1ea1a522b3267b6dfd70e1746bae

SHA256
11c3d7de4856fb577cf4d6ccfb67f814d797be58c9fd33f36f8d8d4aa49810a6

SHA512
ca4fdb94a3e1e64811af029c5d134a680d5534f80c7a40b8fbfb20b69f6b33b1cb8547044001f7ac2da9f8f8c923eaca4b740f468294ce271cae7011ccdf7031

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe
Filesize
229KB

MD5
adc4105ca2c7265b31255738d001dce5

SHA1
6461418134c7cfe7047f6700acefb68ca304f056

SHA256
b39c012be396c2f962f8b13dcde54ee202c963ba9930282c7584491a08e31bd7

SHA512
4ec4f05082f5d610834ab552cd9635b0e283f2408a340e998e42ac03a57bb716c0a61ec715d174d07a5b0b7fe58df872f59119be39b5f3f376f54333ebdc739c

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe
Filesize
229KB

MD5
5b0131586581e87e6ea9019efd96c3f1

SHA1
b6e0eccde1a15330a3fc85907d60eaa808009d82

SHA256
ed87be7a17db30c3dad53c021db282691263e800e5f490f098274aed26351593

SHA512
b38ed9c8aac7ec46da15cf18a6426010907f44425d9a1446b8292dfd9cda8935ac87a08ff0d05c3d42b35fbc90695a60ad681d02a7618e4d43da8371dffcc8b1

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe
Filesize
229KB

MD5
e1f0903dcf1c28a278d482ccff0fbb72

SHA1
3410d4f2f8afd4659ca08eb2f0f6236533daa288

SHA256
4463aa4af7e613d06eb2193b30cae7ea29ecf606c5231743c3c88ec437182486

SHA512
76fdf53ec9088e4cec70fec3490cfe3dd805629c9aee51049d4fa28996cbdeace5309a9c8688b32c88d897fbf9aac6b61956b90340bc0eefd6cb1d8addd5cbe6

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe
Filesize
229KB

MD5
1c97683a4dbfec3c34ebf5d0a3a8fd65

SHA1
185acba6e164da17631fe9e1616465294e174ad4

SHA256
cf73ca7dcb47874ccd5cd42cba71a6bf273c8a6d56d6058cabe98ecab1b97f50

SHA512
32cae509661aac27b1d9941e47e9e45db8dbcc8be41bc41111b8066ab40241b684bb24cf2af740b33bf2eacf9e9440a9e5049949ce6f127034d521cf9882baaf

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe
Filesize
229KB

MD5
1b9bb1ad51ad496211cb99e8e9db8909

SHA1
991bb9601114cbd6574fb88acaec3498a5f7d70c

SHA256
b295cb2864ffd38c64ba54bb06efca7e9212cc6106b78bfbcd9c35105ce53c3b

SHA512
476935c1417e614871eb3904ebfca335853326a7d5f6ec29889c3ce77ec61ba97c4545bfeece3573501032d600d9390ee10a1f612920f94e54df28112293c8d9

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe
Filesize
229KB

MD5
07bab57497d3a8336fbf165c9d5528ef

SHA1
c02199151379a0f5ec2629081bf921e7a0976b27

SHA256
3ca03dbdf5eae3d56fff2dfae66925e096db625e53304acb18d285060b5954e8

SHA512
4e4c2e67dd9d8fcb9d9e75dfee81f76eec3b6a4db0055fa08af5675f41344009ddc856553a51c43e77ada96c2bd12f50076f36e23e039948d706c30517f74319

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe
Filesize
229KB

MD5
0f42955fd46a0f2b941b35450b432f59

SHA1
f2e2714fd9283f89464a708ba147a2396c3304e4

SHA256
41703e454c443c49fa26847900e5664194e1f67b5376e9900f83251f61b80316

SHA512
7f4e2c5104f48b17c1f0304bf35f228f641008fd4a9dbde1a77ded9c30c3d7c87f76472b1178fa31256c24c7cc2c7078edb7456fb72805224145df2388546a60

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe
Filesize
229KB

MD5
7a72cdabf98f3a5183384aaced973cf1

SHA1
36aeab4157159d5f8ee5cefff974237388ace95c

SHA256
db0ebf510cd1dfc7fe67cf994e768c1b5235e0487967535105850feab30c9c2b

SHA512
b34a990654a36103ecacd66d2481b5985c03175fcb3f7a51ced7da3547409c8d16faf2d6b80b4b702568b974a9392b5c827846e5007aa51110af9c7001a6bab3

Download Submit
memory/60-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/116-479-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/116-168-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/700-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/816-332-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/972-112-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/984-399-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1080-476-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1080-199-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1184-252-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1564-12-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1608-314-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1624-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1636-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1672-96-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1712-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1792-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1832-244-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1996-180-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1996-478-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2000-456-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2000-433-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2016-338-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2124-452-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2188-292-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2188-471-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2260-212-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2272-220-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2276-44-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2284-104-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2368-464-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2368-370-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2376-340-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2376-467-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2396-442-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2396-457-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2580-480-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2580-160-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2592-475-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2592-256-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2668-477-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2668-192-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2692-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2692-483-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2696-350-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2756-188-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2996-460-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2996-406-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3168-469-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3168-304-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3196-482-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3196-143-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3204-459-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3204-418-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3224-458-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3224-424-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3284-229-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3360-474-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3360-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3556-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3572-52-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3668-320-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3692-400-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3692-461-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3732-465-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3732-358-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3916-466-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3916-352-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4004-280-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4004-473-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4104-243-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4196-266-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4200-386-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4204-376-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4204-463-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4244-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4404-125-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4448-278-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4492-388-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4492-462-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4544-128-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4544-484-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4552-298-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4552-470-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4624-322-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4624-468-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4656-481-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4656-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4664-472-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4664-286-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4720-369-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4804-455-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4804-439-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4864-416-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5044-454-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5064-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download