79090e7eec8b67b17d5de89c5da4c4578bc68458a8fdd1f8594a6b17140f3db3

Analysis

max time kernel
138s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2024 07:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48b6605ce634bb60ef3807b6b0e6d820_NeikiAnalytics.exe
Size

844KB
MD5

48b6605ce634bb60ef3807b6b0e6d820
SHA1

0d67b852f855fb87dee544c85822b4555bfb2ab9
SHA256

79090e7eec8b67b17d5de89c5da4c4578bc68458a8fdd1f8594a6b17140f3db3
SHA512

9c763e462b1868b13e9eb43c85ce1cb77df0a8305824a303e3fea97a7fa2878c9a5697fb495fc9b54c6735e50fba19a3f1873f5b9b8900b313807793b2218f40
SSDEEP

24576:I+aH5W3Tnbc53cp6p5vihMpQnqrdX72LbY6x46uR/qYglMS:sH5W3TbGBihw+cdX2x46uhqllMS

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Liggbi32.exeLknjmkdo.exeMdiklqhm.exeMjcgohig.exeMpolqa32.exeNceonl32.exeNklfoi32.exeNcldnkae.exeKpmfddnf.exeLnjjdgee.exeLaefdf32.exeLkgdml32.exeLgneampk.exeMajopeii.exeMgghhlhq.exeKcifkp32.exeLmccchkn.exeLdmlpbbj.exeLgkhlnbn.exeNgedij32.exe48b6605ce634bb60ef3807b6b0e6d820_NeikiAnalytics.exeKmgdgjek.exeLpappc32.exeMjjmog32.exeLnhmng32.exeMncmjfmk.exeMglack32.exeMjeddggd.exeNddkgonp.exeKckbqpnj.exeLkiqbl32.exeKkbkamnl.exeLalcng32.exeNgcgcjnc.exeLdohebqh.exeMkepnjng.exeMcbahlip.exeLdkojb32.exeLdaeka32.exeNjogjfoj.exeKgbefoji.exeMcnhmm32.exeJbmfoa32.exeLddbqa32.exeMahbje32.exeMdmegp32.exeMdfofakp.exeMciobn32.exeNjcpee32.exeNqmhbpba.exeLgikfn32.exeLpcmec32.exeLnepih32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	48b6605ce634bb60ef3807b6b0e6d820_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnepih32.exe

Malware Dropper & Backdoor - Berbew 32 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\Windows\SysWOW64\Jbmfoa32.exe	family_berbew
C:\Windows\SysWOW64\Jmbklj32.exe	family_berbew
C:\Windows\SysWOW64\Jpaghf32.exe	family_berbew
C:\Windows\SysWOW64\Kmgdgjek.exe	family_berbew
C:\Windows\SysWOW64\Kgbefoji.exe	family_berbew
C:\Windows\SysWOW64\Kipabjil.exe	family_berbew
C:\Windows\SysWOW64\Kpjjod32.exe	family_berbew
C:\Windows\SysWOW64\Kcifkp32.exe	family_berbew
C:\Windows\SysWOW64\Kckbqpnj.exe	family_berbew
C:\Windows\SysWOW64\Kkbkamnl.exe	family_berbew
C:\Windows\SysWOW64\Lmqgnhmp.exe	family_berbew
C:\Windows\SysWOW64\Ldmlpbbj.exe	family_berbew
C:\Windows\SysWOW64\Lkgdml32.exe	family_berbew
C:\Windows\SysWOW64\Ldohebqh.exe	family_berbew
C:\Windows\SysWOW64\Laefdf32.exe	family_berbew
C:\Windows\SysWOW64\Lnjjdgee.exe	family_berbew
C:\Windows\SysWOW64\Lklnhlfb.exe	family_berbew
C:\Windows\SysWOW64\Lgpagm32.exe	family_berbew
C:\Windows\SysWOW64\Ldaeka32.exe	family_berbew
C:\Windows\SysWOW64\Lnhmng32.exe	family_berbew
C:\Windows\SysWOW64\Lkiqbl32.exe	family_berbew
C:\Windows\SysWOW64\Lgneampk.exe	family_berbew
C:\Windows\SysWOW64\Lpcmec32.exe	family_berbew
C:\Windows\SysWOW64\Lnepih32.exe	family_berbew
C:\Windows\SysWOW64\Lgkhlnbn.exe	family_berbew
C:\Windows\SysWOW64\Lpappc32.exe	family_berbew
C:\Windows\SysWOW64\Lmccchkn.exe	family_berbew
C:\Windows\SysWOW64\Liggbi32.exe	family_berbew
C:\Windows\SysWOW64\Lgikfn32.exe	family_berbew
C:\Windows\SysWOW64\Ldkojb32.exe	family_berbew
C:\Windows\SysWOW64\Lalcng32.exe	family_berbew
C:\Windows\SysWOW64\Kpmfddnf.exe	family_berbew

Executes dropped EXE 64 IoCs

Processes:

Jbmfoa32.exeJmbklj32.exeJpaghf32.exeKmgdgjek.exeKgbefoji.exeKipabjil.exeKpjjod32.exeKcifkp32.exeKpmfddnf.exeKckbqpnj.exeKkbkamnl.exeLmqgnhmp.exeLalcng32.exeLdkojb32.exeLgikfn32.exeLiggbi32.exeLmccchkn.exeLpappc32.exeLdmlpbbj.exeLgkhlnbn.exeLkgdml32.exeLnepih32.exeLpcmec32.exeLdohebqh.exeLgneampk.exeLkiqbl32.exeLnhmng32.exeLdaeka32.exeLgpagm32.exeLklnhlfb.exeLnjjdgee.exeLaefdf32.exeLddbqa32.exeLcgblncm.exeLknjmkdo.exeMnlfigcc.exeMahbje32.exeMdfofakp.exeMciobn32.exeMkpgck32.exeMjcgohig.exeMajopeii.exeMdiklqhm.exeMgghhlhq.exeMjeddggd.exeMamleegg.exeMpolqa32.exeMcnhmm32.exeMkepnjng.exeMncmjfmk.exeMpaifalo.exeMdmegp32.exeMglack32.exeMjjmog32.exeMaaepd32.exeMcbahlip.exeNkjjij32.exeNnhfee32.exeNqfbaq32.exeNceonl32.exeNklfoi32.exeNjogjfoj.exeNafokcol.exeNddkgonp.exe

