7915ddf4ee927b0edad001c8692939048cb3172a23bec2acbb042fa870f4b5e9

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
27-05-2024 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21fedd7bb3cdc5638bca756f4087e2f0_NeikiAnalytics.exe
Size

94KB
MD5

21fedd7bb3cdc5638bca756f4087e2f0
SHA1

70225028b3652dfa3ffaec7affd79bcdd037b80f
SHA256

7915ddf4ee927b0edad001c8692939048cb3172a23bec2acbb042fa870f4b5e9
SHA512

0841eefa3b4e2c7273c33c0ffa371ab5b5fd56ab56a7f922e67081d831bb0d68678354baba6321143a5cb97d0a142b63f16eb6f0432454be3faade2c5653be21
SSDEEP

1536:tWOdjkTgFqzGt5F3SKFPfrry+qG7d2jF3CrRQD5yRfRa9HprmRfRZ:tWO0gwzGt5hSKFbr7Aj8eDc5wkpv

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Nnmopdep.exeLalcng32.exeLgbnmm32.exeMamleegg.exeMnfipekh.exeNdbnboqb.exeNkncdifl.exeLmqgnhmp.exeMjcgohig.exeMajopeii.exeNacbfdao.exeNgpjnkpf.exeNggqoj32.exeLaalifad.exeMpkbebbf.exeKkbkamnl.exeLijdhiaa.exeNcihikcg.exeKajfig32.exeMcpebmkb.exeMpdelajl.exeMkbchk32.exeMkgmcjld.exeNjcpee32.exeMpaifalo.exeMgnnhk32.exeLdmlpbbj.exeLpcmec32.exeMnlfigcc.exeLgpagm32.exeLcmofolg.exeMcklgm32.exeLdaeka32.exe21fedd7bb3cdc5638bca756f4087e2f0_NeikiAnalytics.exeKckbqpnj.exeLaopdgcg.exeLkdggmlj.exeNqklmpdd.exeNbkhfc32.exeLgneampk.exeLjnnch32.exeMdfofakp.exeMkepnjng.exeLddbqa32.exeMncmjfmk.exeNqiogp32.exeLiggbi32.exeLilanioo.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	21fedd7bb3cdc5638bca756f4087e2f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe

Malware Dropper & Backdoor - Berbew 64 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
behavioral2/memory/1660-0-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kajfig32.exe	family_berbew
behavioral2/memory/4768-8-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kckbqpnj.exe	family_berbew
C:\Windows\SysWOW64\Kkbkamnl.exe	family_berbew
behavioral2/memory/4624-20-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/4832-24-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Lmqgnhmp.exe	family_berbew
C:\Windows\SysWOW64\Lalcng32.exe	family_berbew
behavioral2/memory/4292-36-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/4524-39-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Lcmofolg.exe	family_berbew
behavioral2/memory/1908-52-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/1836-55-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Lkdggmlj.exe	family_berbew
C:\Windows\SysWOW64\Liggbi32.exe	family_berbew
behavioral2/memory/1636-64-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Laopdgcg.exe	family_berbew
C:\Windows\SysWOW64\Ldmlpbbj.exe	family_berbew
behavioral2/memory/4856-80-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/2424-72-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Lgkhlnbn.exe	family_berbew
behavioral2/memory/4368-88-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Lijdhiaa.exe	family_berbew
behavioral2/memory/4584-96-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Laalifad.exe	family_berbew
behavioral2/memory/984-107-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Lpcmec32.exe	family_berbew
behavioral2/memory/912-111-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Lgneampk.exe	family_berbew
C:\Windows\SysWOW64\Lgneampk.exe	family_berbew
behavioral2/memory/4468-124-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Lilanioo.exe	family_berbew
behavioral2/memory/4388-128-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Laciofpa.exe	family_berbew
behavioral2/memory/4736-136-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Ldaeka32.exe	family_berbew
C:\Windows\SysWOW64\Ldaeka32.exe	family_berbew
behavioral2/memory/4892-144-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Lgpagm32.exe	family_berbew
behavioral2/memory/3964-152-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/2452-159-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Ljnnch32.exe	family_berbew
C:\Windows\SysWOW64\Laefdf32.exe	family_berbew
behavioral2/memory/3548-172-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Lddbqa32.exe	family_berbew
behavioral2/memory/2060-176-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Lgbnmm32.exe	family_berbew
behavioral2/memory/2092-183-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Mnlfigcc.exe	family_berbew
behavioral2/memory/2564-191-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Mpkbebbf.exe	family_berbew
C:\Windows\SysWOW64\Mdfofakp.exe	family_berbew
behavioral2/memory/3552-204-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/3300-208-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Mkpgck32.exe	family_berbew
behavioral2/memory/3148-216-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Mjcgohig.exe	family_berbew
behavioral2/memory/4068-224-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Majopeii.exe	family_berbew
C:\Windows\SysWOW64\Majopeii.exe	family_berbew
behavioral2/memory/4752-232-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Mcklgm32.exe	family_berbew
behavioral2/memory/3668-244-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew

Executes dropped EXE 58 IoCs

Processes:

Kajfig32.exeKckbqpnj.exeKkbkamnl.exeLmqgnhmp.exeLalcng32.exeLcmofolg.exeLkdggmlj.exeLiggbi32.exeLaopdgcg.exeLdmlpbbj.exeLgkhlnbn.exeLijdhiaa.exeLaalifad.exeLpcmec32.exeLgneampk.exeLilanioo.exeLaciofpa.exeLdaeka32.exeLgpagm32.exeLjnnch32.exeLaefdf32.exeLddbqa32.exeLgbnmm32.exeMnlfigcc.exeMpkbebbf.exeMdfofakp.exeMkpgck32.exeMjcgohig.exeMajopeii.exeMcklgm32.exeMkbchk32.exeMamleegg.exeMcnhmm32.exeMkepnjng.exeMncmjfmk.exeMpaifalo.exeMcpebmkb.exeMkgmcjld.exeMnfipekh.exeMpdelajl.exeMgnnhk32.exeNjljefql.exeNacbfdao.exeNdbnboqb.exeNgpjnkpf.exeNklfoi32.exeNafokcol.exeNqiogp32.exeNkncdifl.exeNnmopdep.exeNqklmpdd.exeNcihikcg.exeNgedij32.exeNjcpee32.exeNbkhfc32.exeNdidbn32.exeNggqoj32.exeNkcmohbg.exe

pid	process
4768	Kajfig32.exe
4624	Kckbqpnj.exe
4832	Kkbkamnl.exe
4292	Lmqgnhmp.exe
4524	Lalcng32.exe
1908	Lcmofolg.exe
1836	Lkdggmlj.exe
1636	Liggbi32.exe
2424	Laopdgcg.exe
4856	Ldmlpbbj.exe
4368	Lgkhlnbn.exe
4584	Lijdhiaa.exe
984	Laalifad.exe
912	Lpcmec32.exe
4468	Lgneampk.exe
4388	Lilanioo.exe
4736	Laciofpa.exe
4892	Ldaeka32.exe
3964	Lgpagm32.exe
2452	Ljnnch32.exe
3548	Laefdf32.exe
2060	Lddbqa32.exe
2092	Lgbnmm32.exe
2564	Mnlfigcc.exe
3552	Mpkbebbf.exe
3300	Mdfofakp.exe
3148	Mkpgck32.exe
4068	Mjcgohig.exe
4752	Majopeii.exe
3668	Mcklgm32.exe
644	Mkbchk32.exe
3608	Mamleegg.exe
1376	Mcnhmm32.exe
2232	Mkepnjng.exe
1928	Mncmjfmk.exe
1480	Mpaifalo.exe
3736	Mcpebmkb.exe
4060	Mkgmcjld.exe
4456	Mnfipekh.exe
2332	Mpdelajl.exe
236	Mgnnhk32.exe
4880	Njljefql.exe
3696	Nacbfdao.exe
4408	Ndbnboqb.exe
4652	Ngpjnkpf.exe
4512	Nklfoi32.exe
2392	Nafokcol.exe
1384	Nqiogp32.exe
2088	Nkncdifl.exe
3348	Nnmopdep.exe
4288	Nqklmpdd.exe
1716	Ncihikcg.exe
4800	Ngedij32.exe
1752	Njcpee32.exe
1732	Nbkhfc32.exe
2432	Ndidbn32.exe
2492	Nggqoj32.exe
3432	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

Processes:

Kajfig32.exeLgneampk.exeLjnnch32.exeMkgmcjld.exeNjljefql.exeNacbfdao.exeNdbnboqb.exe21fedd7bb3cdc5638bca756f4087e2f0_NeikiAnalytics.exeNdidbn32.exeLijdhiaa.exeLdaeka32.exeLgpagm32.exeLgbnmm32.exeNgedij32.exeKkbkamnl.exeMcpebmkb.exeMnfipekh.exeNqklmpdd.exeLilanioo.exeLaefdf32.exeMkpgck32.exeMncmjfmk.exeLpcmec32.exeMjcgohig.exeMajopeii.exeMkepnjng.exeLaopdgcg.exeMpdelajl.exeNbkhfc32.exeLkdggmlj.exeLalcng32.exeLaciofpa.exeNqiogp32.exeLddbqa32.exeMcklgm32.exeKckbqpnj.exeMnlfigcc.exeMgnnhk32.exeNjcpee32.exeLgkhlnbn.exeNklfoi32.exeLmqgnhmp.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	21fedd7bb3cdc5638bca756f4087e2f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	21fedd7bb3cdc5638bca756f4087e2f0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Lmqgnhmp.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1780 3432 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
1780	3432	WerFault.exe	Nkcmohbg.exe

Modifies registry class 64 IoCs

Processes:

Lgneampk.exeMkpgck32.exeNacbfdao.exeLpcmec32.exeLdmlpbbj.exeLaalifad.exeMkepnjng.exeMnfipekh.exeMpdelajl.exeLalcng32.exeLaciofpa.exeMamleegg.exeMncmjfmk.exeNjljefql.exeKkbkamnl.exeLgpagm32.exeMnlfigcc.exeMcpebmkb.exeNkncdifl.exeLiggbi32.exeLijdhiaa.exeLdaeka32.exeMjcgohig.exeMkbchk32.exeNcihikcg.exeNjcpee32.exe21fedd7bb3cdc5638bca756f4087e2f0_NeikiAnalytics.exeMpkbebbf.exeMcnhmm32.exeNafokcol.exeLmqgnhmp.exeMkgmcjld.exeLaefdf32.exeLaopdgcg.exeNbkhfc32.exeKckbqpnj.exeLkdggmlj.exeMpaifalo.exeNdidbn32.exeMdfofakp.exeNgpjnkpf.exeLjnnch32.exeNdbnboqb.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	21fedd7bb3cdc5638bca756f4087e2f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnnj32.dll"	21fedd7bb3cdc5638bca756f4087e2f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

