3c4a625877578dae97bdf3cd056c060a0aac9f14878c51aaa72ff6d2cb03f9f4

Analysis

max time kernel
129s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2024 10:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4fb3fc0a450a50ed260ca28c9615a180_NeikiAnalytics.exe
Size

94KB
MD5

4fb3fc0a450a50ed260ca28c9615a180
SHA1

a61ed7716c4b88db80786b3b1f2a5b5b7422c5e3
SHA256

3c4a625877578dae97bdf3cd056c060a0aac9f14878c51aaa72ff6d2cb03f9f4
SHA512

95273305398f88d41a22fbc7a3f39d84ffac1ab7cb4375a15ff3049c64544123e9223f96166ad6937d99e77300cb61f9b07882499c5287cfb02d34e1cd10b7c0
SSDEEP

1536:Qwv9LDX6Vy45dbG40v/6RR7RR/RR7RR7RRVRRVRRVRRVhNRRRRRRRRRRCjRRvRRT:JF6V9DbRbWgjH6KU90uGimj1ieybvrx

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Mnapdf32.exeKcifkp32.exeLgikfn32.exeLknjmkdo.exeMcklgm32.exeMpolqa32.exeMkepnjng.exeMpaifalo.exeKacphh32.exeKpmfddnf.exeKkbkamnl.exeLaopdgcg.exeKpccnefa.exeNjljefql.exeNacbfdao.exeKmlnbi32.exeNjacpf32.exeNnjbke32.exeNqmhbpba.exeJdmcidam.exe4fb3fc0a450a50ed260ca28c9615a180_NeikiAnalytics.exeJplmmfmi.exeNcldnkae.exeJangmibi.exeKkihknfg.exeLiggbi32.exeMpkbebbf.exeJibeql32.exeJdhine32.exeMkbchk32.exeNklfoi32.exeMcpebmkb.exeNbhkac32.exeJfdida32.exeJfffjqdf.exeKgphpo32.exeNdghmo32.exeNcihikcg.exeLpocjdld.exeMncmjfmk.exeMjcgohig.exeMaaepd32.exeNgcgcjnc.exeJbmfoa32.exeKmegbjgn.exeKdaldd32.exeJaljgidl.exeKbapjafe.exeMcnhmm32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4fb3fc0a450a50ed260ca28c9615a180_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jibeql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmlnbi32.exe

Malware Dropper & Backdoor - Berbew 64 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
behavioral2/memory/1124-0-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Jfdida32.exe	family_berbew
behavioral2/memory/684-13-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Jibeql32.exe	family_berbew
behavioral2/memory/3900-21-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/memory/2748-25-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Jplmmfmi.exe	family_berbew
C:\Windows\SysWOW64\Jdhine32.exe	family_berbew
C:\Windows\SysWOW64\Jfffjqdf.exe	family_berbew
behavioral2/memory/4932-41-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral2/memory/4412-37-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Jaljgidl.exe	family_berbew
behavioral2/memory/6040-49-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Jbmfoa32.exe	family_berbew
behavioral2/memory/5612-57-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Jfhbppbc.exe	family_berbew
behavioral2/memory/3464-65-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Jangmibi.exe	family_berbew
behavioral2/memory/2052-73-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Jdmcidam.exe	family_berbew
behavioral2/memory/1572-81-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Jkfkfohj.exe	family_berbew
behavioral2/memory/1580-89-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kmegbjgn.exe	family_berbew
behavioral2/memory/4560-101-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kpccnefa.exe	family_berbew
behavioral2/memory/484-104-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kbapjafe.exe	family_berbew
behavioral2/memory/3592-114-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kkihknfg.exe	family_berbew
behavioral2/memory/4504-121-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kacphh32.exe	family_berbew
behavioral2/memory/5764-128-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kdaldd32.exe	family_berbew
behavioral2/memory/2764-141-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kgphpo32.exe	family_berbew
behavioral2/memory/5980-145-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kmjqmi32.exe	family_berbew
behavioral2/memory/5548-153-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kphmie32.exe	family_berbew
behavioral2/memory/5688-161-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kgbefoji.exe	family_berbew
behavioral2/memory/1408-169-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kmlnbi32.exe	family_berbew
behavioral2/memory/2340-181-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kpjjod32.exe	family_berbew
behavioral2/memory/2744-185-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kcifkp32.exe	family_berbew
behavioral2/memory/4212-195-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kibnhjgj.exe	family_berbew
behavioral2/memory/1584-200-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kpmfddnf.exe	family_berbew
behavioral2/memory/1960-209-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Kkbkamnl.exe	family_berbew
behavioral2/memory/5944-221-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Lmqgnhmp.exe	family_berbew
behavioral2/memory/2300-229-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Lpocjdld.exe	family_berbew
behavioral2/memory/5900-236-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Lgikfn32.exe	family_berbew
behavioral2/memory/5260-245-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Liggbi32.exe	family_berbew
behavioral2/memory/5504-254-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Laopdgcg.exe	family_berbew