pid	process
1312	Jbmfoa32.exe
3556	Jmbklj32.exe
2592	Jpaghf32.exe
1912	Kmgdgjek.exe
4148	Kgbefoji.exe
704	Kipabjil.exe
1224	Kpjjod32.exe
3972	Kcifkp32.exe
448	Kpmfddnf.exe
3404	Kckbqpnj.exe
3684	Kkbkamnl.exe
2284	Lmqgnhmp.exe
3224	Lalcng32.exe
5028	Ldkojb32.exe
5068	Lgikfn32.exe
3956	Liggbi32.exe
3668	Lmccchkn.exe
1692	Lpappc32.exe
4112	Ldmlpbbj.exe
4436	Lgkhlnbn.exe
4156	Lkgdml32.exe
3800	Lnepih32.exe
116	Lpcmec32.exe
1696	Ldohebqh.exe
3552	Lgneampk.exe
3128	Lkiqbl32.exe
1572	Lnhmng32.exe
1428	Ldaeka32.exe
1612	Lgpagm32.exe
3748	Lklnhlfb.exe
4640	Lnjjdgee.exe
1384	Laefdf32.exe
4596	Lddbqa32.exe
4512	Lcgblncm.exe
404	Lknjmkdo.exe
3520	Mnlfigcc.exe
3172	Mahbje32.exe
3260	Mdfofakp.exe
4528	Mciobn32.exe
2816	Mkpgck32.exe
4116	Mjcgohig.exe
4092	Majopeii.exe
1672	Mdiklqhm.exe
3188	Mgghhlhq.exe
8	Mjeddggd.exe
2160	Mamleegg.exe
2520	Mpolqa32.exe
1084	Mcnhmm32.exe
4728	Mkepnjng.exe
2996	Mncmjfmk.exe
2684	Mpaifalo.exe
2124	Mdmegp32.exe
4160	Mglack32.exe
4740	Mjjmog32.exe
2368	Maaepd32.exe
3356	Mcbahlip.exe
3492	Nkjjij32.exe
636	Nnhfee32.exe
1228	Nqfbaq32.exe
1008	Nceonl32.exe
4072	Nklfoi32.exe
228	Njogjfoj.exe
3580	Nafokcol.exe
3540	Nddkgonp.exe

Drops file in System32 directory 64 IoCs

Processes:

Nkjjij32.exe48b6605ce634bb60ef3807b6b0e6d820_NeikiAnalytics.exeMdiklqhm.exeMgghhlhq.exeNdghmo32.exeKgbefoji.exeMjcgohig.exeMkepnjng.exeLnjjdgee.exeMjjmog32.exeNgedij32.exeLgikfn32.exeMnlfigcc.exeNbhkac32.exeKmgdgjek.exeKipabjil.exeLgpagm32.exeMcbahlip.exeLdkojb32.exeLmccchkn.exeLklnhlfb.exeMcnhmm32.exeMkpgck32.exeNklfoi32.exeLgkhlnbn.exeLddbqa32.exeMahbje32.exeKcifkp32.exeLpcmec32.exeNgcgcjnc.exeKpmfddnf.exeNafokcol.exeNqmhbpba.exeJbmfoa32.exeLknjmkdo.exeNbkhfc32.exeNcldnkae.exeJpaghf32.exeLalcng32.exeLnhmng32.exeNjacpf32.exeLdmlpbbj.exeLkiqbl32.exeNnhfee32.exeLpappc32.exeMjeddggd.exeLkgdml32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Jeiooj32.dll	48b6605ce634bb60ef3807b6b0e6d820_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Kgbefoji.exe	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Kpjjod32.exe	Kipabjil.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Kpmfddnf.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Jplifcqp.dll	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Cpjljp32.dll	Jbmfoa32.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kipabjil.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kmgdgjek.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Cqncfneo.dll	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Lnjjdgee.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3736 4084 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
3736	4084	WerFault.exe	Nkcmohbg.exe

Modifies registry class 64 IoCs

Processes:

Kpjjod32.exeLklnhlfb.exeLknjmkdo.exeMglack32.exeNdghmo32.exeLdmlpbbj.exeLaefdf32.exeNbkhfc32.exeKckbqpnj.exeLpappc32.exeMdfofakp.exeNklfoi32.exeNjogjfoj.exeNgcgcjnc.exeJmbklj32.exeLmccchkn.exeMnlfigcc.exeNcldnkae.exeLiggbi32.exeLgkhlnbn.exeLdohebqh.exeJpaghf32.exeLnhmng32.exeMahbje32.exeNddkgonp.exeNqmhbpba.exeKmgdgjek.exeLkgdml32.exeMcbahlip.exeNceonl32.exeMpaifalo.exeJbmfoa32.exeLgneampk.exeLnjjdgee.exeNjacpf32.exeLgikfn32.exeMgghhlhq.exeKgbefoji.exeNkjjij32.exeNnhfee32.exeLalcng32.exeLpcmec32.exeMaaepd32.exeNjcpee32.exeLdkojb32.exeKkbkamnl.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