21fedd7bb3cdc5638bca756f4087e2f0_NeikiAnalytics.exeKajfig32.exeKckbqpnj.exeKkbkamnl.exeLmqgnhmp.exeLalcng32.exeLcmofolg.exeLkdggmlj.exeLiggbi32.exeLaopdgcg.exeLdmlpbbj.exeLgkhlnbn.exeLijdhiaa.exeLaalifad.exeLpcmec32.exeLgneampk.exeLilanioo.exeLaciofpa.exeLdaeka32.exeLgpagm32.exeLjnnch32.exeLaefdf32.exe

description	pid	process	target process
PID 1660 wrote to memory of 4768	1660	21fedd7bb3cdc5638bca756f4087e2f0_NeikiAnalytics.exe	Kajfig32.exe
PID 1660 wrote to memory of 4768	1660	21fedd7bb3cdc5638bca756f4087e2f0_NeikiAnalytics.exe	Kajfig32.exe
PID 1660 wrote to memory of 4768	1660	21fedd7bb3cdc5638bca756f4087e2f0_NeikiAnalytics.exe	Kajfig32.exe
PID 4768 wrote to memory of 4624	4768	Kajfig32.exe	Kckbqpnj.exe
PID 4768 wrote to memory of 4624	4768	Kajfig32.exe	Kckbqpnj.exe
PID 4768 wrote to memory of 4624	4768	Kajfig32.exe	Kckbqpnj.exe
PID 4624 wrote to memory of 4832	4624	Kckbqpnj.exe	Kkbkamnl.exe
PID 4624 wrote to memory of 4832	4624	Kckbqpnj.exe	Kkbkamnl.exe
PID 4624 wrote to memory of 4832	4624	Kckbqpnj.exe	Kkbkamnl.exe
PID 4832 wrote to memory of 4292	4832	Kkbkamnl.exe	Lmqgnhmp.exe
PID 4832 wrote to memory of 4292	4832	Kkbkamnl.exe	Lmqgnhmp.exe
PID 4832 wrote to memory of 4292	4832	Kkbkamnl.exe	Lmqgnhmp.exe
PID 4292 wrote to memory of 4524	4292	Lmqgnhmp.exe	Lalcng32.exe
PID 4292 wrote to memory of 4524	4292	Lmqgnhmp.exe	Lalcng32.exe
PID 4292 wrote to memory of 4524	4292	Lmqgnhmp.exe	Lalcng32.exe
PID 4524 wrote to memory of 1908	4524	Lalcng32.exe	Lcmofolg.exe
PID 4524 wrote to memory of 1908	4524	Lalcng32.exe	Lcmofolg.exe
PID 4524 wrote to memory of 1908	4524	Lalcng32.exe	Lcmofolg.exe
PID 1908 wrote to memory of 1836	1908	Lcmofolg.exe	Lkdggmlj.exe
PID 1908 wrote to memory of 1836	1908	Lcmofolg.exe	Lkdggmlj.exe
PID 1908 wrote to memory of 1836	1908	Lcmofolg.exe	Lkdggmlj.exe
PID 1836 wrote to memory of 1636	1836	Lkdggmlj.exe	Liggbi32.exe
PID 1836 wrote to memory of 1636	1836	Lkdggmlj.exe	Liggbi32.exe
PID 1836 wrote to memory of 1636	1836	Lkdggmlj.exe	Liggbi32.exe
PID 1636 wrote to memory of 2424	1636	Liggbi32.exe	Laopdgcg.exe
PID 1636 wrote to memory of 2424	1636	Liggbi32.exe	Laopdgcg.exe
PID 1636 wrote to memory of 2424	1636	Liggbi32.exe	Laopdgcg.exe
PID 2424 wrote to memory of 4856	2424	Laopdgcg.exe	Ldmlpbbj.exe
PID 2424 wrote to memory of 4856	2424	Laopdgcg.exe	Ldmlpbbj.exe
PID 2424 wrote to memory of 4856	2424	Laopdgcg.exe	Ldmlpbbj.exe
PID 4856 wrote to memory of 4368	4856	Ldmlpbbj.exe	Lgkhlnbn.exe
PID 4856 wrote to memory of 4368	4856	Ldmlpbbj.exe	Lgkhlnbn.exe
PID 4856 wrote to memory of 4368	4856	Ldmlpbbj.exe	Lgkhlnbn.exe
PID 4368 wrote to memory of 4584	4368	Lgkhlnbn.exe	Lijdhiaa.exe
PID 4368 wrote to memory of 4584	4368	Lgkhlnbn.exe	Lijdhiaa.exe
PID 4368 wrote to memory of 4584	4368	Lgkhlnbn.exe	Lijdhiaa.exe
PID 4584 wrote to memory of 984	4584	Lijdhiaa.exe	Laalifad.exe
PID 4584 wrote to memory of 984	4584	Lijdhiaa.exe	Laalifad.exe
PID 4584 wrote to memory of 984	4584	Lijdhiaa.exe	Laalifad.exe
PID 984 wrote to memory of 912	984	Laalifad.exe	Lpcmec32.exe
PID 984 wrote to memory of 912	984	Laalifad.exe	Lpcmec32.exe
PID 984 wrote to memory of 912	984	Laalifad.exe	Lpcmec32.exe
PID 912 wrote to memory of 4468	912	Lpcmec32.exe	Lgneampk.exe
PID 912 wrote to memory of 4468	912	Lpcmec32.exe	Lgneampk.exe
PID 912 wrote to memory of 4468	912	Lpcmec32.exe	Lgneampk.exe
PID 4468 wrote to memory of 4388	4468	Lgneampk.exe	Lilanioo.exe
PID 4468 wrote to memory of 4388	4468	Lgneampk.exe	Lilanioo.exe
PID 4468 wrote to memory of 4388	4468	Lgneampk.exe	Lilanioo.exe
PID 4388 wrote to memory of 4736	4388	Lilanioo.exe	Laciofpa.exe
PID 4388 wrote to memory of 4736	4388	Lilanioo.exe	Laciofpa.exe
PID 4388 wrote to memory of 4736	4388	Lilanioo.exe	Laciofpa.exe
PID 4736 wrote to memory of 4892	4736	Laciofpa.exe	Ldaeka32.exe
PID 4736 wrote to memory of 4892	4736	Laciofpa.exe	Ldaeka32.exe
PID 4736 wrote to memory of 4892	4736	Laciofpa.exe	Ldaeka32.exe
PID 4892 wrote to memory of 3964	4892	Ldaeka32.exe	Lgpagm32.exe
PID 4892 wrote to memory of 3964	4892	Ldaeka32.exe	Lgpagm32.exe
PID 4892 wrote to memory of 3964	4892	Ldaeka32.exe	Lgpagm32.exe
PID 3964 wrote to memory of 2452	3964	Lgpagm32.exe	Ljnnch32.exe
PID 3964 wrote to memory of 2452	3964	Lgpagm32.exe	Ljnnch32.exe
PID 3964 wrote to memory of 2452	3964	Lgpagm32.exe	Ljnnch32.exe
PID 2452 wrote to memory of 3548	2452	Ljnnch32.exe	Laefdf32.exe
PID 2452 wrote to memory of 3548	2452	Ljnnch32.exe	Laefdf32.exe
PID 2452 wrote to memory of 3548	2452	Ljnnch32.exe	Laefdf32.exe
PID 3548 wrote to memory of 2060	3548	Laefdf32.exe	Lddbqa32.exe