48b6605ce634bb60ef3807b6b0e6d820_NeikiAnalytics.exeJbmfoa32.exeJmbklj32.exeJpaghf32.exeKmgdgjek.exeKgbefoji.exeKipabjil.exeKpjjod32.exeKcifkp32.exeKpmfddnf.exeKckbqpnj.exeKkbkamnl.exeLmqgnhmp.exeLalcng32.exeLdkojb32.exeLgikfn32.exeLiggbi32.exeLmccchkn.exeLpappc32.exeLdmlpbbj.exeLgkhlnbn.exeLkgdml32.exe

description	pid	process	target process
PID 1920 wrote to memory of 1312	1920	48b6605ce634bb60ef3807b6b0e6d820_NeikiAnalytics.exe	Jbmfoa32.exe
PID 1920 wrote to memory of 1312	1920	48b6605ce634bb60ef3807b6b0e6d820_NeikiAnalytics.exe	Jbmfoa32.exe
PID 1920 wrote to memory of 1312	1920	48b6605ce634bb60ef3807b6b0e6d820_NeikiAnalytics.exe	Jbmfoa32.exe
PID 1312 wrote to memory of 3556	1312	Jbmfoa32.exe	Jmbklj32.exe
PID 1312 wrote to memory of 3556	1312	Jbmfoa32.exe	Jmbklj32.exe
PID 1312 wrote to memory of 3556	1312	Jbmfoa32.exe	Jmbklj32.exe
PID 3556 wrote to memory of 2592	3556	Jmbklj32.exe	Jpaghf32.exe
PID 3556 wrote to memory of 2592	3556	Jmbklj32.exe	Jpaghf32.exe
PID 3556 wrote to memory of 2592	3556	Jmbklj32.exe	Jpaghf32.exe
PID 2592 wrote to memory of 1912	2592	Jpaghf32.exe	Kmgdgjek.exe
PID 2592 wrote to memory of 1912	2592	Jpaghf32.exe	Kmgdgjek.exe
PID 2592 wrote to memory of 1912	2592	Jpaghf32.exe	Kmgdgjek.exe
PID 1912 wrote to memory of 4148	1912	Kmgdgjek.exe	Kgbefoji.exe
PID 1912 wrote to memory of 4148	1912	Kmgdgjek.exe	Kgbefoji.exe
PID 1912 wrote to memory of 4148	1912	Kmgdgjek.exe	Kgbefoji.exe
PID 4148 wrote to memory of 704	4148	Kgbefoji.exe	Kipabjil.exe
PID 4148 wrote to memory of 704	4148	Kgbefoji.exe	Kipabjil.exe
PID 4148 wrote to memory of 704	4148	Kgbefoji.exe	Kipabjil.exe
PID 704 wrote to memory of 1224	704	Kipabjil.exe	Kpjjod32.exe
PID 704 wrote to memory of 1224	704	Kipabjil.exe	Kpjjod32.exe
PID 704 wrote to memory of 1224	704	Kipabjil.exe	Kpjjod32.exe
PID 1224 wrote to memory of 3972	1224	Kpjjod32.exe	Kcifkp32.exe
PID 1224 wrote to memory of 3972	1224	Kpjjod32.exe	Kcifkp32.exe
PID 1224 wrote to memory of 3972	1224	Kpjjod32.exe	Kcifkp32.exe
PID 3972 wrote to memory of 448	3972	Kcifkp32.exe	Kpmfddnf.exe
PID 3972 wrote to memory of 448	3972	Kcifkp32.exe	Kpmfddnf.exe
PID 3972 wrote to memory of 448	3972	Kcifkp32.exe	Kpmfddnf.exe
PID 448 wrote to memory of 3404	448	Kpmfddnf.exe	Kckbqpnj.exe
PID 448 wrote to memory of 3404	448	Kpmfddnf.exe	Kckbqpnj.exe
PID 448 wrote to memory of 3404	448	Kpmfddnf.exe	Kckbqpnj.exe
PID 3404 wrote to memory of 3684	3404	Kckbqpnj.exe	Kkbkamnl.exe
PID 3404 wrote to memory of 3684	3404	Kckbqpnj.exe	Kkbkamnl.exe
PID 3404 wrote to memory of 3684	3404	Kckbqpnj.exe	Kkbkamnl.exe
PID 3684 wrote to memory of 2284	3684	Kkbkamnl.exe	Lmqgnhmp.exe
PID 3684 wrote to memory of 2284	3684	Kkbkamnl.exe	Lmqgnhmp.exe
PID 3684 wrote to memory of 2284	3684	Kkbkamnl.exe	Lmqgnhmp.exe
PID 2284 wrote to memory of 3224	2284	Lmqgnhmp.exe	Lalcng32.exe
PID 2284 wrote to memory of 3224	2284	Lmqgnhmp.exe	Lalcng32.exe
PID 2284 wrote to memory of 3224	2284	Lmqgnhmp.exe	Lalcng32.exe
PID 3224 wrote to memory of 5028	3224	Lalcng32.exe	Ldkojb32.exe
PID 3224 wrote to memory of 5028	3224	Lalcng32.exe	Ldkojb32.exe
PID 3224 wrote to memory of 5028	3224	Lalcng32.exe	Ldkojb32.exe
PID 5028 wrote to memory of 5068	5028	Ldkojb32.exe	Lgikfn32.exe
PID 5028 wrote to memory of 5068	5028	Ldkojb32.exe	Lgikfn32.exe
PID 5028 wrote to memory of 5068	5028	Ldkojb32.exe	Lgikfn32.exe
PID 5068 wrote to memory of 3956	5068	Lgikfn32.exe	Liggbi32.exe
PID 5068 wrote to memory of 3956	5068	Lgikfn32.exe	Liggbi32.exe
PID 5068 wrote to memory of 3956	5068	Lgikfn32.exe	Liggbi32.exe
PID 3956 wrote to memory of 3668	3956	Liggbi32.exe	Lmccchkn.exe
PID 3956 wrote to memory of 3668	3956	Liggbi32.exe	Lmccchkn.exe
PID 3956 wrote to memory of 3668	3956	Liggbi32.exe	Lmccchkn.exe
PID 3668 wrote to memory of 1692	3668	Lmccchkn.exe	Lpappc32.exe
PID 3668 wrote to memory of 1692	3668	Lmccchkn.exe	Lpappc32.exe
PID 3668 wrote to memory of 1692	3668	Lmccchkn.exe	Lpappc32.exe
PID 1692 wrote to memory of 4112	1692	Lpappc32.exe	Ldmlpbbj.exe
PID 1692 wrote to memory of 4112	1692	Lpappc32.exe	Ldmlpbbj.exe
PID 1692 wrote to memory of 4112	1692	Lpappc32.exe	Ldmlpbbj.exe
PID 4112 wrote to memory of 4436	4112	Ldmlpbbj.exe	Lgkhlnbn.exe
PID 4112 wrote to memory of 4436	4112	Ldmlpbbj.exe	Lgkhlnbn.exe
PID 4112 wrote to memory of 4436	4112	Ldmlpbbj.exe	Lgkhlnbn.exe
PID 4436 wrote to memory of 4156	4436	Lgkhlnbn.exe	Lkgdml32.exe
PID 4436 wrote to memory of 4156	4436	Lgkhlnbn.exe	Lkgdml32.exe
PID 4436 wrote to memory of 4156	4436	Lgkhlnbn.exe	Lkgdml32.exe
PID 4156 wrote to memory of 3800	4156	Lkgdml32.exe	Lnepih32.exe

C:\Users\Admin\AppData\Local\Temp\48b6605ce634bb60ef3807b6b0e6d820_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\48b6605ce634bb60ef3807b6b0e6d820_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\SysWOW64\Jbmfoa32.exe
C:\Windows\system32\Jbmfoa32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\SysWOW64\Jmbklj32.exe
C:\Windows\system32\Jmbklj32.exe
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3556

C:\Windows\SysWOW64\Jpaghf32.exe
C:\Windows\system32\Jpaghf32.exe
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\SysWOW64\Kmgdgjek.exe
C:\Windows\system32\Kmgdgjek.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\SysWOW64\Kgbefoji.exe
C:\Windows\system32\Kgbefoji.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4148

C:\Windows\SysWOW64\Kipabjil.exe
C:\Windows\system32\Kipabjil.exe
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:704

C:\Windows\SysWOW64\Kpjjod32.exe
C:\Windows\system32\Kpjjod32.exe
8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\SysWOW64\Kcifkp32.exe
C:\Windows\system32\Kcifkp32.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3972

C:\Windows\SysWOW64\Kpmfddnf.exe
C:\Windows\system32\Kpmfddnf.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:448

C:\Windows\SysWOW64\Kckbqpnj.exe
C:\Windows\system32\Kckbqpnj.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3404

C:\Windows\SysWOW64\Kkbkamnl.exe
C:\Windows\system32\Kkbkamnl.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3684

C:\Windows\SysWOW64\Lmqgnhmp.exe
C:\Windows\system32\Lmqgnhmp.exe
13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\SysWOW64\Lalcng32.exe
C:\Windows\system32\Lalcng32.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3224

C:\Windows\SysWOW64\Ldkojb32.exe
C:\Windows\system32\Ldkojb32.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\SysWOW64\Lgikfn32.exe
C:\Windows\system32\Lgikfn32.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5068

C:\Windows\SysWOW64\Liggbi32.exe
C:\Windows\system32\Liggbi32.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3956

C:\Windows\SysWOW64\Lmccchkn.exe
C:\Windows\system32\Lmccchkn.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3668

C:\Windows\SysWOW64\Lpappc32.exe
C:\Windows\system32\Lpappc32.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\Ldmlpbbj.exe
C:\Windows\system32\Ldmlpbbj.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4112

C:\Windows\SysWOW64\Lgkhlnbn.exe
C:\Windows\system32\Lgkhlnbn.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4436

C:\Windows\SysWOW64\Lkgdml32.exe
C:\Windows\system32\Lkgdml32.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4156

C:\Windows\SysWOW64\Lnepih32.exe
C:\Windows\system32\Lnepih32.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3800

C:\Windows\SysWOW64\Lpcmec32.exe
C:\Windows\system32\Lpcmec32.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:116

C:\Windows\SysWOW64\Ldohebqh.exe
C:\Windows\system32\Ldohebqh.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1696

C:\Windows\SysWOW64\Lgneampk.exe
C:\Windows\system32\Lgneampk.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3552

C:\Windows\SysWOW64\Lkiqbl32.exe
C:\Windows\system32\Lkiqbl32.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3128

C:\Windows\SysWOW64\Lnhmng32.exe
C:\Windows\system32\Lnhmng32.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1572

C:\Windows\SysWOW64\Ldaeka32.exe
C:\Windows\system32\Ldaeka32.exe
29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1428

C:\Windows\SysWOW64\Lgpagm32.exe
C:\Windows\system32\Lgpagm32.exe
30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1612

C:\Windows\SysWOW64\Lklnhlfb.exe
C:\Windows\system32\Lklnhlfb.exe
31⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3748

C:\Windows\SysWOW64\Lnjjdgee.exe
C:\Windows\system32\Lnjjdgee.exe
32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4640

C:\Windows\SysWOW64\Laefdf32.exe
C:\Windows\system32\Laefdf32.exe
33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1384

C:\Windows\SysWOW64\Lddbqa32.exe
C:\Windows\system32\Lddbqa32.exe
34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4596

C:\Windows\SysWOW64\Lcgblncm.exe
C:\Windows\system32\Lcgblncm.exe
35⤵
- Executes dropped EXE
PID:4512

C:\Windows\SysWOW64\Lknjmkdo.exe
C:\Windows\system32\Lknjmkdo.exe
36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:404

C:\Windows\SysWOW64\Mnlfigcc.exe
C:\Windows\system32\Mnlfigcc.exe
37⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3520