C:\Users\Admin\AppData\Local\Temp\21fedd7bb3cdc5638bca756f4087e2f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\21fedd7bb3cdc5638bca756f4087e2f0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\SysWOW64\Kajfig32.exe
C:\Windows\system32\Kajfig32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4768

C:\Windows\SysWOW64\Kckbqpnj.exe
C:\Windows\system32\Kckbqpnj.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4624

C:\Windows\SysWOW64\Kkbkamnl.exe
C:\Windows\system32\Kkbkamnl.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4832

C:\Windows\SysWOW64\Lmqgnhmp.exe
C:\Windows\system32\Lmqgnhmp.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4292

C:\Windows\SysWOW64\Lalcng32.exe
C:\Windows\system32\Lalcng32.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4524

C:\Windows\SysWOW64\Lcmofolg.exe
C:\Windows\system32\Lcmofolg.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\SysWOW64\Lkdggmlj.exe
C:\Windows\system32\Lkdggmlj.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\SysWOW64\Liggbi32.exe
C:\Windows\system32\Liggbi32.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\Laopdgcg.exe
C:\Windows\system32\Laopdgcg.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\SysWOW64\Ldmlpbbj.exe
C:\Windows\system32\Ldmlpbbj.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4856

C:\Windows\SysWOW64\Lgkhlnbn.exe
C:\Windows\system32\Lgkhlnbn.exe
12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4368

C:\Windows\SysWOW64\Lijdhiaa.exe
C:\Windows\system32\Lijdhiaa.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4584

C:\Windows\SysWOW64\Laalifad.exe
C:\Windows\system32\Laalifad.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\SysWOW64\Lpcmec32.exe
C:\Windows\system32\Lpcmec32.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\SysWOW64\Lgneampk.exe
C:\Windows\system32\Lgneampk.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\SysWOW64\Lilanioo.exe
C:\Windows\system32\Lilanioo.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\SysWOW64\Laciofpa.exe
C:\Windows\system32\Laciofpa.exe
18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4736

C:\Windows\SysWOW64\Ldaeka32.exe
C:\Windows\system32\Ldaeka32.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\SysWOW64\Lgpagm32.exe
C:\Windows\system32\Lgpagm32.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\SysWOW64\Ljnnch32.exe
C:\Windows\system32\Ljnnch32.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2452

C:\Windows\SysWOW64\Laefdf32.exe
C:\Windows\system32\Laefdf32.exe
22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\SysWOW64\Lddbqa32.exe
C:\Windows\system32\Lddbqa32.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2060

C:\Windows\SysWOW64\Lgbnmm32.exe
C:\Windows\system32\Lgbnmm32.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2092

C:\Windows\SysWOW64\Mnlfigcc.exe
C:\Windows\system32\Mnlfigcc.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2564

C:\Windows\SysWOW64\Mpkbebbf.exe
C:\Windows\system32\Mpkbebbf.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3552

C:\Windows\SysWOW64\Mdfofakp.exe
C:\Windows\system32\Mdfofakp.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3300

C:\Windows\SysWOW64\Mkpgck32.exe
C:\Windows\system32\Mkpgck32.exe
28⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3148

C:\Windows\SysWOW64\Mjcgohig.exe
C:\Windows\system32\Mjcgohig.exe
29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4068

C:\Windows\SysWOW64\Majopeii.exe
C:\Windows\system32\Majopeii.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4752

C:\Windows\SysWOW64\Mcklgm32.exe
C:\Windows\system32\Mcklgm32.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3668

C:\Windows\SysWOW64\Mkbchk32.exe
C:\Windows\system32\Mkbchk32.exe
32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:644

C:\Windows\SysWOW64\Mamleegg.exe
C:\Windows\system32\Mamleegg.exe
33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3608

C:\Windows\SysWOW64\Mcnhmm32.exe
C:\Windows\system32\Mcnhmm32.exe
34⤵
- Executes dropped EXE
- Modifies registry class
PID:1376

C:\Windows\SysWOW64\Mkepnjng.exe
C:\Windows\system32\Mkepnjng.exe
35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2232

C:\Windows\SysWOW64\Mncmjfmk.exe
C:\Windows\system32\Mncmjfmk.exe
36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1928

C:\Windows\SysWOW64\Mpaifalo.exe
C:\Windows\system32\Mpaifalo.exe
37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1480

C:\Windows\SysWOW64\Mcpebmkb.exe
C:\Windows\system32\Mcpebmkb.exe
38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3736

C:\Windows\SysWOW64\Mkgmcjld.exe
C:\Windows\system32\Mkgmcjld.exe
39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4060

C:\Windows\SysWOW64\Mnfipekh.exe
C:\Windows\system32\Mnfipekh.exe
40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4456

C:\Windows\SysWOW64\Mpdelajl.exe
C:\Windows\system32\Mpdelajl.exe
41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2332

C:\Windows\SysWOW64\Mgnnhk32.exe
C:\Windows\system32\Mgnnhk32.exe
42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:236

C:\Windows\SysWOW64\Njljefql.exe
C:\Windows\system32\Njljefql.exe
43⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4880

C:\Windows\SysWOW64\Nacbfdao.exe
C:\Windows\system32\Nacbfdao.exe
44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3696

C:\Windows\SysWOW64\Ndbnboqb.exe
C:\Windows\system32\Ndbnboqb.exe
45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4408

C:\Windows\SysWOW64\Ngpjnkpf.exe
C:\Windows\system32\Ngpjnkpf.exe
46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4652

C:\Windows\SysWOW64\Nklfoi32.exe
C:\Windows\system32\Nklfoi32.exe
47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4512

C:\Windows\SysWOW64\Nafokcol.exe
C:\Windows\system32\Nafokcol.exe
48⤵
- Executes dropped EXE
- Modifies registry class
PID:2392

C:\Windows\SysWOW64\Nqiogp32.exe
C:\Windows\system32\Nqiogp32.exe
49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1384

C:\Windows\SysWOW64\Nkncdifl.exe
C:\Windows\system32\Nkncdifl.exe
50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2088

C:\Windows\SysWOW64\Nnmopdep.exe
C:\Windows\system32\Nnmopdep.exe
51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3348

C:\Windows\SysWOW64\Nqklmpdd.exe
C:\Windows\system32\Nqklmpdd.exe
52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4288

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1716

C:\Windows\SysWOW64\Ngedij32.exe
C:\Windows\system32\Ngedij32.exe
54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4800

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1752

C:\Windows\SysWOW64\Nbkhfc32.exe
C:\Windows\system32\Nbkhfc32.exe
56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1732

C:\Windows\SysWOW64\Ndidbn32.exe
C:\Windows\system32\Ndidbn32.exe
57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2432

C:\Windows\SysWOW64\Nggqoj32.exe
C:\Windows\system32\Nggqoj32.exe
58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2492

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
59⤵
- Executes dropped EXE
PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 412
60⤵
- Program crash
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3432 -ip 3432
1⤵
PID:436

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Efhikhod.dll
Filesize
7KB

MD5
194f1d87222faccee1fc999d4bfac7e3

SHA1
94251752ef1b66eda591b399296d43985443e369

SHA256
5f07135b3989869c5dddee21fb760b7c03e211374be85afe0a5498153eee3411

SHA512
4fa5348bf63c404fadefdaa0556e6cc6532f91b0e4a4a59e1f044fad2efa7890557a8b851031d21d7c0fbe1e7b8b01a733b7730143ed00dabeae5af3d51f3714

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe
Filesize
94KB

MD5
1eb812200e32104474f1e477c7444e3b

SHA1
4e448f89b45098c4e883d1c7b48cbea7ceaabec4

SHA256
bddca8d876f265757254850ccb870d2492483b413b937f71ec2eccac69674644

SHA512
c6fa523148194a1a15d08e38273ec2fb749914f22dfecd5a13fa8cdfe1114ebd3ba43db853530abc28501ffdd7cd7baf931578efc7174bde0df623871c06d217

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe
Filesize
94KB

MD5
705d7581c71639aaae651e57c2553f0c

SHA1
456a52aafe9e33438364469f4464f50d63c03490

SHA256
a5986ff8fac77896ae3ebe488190eb8516455c6124f488303d808e8df0383044

SHA512
dfa7604f029eb8bb9f378e351e148ba79e761e91169aeb4fef836bf42ce181c8e5efb262fa1a6dfef98c09996f550173b5860423d99c081420ff18fe54ce78ec

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe
Filesize
94KB

MD5
db72ce0229ee28c28cb910e9f1506983

SHA1
27b402362fd9e2920a6a5a611ca18c24fabeada3

SHA256
67a6cf4dbaf7f6d0eaa1ea4d275f0e4034e854e2cde4320e6dec488bb3d2ca43

SHA512
128fd0ebcb6f2104197dd46df562a971020dca362b09c3b25b246753dd7e8f11e0c09a7e360a4f01aa9d73932f8c13992f8447551a91ff2000f4c3c171f93154

Download Submit
C:\Windows\SysWOW64\Laalifad.exe
Filesize
94KB

MD5
579b087e240426ca5358ed50b47fab4c

SHA1
d99746293ebaff1afca18a546ab9d20eaf3cbcfe

SHA256
a0aeeaa393a512ee5c2d1032d35a84e5d00de750a104da6225f1776604a31488

SHA512
edd7a34e91b9d44331b27fa22243c0c695131fe0355e646eecf791f17b5262db650af462775c821b65b5581e84e0749a0279363c96d1c6b2f1d7fde5f6ce6eaa

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe
Filesize
94KB

MD5
85747089e3d6e55b89eb80797b1f4bf3

SHA1
790d2d3491a5abe43d4bb8dacb99b32abff2fde0

SHA256
6334ca9063a1c7c8347ead08800a288edcd4b5b89caa79e963905e7448271383

SHA512
9fb86e274d82008599c17d945ae2e06683023937d2681a01e8788fe27c48d5d875cf2794eaab63922692856d22e6d840b25948d94468a3c6c5cee4f304290263

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe
Filesize
94KB

MD5
c12d113e296819501ff898fab07c9504

SHA1
96794b247503cba81c5453713d3bf8edee8912c3

SHA256
1b1283b144754cefacbad9c70377c2b636a21b005311eccdc91046617cbe43ba

SHA512
e9f84ddc3972c148dc3fd5e92a3d86a742e007a01d53388c598c1a4b493b22d27cf80c360f3c464f722dbf016ff594419d2837de1bc3cf995ee356e7a8726478