C:\Windows\SysWOW64\Mahbje32.exe
C:\Windows\system32\Mahbje32.exe
38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3172

C:\Windows\SysWOW64\Mdfofakp.exe
C:\Windows\system32\Mdfofakp.exe
39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3260

C:\Windows\SysWOW64\Mciobn32.exe
C:\Windows\system32\Mciobn32.exe
40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4528

C:\Windows\SysWOW64\Mkpgck32.exe
C:\Windows\system32\Mkpgck32.exe
41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2816

C:\Windows\SysWOW64\Mjcgohig.exe
C:\Windows\system32\Mjcgohig.exe
42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4116

C:\Windows\SysWOW64\Majopeii.exe
C:\Windows\system32\Majopeii.exe
43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4092

C:\Windows\SysWOW64\Mdiklqhm.exe
C:\Windows\system32\Mdiklqhm.exe
44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1672

C:\Windows\SysWOW64\Mgghhlhq.exe
C:\Windows\system32\Mgghhlhq.exe
45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3188

C:\Windows\SysWOW64\Mjeddggd.exe
C:\Windows\system32\Mjeddggd.exe
46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:8

C:\Windows\SysWOW64\Mamleegg.exe
C:\Windows\system32\Mamleegg.exe
47⤵
- Executes dropped EXE
PID:2160

C:\Windows\SysWOW64\Mpolqa32.exe
C:\Windows\system32\Mpolqa32.exe
48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2520

C:\Windows\SysWOW64\Mcnhmm32.exe
C:\Windows\system32\Mcnhmm32.exe
49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1084

C:\Windows\SysWOW64\Mkepnjng.exe
C:\Windows\system32\Mkepnjng.exe
50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4728

C:\Windows\SysWOW64\Mncmjfmk.exe
C:\Windows\system32\Mncmjfmk.exe
51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2996

C:\Windows\SysWOW64\Mpaifalo.exe
C:\Windows\system32\Mpaifalo.exe
52⤵
- Executes dropped EXE
- Modifies registry class
PID:2684

C:\Windows\SysWOW64\Mdmegp32.exe
C:\Windows\system32\Mdmegp32.exe
53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2124

C:\Windows\SysWOW64\Mglack32.exe
C:\Windows\system32\Mglack32.exe
54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4160

C:\Windows\SysWOW64\Mjjmog32.exe
C:\Windows\system32\Mjjmog32.exe
55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4740

C:\Windows\SysWOW64\Maaepd32.exe
C:\Windows\system32\Maaepd32.exe
56⤵
- Executes dropped EXE
- Modifies registry class
PID:2368

C:\Windows\SysWOW64\Mcbahlip.exe
C:\Windows\system32\Mcbahlip.exe
57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3356

C:\Windows\SysWOW64\Nkjjij32.exe
C:\Windows\system32\Nkjjij32.exe
58⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3492

C:\Windows\SysWOW64\Nnhfee32.exe
C:\Windows\system32\Nnhfee32.exe
59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:636

C:\Windows\SysWOW64\Nqfbaq32.exe
C:\Windows\system32\Nqfbaq32.exe
60⤵
- Executes dropped EXE
PID:1228

C:\Windows\SysWOW64\Nceonl32.exe
C:\Windows\system32\Nceonl32.exe
61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1008

C:\Windows\SysWOW64\Nklfoi32.exe
C:\Windows\system32\Nklfoi32.exe
62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4072

C:\Windows\SysWOW64\Njogjfoj.exe
C:\Windows\system32\Njogjfoj.exe
63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:228

C:\Windows\SysWOW64\Nafokcol.exe
C:\Windows\system32\Nafokcol.exe
64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3580

C:\Windows\SysWOW64\Nddkgonp.exe
C:\Windows\system32\Nddkgonp.exe
65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3540

C:\Windows\SysWOW64\Ngcgcjnc.exe
C:\Windows\system32\Ngcgcjnc.exe
66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3740

C:\Windows\SysWOW64\Njacpf32.exe
C:\Windows\system32\Njacpf32.exe
67⤵
- Drops file in System32 directory
- Modifies registry class
PID:780

C:\Windows\SysWOW64\Nbhkac32.exe
C:\Windows\system32\Nbhkac32.exe
68⤵
- Drops file in System32 directory
PID:4712

C:\Windows\SysWOW64\Ndghmo32.exe
C:\Windows\system32\Ndghmo32.exe
69⤵
- Drops file in System32 directory
- Modifies registry class
PID:5044

C:\Windows\SysWOW64\Ngedij32.exe
C:\Windows\system32\Ngedij32.exe
70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2516

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3192

C:\Windows\SysWOW64\Nbkhfc32.exe
C:\Windows\system32\Nbkhfc32.exe
72⤵
- Drops file in System32 directory
- Modifies registry class
PID:1564

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2020

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:4076

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
75⤵
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 412
76⤵
- Program crash
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4084 -ip 4084
1⤵
PID:4624

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jbmfoa32.exe
Filesize
844KB

MD5
476a47bfe449640df71cfa15176b6c9c

SHA1
a6fbf4d8510e19a3bcb2ad84547e0beb7b8e8ade

SHA256
b66792091e583b5c6ebd9b6ab3ee86b151468d97be7fe79725e809b7f65102f0

SHA512
343c7392809b066103c8e6b51974ca9e4c1c05118990198dcfff126301ebd06e873ece6fef15dd77cc4a9555c20311714a89ebb7ea5cc02528992c451d84d33c

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe
Filesize
844KB

MD5
325e25e19a0327f30383c645b5c866d8

SHA1
480a8df387b2d330c5f86132bb6d88f3fd438421

SHA256
08cd1c0e7b8a8e5f27e5126571c8d7719da31a9a47855d952e9e1d9508f1bdac

SHA512
5cd3ae7d94d5ebd6d95972447fdd27e55931694d65ff7ec19bf5f8c76231105519d463383b15873a1ae88aa3377af3674a51c0ab7c315e2d35c499382f98bffe