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe
Filesize
94KB

MD5
9331e2d9215783e47a9f9cdfb59c403c

SHA1
2a8e950e60267f7498a82c400d63f66e716c1be5

SHA256
552a9f476da31de6641e4040142c6703c5af5d7556fc350e96db1efd795d33ae

SHA512
dd7a18f389afda0050a0b732fddb684076ed8f77c225c1772add7115cd86f75ee9d2e8d25e8d4efee7ca09c2471f92e593db367540c4f26918555f2c48e56c8a

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe
Filesize
94KB

MD5
896f74b9cd1386f0845670b04f37a8f0

SHA1
fa1f0eb82863e882bf463c4700feaca2a7c519b8

SHA256
898cf38717cd4dcd5f94bb372e1de4bb66f6b296c09d522ef20f91bcbaf63a40

SHA512
0059ec20f06e20665804379d30f169cfab320b58f6ab843941d9f08cb1cd42d9d5c749b4cb1213a2c35737bce6906b0c27eed00b88c412e83444132d7cb5b65c

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe
Filesize
94KB

MD5
6f300f28976dd12c06964dec58e2d3cc

SHA1
2031f294aec5e469c563ef80cc3f61fad428ede3

SHA256
e131d7d49e67c05e716ff19566addeb4f223824088df795b5ad6b34362aa1c06

SHA512
b8cf1bca5727fd3ba826d33fbc874cd01a03a557cbe43d6ff9c3557f38ec55414f89412f05939fde97b994d22e3a605fe9ab519c4a2573b29fc83ff6cfc2b641

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe
Filesize
94KB

MD5
94d8014bf82f0ef25508ea983d4585d9

SHA1
bfb08df70e1f5c4f3ce062f1a1e62ae2671132ee

SHA256
9ef7d310ab1cbaace9d8ef82516bff05c0787072be9010e04d8b739593c44335

SHA512
646bdf6b5f36616d4cb9dcf163dc1c098a0010381d647832ef3af37093f73d8c1d1e0928c02245ffc19e5567fde6561c1df63921885559564fd8a2c0b555960e

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe
Filesize
94KB

MD5
63c01bd27e3c0b7ae1644c012e1607ce

SHA1
c760970eeb1dab6520836186c08655e8063b7137

SHA256
21bed8ea02307d031c3d92aa16bfc98f039f0e7f3dbf533b88d5c224ce8763b2

SHA512
48cc33baa25fe93dad535a892236ca5be25902433aef2ef2e50f1c0df76cc572daf4d4f3699bbc41c705e69da827c1bdb865534e137241c96b8b2ed7fc733d77

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe
Filesize
94KB

MD5
7809eb2988d58a7cc596d3f1afc61119

SHA1
fd42ef9efa64f8086f2f6fcfd488953824c8b0b4

SHA256
24c6d94328398e3b90893ad810ea5a5591dfa25f688532c889f5bddcc9abbb04

SHA512
e35f04c112eb60e37d45de6234c13748e4e4d119482fc8a258c4d5dac2b9da4e37af1d9a4a32a3bf3483d29917b8c602214e461da625fd0f4ed2967f48f21b31

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe
Filesize
94KB

MD5
121d3150e32ca71ade0dd9a1d8574faf

SHA1
62271c5c9076f944dadd4b76ee7014eab0e433d5

SHA256
8baf0b795cd72e8db1645bf0195adabff8f78040c19aed0b8fe3435ca1ebf97b

SHA512
ff3d6cfc70956d75b915ed44a352f79f27dbfc80614962cad085a430086e58d0abf233b1d16f47f7f636fdb450b07d8b2e9727f2214d256bcfdf856a020ae043

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe
Filesize
94KB

MD5
a1951901fb14d16de79f9c5b272b69e3

SHA1
b9de7c1a667a212f30259a63d3fb2c4605b92f33

SHA256
e10f81b2149f5bee3aab9e4564ba54cc00d84e09003eedb8d7e321ec192c1cc6

SHA512
09d0c22f60296e85932b78357f3343e178eaad8c4c98045b54d9002b96545dc1e5dd2e1ba80b2dc9510f9cf5d16b5e19a69d08cc19cce0814cecd58627bfa46c

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe
Filesize
94KB

MD5
386868d8524232ae5be830eac505a0d4

SHA1
9b0a95a3192784e6aac93501de60b5e97654c285

SHA256
08c6bb1dd2a7421e5f0a73273218bda1e8f0e3f44d499c0958a216f4041d2a8e

SHA512
7a4aa8d2c48d0aa3d38d925e605c4fb67fd4c70b7ea34c46e1d3f256f35efdce116d8b686ecd2768bc3279a9dcd6b657ae4fd15f987d10c7a8524847544b8a25

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe
Filesize
94KB

MD5
2513016941952a4d34e217681e20aa4e

SHA1
410c6f2a9dd875c468288979aeb36135afbbfea6

SHA256
c82043c922e81dafd6a9bcb78d49d1dc9de38e6706b6c2779c5ff02a117022a5

SHA512
210ee277af3afc4f899147606a8d94ed9d0cd560235598e484576eb5c1299253d1698f27f7d6950b8bc65675f23e56d662fa65c95e8f67c7c57bcbd9d3ea1451

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe
Filesize
94KB

MD5
2d918bf399286d935d3c7fc368245cdb

SHA1
e9a6714097feb25d9663467c86d64e1c2415d7f9

SHA256
636a3f4acc309de15892c5e7314271ca2bf2c53f094f0e79104f0705057db42f

SHA512
04d9dd8e8bfd51775f05bfe8cd21fe3b5c6aad56549aa315db32e47ef1180a41ecbdb8cff2713a9898b024d0be95120d818b60dc8891c92f91a5c0dd537a4bfa

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe
Filesize
94KB

MD5
72f48b60fa999a246c020c6756492e3a

SHA1
a920b451ca55d32f6dcfc23b7415a3074c6c9230

SHA256
7dc5e349ec4dce43aaa9822f83b27c73cb97ff6b5b69aa3375b7b397f9ccb309

SHA512
814809e1f0fb07e879ea56c491553d6d963992e18610cb2907581b6a41680cc3e081d8d26de5fd7b58971899b712c41716309c0598d6e8e53bbf3d0ea1bb8ea0

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe
Filesize
94KB

MD5
8954876b6277641fcf99f63a59fc4c47

SHA1
6a0541d7483620c54d2e70585883a799a4fb4a4b

SHA256
c123992f11751e78060d9fee4abbbc1c7920a53ae0e673e071d422787e0c38bf

SHA512
9dfdc4fd7cae0915e35e673ee19ee4a38510d5a98e5b4c4522f817b843c0d3ee36310427e38c50b2e8e2186dade990c29f4f2badb34405971694288c59eda2c0

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe
Filesize
94KB

MD5
81c37035567f108b8d53b7b4d6ffd5b6

SHA1
6932539d08d9865b85434c808adf8e5e1809c26b

SHA256
74116bebcb02cc3859dfcbed74634af7a579fcc255f2e3a66151cb618b86f3de

SHA512
4989cd7a357a36a6e7c66f88458e943e91729eb9d18e9720d527c0a6e71dc4d793614828aff2cbbd8216e5abd174d3740db3d8e40bc3de5e00d809816fde357d

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe
Filesize
94KB

MD5
b595c4c7aef6cfc631c19b40c5f288c2

SHA1
26cf48152ab02b2b5c7462ebce8e7df15e3df9da

SHA256
4d405e604bce2cf3576bb3e9aa7f703594711db7b36acc45b7a3385ef2071793

SHA512
9357fa1bce416797af170a69dfe0bab6407920cff3ff34158f14ccece2924aa8c340de0cd54c9d9805ed5523ae900f3b7b31664ae23264b5f1618d493643bbb0

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe
Filesize
94KB

MD5
a0bdec7a42726323fb3c0b7ee09fa643

SHA1
57a740714e90c78e71ae674ddceb15787b4b2390

SHA256
69fb35a911e200928f5d7de587b30573a55b8a244a0376363a2755aa72bab45d

SHA512
65f329be5b41205accc343d2d2a0722886feeab1c8af06104d4c41313f64ee0d09178cd1dd035ae1f7fe394d98c08106ef9496abff44bbf628ad2ef123e3428c

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe
Filesize
94KB

MD5
133bbb0bc4be08214ff5c01a00aa3022

SHA1
51e334fd8b008f78d7308dde7f72c4f90959add3

SHA256
86916c311750c159e7055a1a5ba4ea6bee41a7acfc4548fea560c085b5493c45

SHA512
f612225197762f291f0a811a7fd3cf2a481041ff351966a9c4f6d0e1d2452f3b24e56d6d426b8af2389c3f89c8e80f4101384024baf62d4dabebbc3624fdc4ad

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe
Filesize
94KB

MD5
b93b915d19b4e0a30c631f2309e6f46a

SHA1
cf85b36b7c1059304184eb32cd0025a0790c0609

SHA256
47622f688325bfb5fe4b19ebe04e3e6a152a57b8fa4f89198a860e388dbe4e5e

SHA512
21f985cf8804a0ebb9b6eaed555496b0f526f1baaf744f84c2689397ff8ab150b2d1826dbc9c8de2a95028cff53be12a02fcc6ec7f57bca31fdf92ac9b92afff

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe
Filesize
94KB

MD5
9de508cf8f637f1fcc2015d41b94952e

SHA1
3ae40b992b94fa56e8e80588ede4ed6bd6a22265

SHA256
2e02904dd333f4ec83610df471b5e5216f68ece54c049da90c117ec20e0ac8f5

SHA512
0008f42db530de413913d33bdee24c036031eb642af410b1572bb4c60db8ab4f6debd0395ec83c31d67f9c7654ad1325d6061ad387fa24990a9b8a188c9f3e07

Download Submit
C:\Windows\SysWOW64\Majopeii.exe
Filesize
94KB

MD5
619d89d1b5d3480227f9e14398409987

SHA1
0bf38b0fd55f8ae664459f56893516f22c24cf82

SHA256
4d9786ba7ef49bbea2cf32bdeb1c3f77a8bcc127765e2bf5b9c3dc16e991fbfd

SHA512
7ca1673057badfcc9afc5d5d2d77b208ae05b32241bd6ac51ee14a413f7b771cbb22371c0d184a8321c37891e80c98f9e5c12be083098f9b9b65ccd2c2f7514f

Download Submit
C:\Windows\SysWOW64\Majopeii.exe
Filesize
94KB

MD5
40d85dbf97d65ca928c73aac88339948

SHA1
6c45eae017f47a44e18aa1b9db459439eea2a66f

SHA256
5a51f16ff64b7a5196a8d44a2102e1b58684867d5de11f1af4fefc16962e6c3d

SHA512
9de89f2ac847967d60900adfaba8c8e389aeda2debc565a9e60aeb4a49aa3da4b244c92bbe11ba4a5317833ac3325cd80df93763c2ebad1158375526e28c740d