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe
Filesize
844KB

MD5
f55f6ae03d05282b65fbff845ac49f0b

SHA1
430b4e3593203fc43beef63658d515d6625929a4

SHA256
028f40ffe5185cb605e30d88bfcfe891af3b9c2017564e08195c45591a3e6f49

SHA512
d6c60f535fd7846fe82a791253ec1b7d77901a369119360658d274a6b2d40be0c23c64fe70a8b8c8615dc6a9ee67e48e3b25fee91ad3fbdc08867ba66f1e878e

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe
Filesize
844KB

MD5
a3bbc86735e115f3a3368498f29e0134

SHA1
c23a81ff681b0938307cfee43598c219ed9edd7f

SHA256
bd002f2ededace64f99b85977b9b50e0adb0c361ccd064467e33457fbda41c3c

SHA512
664bf57e5be8b114d83747c8633085abbe4451434aebdcc0c806b614ae254713152609d11e33463c7e31a0b62b179961a357e3325e5f765dff934a3d1c75ea02

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe
Filesize
844KB

MD5
93123c59be809bca70b12058f0b3d8ff

SHA1
f86a9e8670c92f03dc3085e02357550ee865d044

SHA256
2d64073979ef155dd0bd33b27da08e50709476d5a0a0d21cae53b4fa4cc4d8bf

SHA512
46c031506107748c44387d5d91677fc358c63da8265bd538ebbeaa479c29a461f14f83d41a35bf5f9f989b0fc956f08d262238427da1e3c84dacffa04a1c4f14

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe
Filesize
844KB

MD5
df2d94703d3a80ac36a7410aaf7dff11

SHA1
42e68d82dad2868a354132f3e7d853346244d9f5

SHA256
5c5d6361eba6a954312c69b460bca8eb3f566f4338d0c40ded398b78fdbc4184

SHA512
1d980e7a937b3fceb79f072a1340ea173652189185473f25da00da0ebea2e530448048b310e41fac70668def80011e53883d67e85794141dc2edc89ac295028f

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe
Filesize
844KB

MD5
ac7bbd998bab011c3d96247bf7aa251d

SHA1
a0122729f9ebc4199cdb8f2b40717a39ae9f1885

SHA256
3660266d501ebd727904f0e4d361af514da66c671e481952112d70a8677f30a5

SHA512
d5423ee6f36b1fd6a1cfac352be4b3cb68e21db0d12d33d11ba9edcfd989c5129857b90a2c3e009f41a3437b8baf3268b492c74f7cd2a481ebb7e8ce43a0c0d0

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe
Filesize
844KB

MD5
5262045c6c92cadefa72914e3fcd9dc2

SHA1
21badc647ef0aa47548807375c8d356f78cddce9

SHA256
83e0a7e97f5fc008ff1a05d7561eadcfe2234b88f5289eb4bc2a1b24502c4e11

SHA512
8d0786680239056a5db4fe5749a4a9bdfc50f1428897b858914b9841ef3217e82d626d58fa33d9a7ff4093c206daeae31014363199014ba32376e878ee91a337

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe
Filesize
844KB

MD5
2818449bb59bb8ad1a08fe5db950ea7d

SHA1
24f18caf16b6bc9294e86175139e7efcc24cb5d4

SHA256
0ae296cc81b67bdcd1924a10b53d8271204a60b41755f57c798f49b982c4e860

SHA512
29d9c28e079cad09708d50d483d00cda6d942d576d391bb0d953e9c2e31fefefaa853b66619569963963e9f22a6440fd9c013a228b3ed4c537b99cb8a8143566

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe
Filesize
844KB

MD5
0f63a8628980467e5c58bc969a24b3f3

SHA1
788e7cc1120b5fbcc9b23726fb32333128f91525

SHA256
b042cb044b82c6b198377e0cfa55b2da53a2fbc20f01d44428c0a1f3e097c14b

SHA512
7490a6fb2ca8693ffcda240c8f170debcc8689e3a4f419b027e79f938a4d802af78c397acfb92a5a3798c4f7829b15179abf13d40918b723db18f943680ca052

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe
Filesize
844KB

MD5
ced09af013a5e5da7cba59d9c47c6e7f

SHA1
f24e74b894d9d465d50de3f08f72d252f1f90ef9

SHA256
c1e3a0e1dc3c1052d43720142d8ee4a62053aa8496291c8e96a4b6cdf8b20abf

SHA512
c465e62aed53ae72b8ac7f754811bcc30c91c599794a3ef39cf5bf7202d21abc4d7c12dbcea66d399634e80e49dd68c1aac66beeb5e29d21c9f18ff1e1d67aa8

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe
Filesize
844KB

MD5
1c0c1118ee26a9a28f3ca630097e9286

SHA1
19fe76f6bb558fc0e11915ea9e84ffd1e51ea639

SHA256
7db65b46c287e054500ccc63ca3aea276b56221f7121027ba9f7cf114c0e59d3

SHA512
ce245388876532750ae34c0c12566fc720020933024e57362e6c4e8078b60b24293f1c17e1c0dc7cfc988376192035de841c7c1ac5ae99d22dc7db76ceac55a6

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe
Filesize
844KB

MD5
a36752fb88a49c3003b097ad7c76d3a1

SHA1
3347dbad19b97de5c83eea91aaf94a390dd65c04

SHA256
e28bf7f8f998fb085f31c6df87b68113a37efe168dce532a6ffe7919cff3e76f

SHA512
c4ea24ed677e5bdc90792ac03adfec86465d597b608449af26c282b501ae85fefd04e7101d0cc6f381b7feda3e83e59bf013394b75ea5edbd84efac7bf6ab126

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe
Filesize
844KB

MD5
eef04fe11ea947ae3305897f6c04c3a6

SHA1
b0f609e2037e97a77a6d1d66e40c40daafbf701b

SHA256
d2f68e0fbca4fe549bca262b3935ffadb847ee38ac47379daa1c99aed4668f69

SHA512
f491752bdeb7a4129baa58d7e14b938313973743d7ecb5196af729034051e519b9b3aa3ed8ffc519f8535286b9ebbf77d18cbc81bd42b8acac1691a724d72f75

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe
Filesize
844KB

MD5
646f1a9979890f76825b5887e45ca618

SHA1
64198f84e982a6df4dd8bceca8ae5e4b74a733b4

SHA256
03857f6e8f06dc517d7a6f4efac9da0900a1fdbb5ebaeb28edcbc9fca3b95adb

SHA512
c3b6d933d92fb073383dc942d22c6eb5df92e201938d5b6e381dd5df4ef6ee33243627be2ecd3b53cfd27c2004b50bc512e317347c9381513498f9760b2c9320

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe
Filesize
844KB

MD5
826181e1bb22fe99385531bdadc3a9ff

SHA1
6dd4aeec95df216f579d8c22995fea987e803efa

SHA256
af104eb631b41cf3933217e6449b5fcd0702908003b99e4560eda21752e0029b

SHA512
e65ec13c1b739b2afe2fd22a9f4984cfaf12735d70759ec1e028915da5d413c553691122b9004af6e280df42b1aa80f8e12b688206cb03af77d95a825f307983

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe
Filesize
844KB

MD5
1add64d39072b88c21a8eebccf5bded3

SHA1
5d09a7b7a8efa27967d8b6e531c9ca1610cec248

SHA256
ec83936751f6ad13066b8e1f5787275b24fba7f76baa56982c927c7fbf4ce068

SHA512
5aab99d4a08cc38ec51fcde3ad8ccc975aa6cc9f81b9772cc88b7a8981a0f4cba625d415d37b41a7d527b9f16a5510164d97c6c75c71e19146c4e3184984b845

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe
Filesize
844KB

MD5
87ec2c81d51eacc96a3563941c306108

SHA1
050744a8ba1be9a3212114a12074fc7c0f263c7a

SHA256
0d7ee30804a8cd8277c02347c2f03c625226a9b5735b3a69e578ac75d355bfb1

SHA512
7109ca8b910e7045e1f5872a711870880792801e5f637b39156833a1acf3aba99bc6215219a5c27efe5b77335ad2aeecad065160c04c9884e0ecd73c366f1f5a

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe
Filesize
844KB

MD5
de820997a6dba14bdaed2c082ea8d0d9

SHA1
6fe758f8757ea583d37e1309876129434d66ff3c

SHA256
7769976869843193edeedcf077330b97a36a8d098917d20263112af9a5c01ee0

SHA512
01f3d2b2fa87fffc799f2a834b2bacb87eeff2b93a804b83a8f856d73b352dae5e2e26f79542de19f1ab2b60e658c01e7496e2d9ca9872bdc497ea2c3ede91e9

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe
Filesize
844KB

MD5
d7af194d3b0da2fdd97645c5285efab1

SHA1
ec600903ba5a5048052c36a9035a70d5238b4295

SHA256
717a9d59d97d106d7e1f67748c436acb1a86f099473d0f7a319b513a44ba6ba0

SHA512
24bd7751a0ffb99a43fdbb7ae9c88922db96ce14ef2ceee4aa03ad18959603919d76e6a36a5c066045954f22a8ac454acd2fabc0949c3fa2a78f479bee470eed

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe
Filesize
844KB

MD5
c8c932dd3185e782cafc6cbb4b0138fa

SHA1
1317fea8d571991a9ecbdfa40396154a3cff8ff8

SHA256
8e3e30a1b3c6b3b567c68ee7f275509ae5969c6e826f9477cf636eb297dc9536

SHA512
304a7fd5b7b9c335ff80da061d1ffb182f1f5736efbf59cf155f729669a1d8b634bdb003e2bccfb4227669deea5aef21e3ff615d3a00952df9c119f2bf14043d

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe
Filesize
844KB

MD5
09b40d6fac16d3ab87cd10d6785dc0cb

SHA1
46b7d5c2a815e8a6a2dea04b14e57965eb1e7818

SHA256
9a9e2ea50adfa75a8d2ef6a796e622d00d7104cc0f9bccd8f8fcb6f5f8445cd5

SHA512
ce347357f3cb5a34a542bc3c293ed66e2c28b9cef2b06c62c1dbfd2806446f8e49eb1387d686d4e6f98e9a289492425cc0eff14d4b3edd4c75f8b9a5636ed53a

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe
Filesize
844KB

MD5
cacea6eb8d09ec393042e658d9037373

SHA1
70a2512b1fd2f05c16ae1d793d11c1ed0a857598

SHA256
e5cf06696f772498b347dadbc17138e02869289e0ec082239e5be34e11cf6bb0

SHA512
30762535cd9f97a181bff8a6bac175900c3b9f2993a780dbe286663abcee4d3a15ded8f286207b068efede678f25cda826163128f2e147c99c8a8b9cefb01824

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe
Filesize
844KB

MD5
25765212d611b475932b7f55908079dd

SHA1
b09870f535276ed91fddc55ecfcf0331e2825e7d

SHA256
10a6d57c0e3631aab7eb0538ea356a63ace910d631420519d346fd6309dcf4b0

SHA512
21cdae60f3d662dbe54c4d576d479b7950515b497e0f9ad89ef073ddd1b62033a2bcd5ef5073d8bc9aa89116c12164f5b93906ed22bb28222c00b55628b87f2a