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe
Filesize
94KB

MD5
8e76d1e96f27f1f2c3e78d27bb5429c0

SHA1
80312e3ab608aaef8a91027108a73fceac3c4ba4

SHA256
cac9507193f32f290b7353d09ae41a27dd3325298777ab1b3abfa561b57cd6ef

SHA512
29d2271cead2d06798b2b017a0ef88538eb5a69660c9c239bf576f5f70e0d1c1ae3e788bfac13d6e4b93c62f6ae276c19d310c2b9d0e7ea40ecb8e0cf9e75fd6

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe
Filesize
94KB

MD5
3eac36211ee07a654f47c10f5b1892bf

SHA1
73d14c7b8229fddee7afb2f170bf0de00a3dc5fe

SHA256
c055482ef664ec50f22fedf9626fc5c56605cd785dd51d67ce0c16e0333f5b02

SHA512
a546b4172f2970f529910a87285711c23ae23e5adc28fa3f5a75fa82413960536298efd20010fb8c1067142b6cd5303a568f011c3e8f016039f19e130b78a676

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe
Filesize
94KB

MD5
660185ee0c787195c1a2364ab831fa81

SHA1
c29fa6fa9e78a5e7efa0aacee9c5060205cfb6be

SHA256
5185d1a8800df10772781df07217c49b4555f9c8439cfbad330f2d52ac804d4c

SHA512
0a2a9022615a21e1c6971783a4e49fa19d38c958cf57543b5911cee79be718725df502bf9537c7895d8353a3b66a4e13fb5818917792b4fb4df6c05a9d7f27ee

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe
Filesize
94KB

MD5
28a5a591ddfe471a5fc857e6d97d9c61

SHA1
23150e36aaa56de940766b363dc75273e1d70742

SHA256
ea252c1e4b2bb4f976003970e18f74d6b16350eb933f92d5dd9cc597f3d62e5c

SHA512
4930e8509874ecc7fd3e68fb27fcb357d66c1693b1431ab19750e896b8aa830b1ad85e5ec0facf4b9f1e994050ceef40e68937dfbbd865cb617479f9f60d475c

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe
Filesize
94KB

MD5
dacc87d3a0f730dc3b21065c5986970d

SHA1
013991a87ef54fc5a94d2217a131d97ea43026ef

SHA256
5898ad4f8b4e083f762ea990410e6ced39702500bc83c2950de72bc6c77e3f2c

SHA512
3b3f5ee9ef0b180b12fa6dcaa23106dbb746ddb2c898343425e0d703b7e6342d12a4f8d000a9b90022974640ad828d18cd783ccc5e5fceebb98fc88e466eba35

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe
Filesize
94KB

MD5
e11f829ab8fa4ebaee3310b77797d7da

SHA1
40b8674fcf9963370d6c751f0b948c23346ef575

SHA256
f5c12bb5eee11170a40c007caf7449106722bce7f73106246f1f3655c43cbad1

SHA512
e373ba3f43a220361e6bcb1019050b999cfa2860846250b2cf5f71c89edc49f1af1147df4f4141f52160bab740174c145c9697d1ed5a261334024c4e27032171

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe
Filesize
94KB

MD5
7383faedf2d52565d0782c2fe7fbe5c3

SHA1
1e07622400e381190a6983a1e2aebbd31b61d61a

SHA256
69d85ad97f61ccacaf42bcae17200c8c6883ad13933b44854c028274c57e704b

SHA512
1a5ec8f38f6a8d698a112221283512548142f049b912438603194ebe7d8f54b5e2c649d8c511a701ad4ff05f361ce97cdd9fdb63bc5a60cd5e08f52532b8cb37

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe
Filesize
94KB

MD5
086eff4d4880e98effe071945536d2d9

SHA1
f56b293041d1d9babdc35ef54a0590c91616cdf9

SHA256
ea6b0a63fa3d7eddf22db01b8703868aa3ff3e3fe38161209f8645b0a212817f

SHA512
936508e45267b8c991d9c88b32a7104ef20f112291d4f4fafa45b6079ce20ce2fb986f684986309cacf9acb042248af07464629f8e876a8df89ea3283f73ffd5

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe
Filesize
94KB

MD5
42f101c3834574eaf3ced1e40ba6ebf6

SHA1
949c99adb99282caca0b21adf82311b08fa97a5d

SHA256
1fe98eab8a8debd8540974d29a3b549d68d557ef1d0be8407634b766c1d37681

SHA512
14e82a85a50df88a4bc5a5d723e20ea5bc95d541fe616dee1fc18354db7742695d5a0beea1f77d04f76a6573947cc1e2470ac242ff2edb79c72a90a92eb2b5a7

Download Submit
memory/236-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/236-422-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/644-248-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/644-429-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/912-443-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/912-111-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/984-444-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/984-107-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1376-427-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1376-262-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1384-352-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1384-420-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1480-425-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1480-284-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1636-449-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1636-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1660-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1716-417-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1716-376-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1732-399-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1752-392-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1836-55-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1908-52-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1928-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1928-426-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2060-437-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2060-176-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2088-363-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2092-183-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2092-436-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2232-272-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2332-304-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2332-423-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2392-351-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2424-448-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2424-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2432-404-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2432-415-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2452-438-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2452-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2492-410-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2492-414-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2564-435-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2564-191-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3148-216-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3148-433-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3300-208-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3300-434-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3348-364-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3348-419-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3432-412-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3432-413-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3548-172-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3552-204-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3608-256-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3608-428-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3668-244-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3668-430-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3696-327-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3736-291-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3964-439-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3964-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4060-296-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4068-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4068-432-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4288-418-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4288-373-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4292-36-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4368-446-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4368-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4388-128-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4388-442-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4408-332-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4456-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4456-424-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4468-124-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4512-345-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4524-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4584-96-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4584-445-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4624-20-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4652-339-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4736-136-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4736-441-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4752-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4752-431-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4768-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4800-416-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4800-382-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4832-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4856-447-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4856-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4880-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4880-421-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4892-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4892-440-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download