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe
Filesize
844KB

MD5
78172d6c61b70fbbee9889302e660b7a

SHA1
03c40e41a041c5fff3e60e5a4056a6f8d9dd6e75

SHA256
3014b61a05f1c51c3db815d3acb553e80a6aa6e1efdd49a1509e74a67a3e4bcf

SHA512
d467fc6b13c125bcf4f36f2ff19d77397b88f87375274990226ed7fcc27519c2d6ae18fe13f1f762d6f12f991ffb2c4d739c0e0deb98ce6079b6846f592777ab

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe
Filesize
844KB

MD5
3fb4edae5c844c3876954296c79941f9

SHA1
28d9d2d787ca602a5a8e6782c5e10062ef9a720f

SHA256
2fedcff8906efc1a58d96e133ddbb9f95c4a87db29b9109b720f39a0a79d76e6

SHA512
28851fe23d691a58e0d555f05cc051cf1257b4888afb7476c1fa97aef996f27b78571f06bb7b0022396e07f3877c2b423831719d2c95595325e761807a3211f0

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe
Filesize
844KB

MD5
63ffb9e06478fdec7584f799359f97f9

SHA1
ef4bf81a54ff4f33d607587ce070b6df0d32d322

SHA256
b5f9141bab3ba9480a470d0b2ae32e9c171dac0a0ff087111649a97d0738cd7a

SHA512
bad55717f6b9d16fff0eda0072a6f4593777c97934ca50004c49d96e06c1d284f43419888d2dffa3efc84aee2675a478d5e8682d4edfaee47bbad72173ae3d5f

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe
Filesize
844KB

MD5
32917a6934a87c37b0832b7157e6dd4e

SHA1
50b9e339e61604e3fadcc68eceb0bb3ad80c60d9

SHA256
b177ca8c38bf8625db055add630c5428d5226af50722d654867aed3c6a655d18

SHA512
d9196100144484847f7018896a7cd3108d713de077bb8d7d78d1dcbfc4198220779073ee15ebc91bc44802bd3c2b399a6c5d86301c41d80ffce148282003e328

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe
Filesize
844KB

MD5
37c94c86a8ba1454b1cc7ebdaef0d7d2

SHA1
3b799ff41ce227a6a0054a01c748bebc5594c3e0

SHA256
0741192d43ded070e45f2f0a8a4a3c16c303eb90479e05e5583b32c63362e423

SHA512
195ceedaa5dddaf9aeed090da58dfc3ed149dd2fb151c4a4a4af122e716e5146597c355446f845a37eea6a6a30e19dff07ca57511e31680030f11cba25590396

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe
Filesize
844KB

MD5
3ab84175cc188b41f80805b01e488c0b

SHA1
d4a3c9b509896d65c16a51f000d677b868b5f1ad

SHA256
a438928baf7ca0cbcd0bc961b64add3dc6d2419fe240a0954dc513c5ab097940

SHA512
73edb1a001ae0a8468ffe9810733207a12ddc8cb9b67da85b4b93a04030aca5c63d58efde4b0e49400a52fc3c9ed7bc89cce209428632bc7200b3449b9dd1780

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe
Filesize
844KB

MD5
99e528e8f2a11e4a9672268493bb1a48

SHA1
924fa2dc8e75cb061f52ac014bd743250837d40e

SHA256
14edb1ce9bac4e05ccfa20c92fa39e60f5a39b50736fc0794c6829b5df98d99e

SHA512
a5ecc577f9ca23f4ceeee5dde71e0308e304bf5a43efa515f7e53b31b6afd0bef1579c3933706062cc1c212ad26c1fff52b807d669d6f828c2ac9b622dc1f441

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe
Filesize
844KB

MD5
6dd1be7423037a81ce30a06778ec2cec

SHA1
8ee75f47333d9094240da5058685f3f060142d21

SHA256
ea280463a11c3e1b9c05b810461beea4a9d3a01500e28c79c71a3816c03bdb30

SHA512
5ef9e4d8bfcefacb1790b822858e861c729573c2fbc31aff2f42f25067ebdfa19391d9f1e2c4ac503ac85e6a74e18c792abd0201ee0edc403b7b5a95ba03a84c

Download Submit
C:\Windows\SysWOW64\Milgab32.dll
Filesize
7KB

MD5
1946936c1491f28d10ca26a458d6a025

SHA1
de152ae6c4c760bb86ea10dc06c508579c9a02e1

SHA256
956b18b82b32500d95ff5b7aedd35d1e4ca5fbf7437f29b2cc4eff5656fbdaea

SHA512
89e29aad2fcd4bd71e0e935d7c8fe01fbe28c7c1082624ec6af186c64cd663de24fc528276104b85fffe3b2074a665bdbcd16377b07bc9b91f5725c0c31091c4

Download Submit
memory/8-474-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/116-496-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/228-457-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/404-484-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/448-76-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/636-461-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/704-510-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/704-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/780-453-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1008-459-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1084-471-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1224-60-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1228-460-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1312-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1312-514-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1384-487-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1428-491-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1564-448-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1572-492-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1612-490-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1672-476-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1692-501-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1696-495-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1912-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1912-511-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1920-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1920-515-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2020-447-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2124-467-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2160-473-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2284-507-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2368-464-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2516-450-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2520-472-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2592-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2592-512-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2684-468-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2816-479-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2996-469-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3128-493-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3172-482-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3188-475-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3192-449-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3224-506-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3260-481-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3356-463-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3404-84-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3492-462-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3520-483-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3540-455-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3552-494-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3556-513-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3556-17-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3580-456-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3668-502-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3684-508-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3740-454-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3748-489-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3800-497-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3956-503-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3972-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3972-509-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4072-458-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4076-446-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4084-445-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4092-477-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4112-500-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4116-478-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4148-44-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4156-498-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4160-466-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4436-499-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4512-485-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4528-480-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4596-486-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4640-488-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4712-452-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4728-470-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4740-465-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5028-505-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5044-451-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5068-504-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download