Executes dropped EXE 64 IoCs

Processes:

Jfdida32.exeJibeql32.exeJplmmfmi.exeJdhine32.exeJfffjqdf.exeJaljgidl.exeJbmfoa32.exeJfhbppbc.exeJangmibi.exeJdmcidam.exeJkfkfohj.exeKmegbjgn.exeKpccnefa.exeKbapjafe.exeKkihknfg.exeKacphh32.exeKdaldd32.exeKgphpo32.exeKmjqmi32.exeKphmie32.exeKgbefoji.exeKmlnbi32.exeKpjjod32.exeKcifkp32.exeKibnhjgj.exeKpmfddnf.exeKkbkamnl.exeLmqgnhmp.exeLpocjdld.exeLgikfn32.exeLiggbi32.exeLaopdgcg.exeLphfpbdi.exeLcgblncm.exeLknjmkdo.exeMahbje32.exeMpkbebbf.exeMciobn32.exeMjcgohig.exeMpmokb32.exeMcklgm32.exeMkbchk32.exeMnapdf32.exeMpolqa32.exeMcnhmm32.exeMkepnjng.exeMncmjfmk.exeMpaifalo.exeMcpebmkb.exeMkgmcjld.exeMaaepd32.exeMdpalp32.exeNkjjij32.exeNjljefql.exeNacbfdao.exeNceonl32.exeNklfoi32.exeNnjbke32.exeNddkgonp.exeNgcgcjnc.exeNjacpf32.exeNbhkac32.exeNdghmo32.exeNcihikcg.exe

pid	process
684	Jfdida32.exe
3900	Jibeql32.exe
2748	Jplmmfmi.exe
4412	Jdhine32.exe
4932	Jfffjqdf.exe
6040	Jaljgidl.exe
5612	Jbmfoa32.exe
3464	Jfhbppbc.exe
2052	Jangmibi.exe
1572	Jdmcidam.exe
1580	Jkfkfohj.exe
4560	Kmegbjgn.exe
484	Kpccnefa.exe
3592	Kbapjafe.exe
4504	Kkihknfg.exe
5764	Kacphh32.exe
2764	Kdaldd32.exe
5980	Kgphpo32.exe
5548	Kmjqmi32.exe
5688	Kphmie32.exe
1408	Kgbefoji.exe
2340	Kmlnbi32.exe
2744	Kpjjod32.exe
4212	Kcifkp32.exe
1584	Kibnhjgj.exe
1960	Kpmfddnf.exe
5944	Kkbkamnl.exe
2300	Lmqgnhmp.exe
5900	Lpocjdld.exe
5260	Lgikfn32.exe
5504	Liggbi32.exe
1532	Laopdgcg.exe
4076	Lphfpbdi.exe
5364	Lcgblncm.exe
2016	Lknjmkdo.exe
3964	Mahbje32.exe
1800	Mpkbebbf.exe
5608	Mciobn32.exe
2364	Mjcgohig.exe
5008	Mpmokb32.exe
2436	Mcklgm32.exe
3348	Mkbchk32.exe
2224	Mnapdf32.exe
3992	Mpolqa32.exe
496	Mcnhmm32.exe
3680	Mkepnjng.exe
2908	Mncmjfmk.exe
3896	Mpaifalo.exe
2160	Mcpebmkb.exe
3692	Mkgmcjld.exe
3804	Maaepd32.exe
4488	Mdpalp32.exe
3284	Nkjjij32.exe
1576	Njljefql.exe
5116	Nacbfdao.exe
6100	Nceonl32.exe
3104	Nklfoi32.exe
1832	Nnjbke32.exe
488	Nddkgonp.exe
1376	Ngcgcjnc.exe
5076	Njacpf32.exe
4568	Nbhkac32.exe
5320	Ndghmo32.exe
4996	Ncihikcg.exe

Drops file in System32 directory 64 IoCs

Processes:

Jkfkfohj.exeKgbefoji.exeMcnhmm32.exeJdmcidam.exeJdhine32.exeJfffjqdf.exeJfdida32.exeNacbfdao.exeKmjqmi32.exeNdghmo32.exeKdaldd32.exeLiggbi32.exeJaljgidl.exeLcgblncm.exeMciobn32.exeJangmibi.exeKgphpo32.exeMpaifalo.exeMkgmcjld.exeNkqpjidj.exeNqmhbpba.exeKphmie32.exeKkihknfg.exeLknjmkdo.exeJibeql32.exeKpccnefa.exeLgikfn32.exeLphfpbdi.exeMnapdf32.exeMaaepd32.exeNkjjij32.exeNjacpf32.exeKpjjod32.exeNceonl32.exeNcihikcg.exeJbmfoa32.exeNjljefql.exeKmlnbi32.exeKibnhjgj.exeKbapjafe.exeNnjbke32.exeKacphh32.exeKpmfddnf.exe4fb3fc0a450a50ed260ca28c9615a180_NeikiAnalytics.exeNklfoi32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Kmegbjgn.exe	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Jkfkfohj.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Olmeac32.dll	Jdhine32.exe
File created	C:\Windows\SysWOW64\Jaljgidl.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Jkfkfohj.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Bclhoo32.dll	Jfdida32.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kmjqmi32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Kgphpo32.exe	Kdaldd32.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Jeiooj32.dll	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Ecppdbpl.dll	Jangmibi.exe
File created	C:\Windows\SysWOW64\Ajgblndm.dll	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcidam.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Kgbefoji.exe	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Jplmmfmi.exe	Jibeql32.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	Kdaldd32.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Jbmfoa32.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Jibeql32.exe	Jfdida32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Jibeql32.exe	Jfdida32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jbmfoa32.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Jfffjqdf.exe	Jdhine32.exe
File created	C:\Windows\SysWOW64\Kpjjod32.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Kkihknfg.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Kdaldd32.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Jfdida32.exe	4fb3fc0a450a50ed260ca28c9615a180_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mciobn32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4352 5296 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
4352	5296	WerFault.exe	Nkcmohbg.exe

Modifies registry class 64 IoCs

Processes:

Kibnhjgj.exeKpmfddnf.exeLcgblncm.exeMkgmcjld.exeNbhkac32.exe4fb3fc0a450a50ed260ca28c9615a180_NeikiAnalytics.exeJaljgidl.exeKpjjod32.exeLknjmkdo.exeNdghmo32.exeJangmibi.exeJdmcidam.exeJkfkfohj.exeKdaldd32.exeLaopdgcg.exeMpkbebbf.exeKkihknfg.exeKgbefoji.exeNkjjij32.exeJfffjqdf.exeJbmfoa32.exeKmjqmi32.exeLgikfn32.exeMkbchk32.exeKacphh32.exeKgphpo32.exeMahbje32.exeJfhbppbc.exeKcifkp32.exeJdhine32.exeMdpalp32.exeNceonl32.exeNqmhbpba.exeJibeql32.exeMnapdf32.exeMncmjfmk.exeNklfoi32.exeKmegbjgn.exeKmlnbi32.exeNjljefql.exeLphfpbdi.exeNnjbke32.exeNgcgcjnc.exeNkqpjidj.exeMcnhmm32.exeMaaepd32.exeJplmmfmi.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	4fb3fc0a450a50ed260ca28c9615a180_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	4fb3fc0a450a50ed260ca28c9615a180_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljnde32.dll"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekdppan.dll"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbjnidp.dll"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphqml32.dll"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	4fb3fc0a450a50ed260ca28c9615a180_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkfkfohj.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4fb3fc0a450a50ed260ca28c9615a180_NeikiAnalytics.exeJfdida32.exeJibeql32.exeJplmmfmi.exeJdhine32.exeJfffjqdf.exeJaljgidl.exeJbmfoa32.exeJfhbppbc.exeJangmibi.exeJdmcidam.exeJkfkfohj.exeKmegbjgn.exeKpccnefa.exeKbapjafe.exeKkihknfg.exeKacphh32.exeKdaldd32.exeKgphpo32.exeKmjqmi32.exeKphmie32.exeKgbefoji.exe

description	pid	process	target process
PID 1124 wrote to memory of 684	1124	4fb3fc0a450a50ed260ca28c9615a180_NeikiAnalytics.exe	Jfdida32.exe
PID 1124 wrote to memory of 684	1124	4fb3fc0a450a50ed260ca28c9615a180_NeikiAnalytics.exe	Jfdida32.exe
PID 1124 wrote to memory of 684	1124	4fb3fc0a450a50ed260ca28c9615a180_NeikiAnalytics.exe	Jfdida32.exe
PID 684 wrote to memory of 3900	684	Jfdida32.exe	Jibeql32.exe
PID 684 wrote to memory of 3900	684	Jfdida32.exe	Jibeql32.exe
PID 684 wrote to memory of 3900	684	Jfdida32.exe	Jibeql32.exe
PID 3900 wrote to memory of 2748	3900	Jibeql32.exe	Jplmmfmi.exe
PID 3900 wrote to memory of 2748	3900	Jibeql32.exe	Jplmmfmi.exe
PID 3900 wrote to memory of 2748	3900	Jibeql32.exe	Jplmmfmi.exe
PID 2748 wrote to memory of 4412	2748	Jplmmfmi.exe	Jdhine32.exe
PID 2748 wrote to memory of 4412	2748	Jplmmfmi.exe	Jdhine32.exe
PID 2748 wrote to memory of 4412	2748	Jplmmfmi.exe	Jdhine32.exe
PID 4412 wrote to memory of 4932	4412	Jdhine32.exe	Jfffjqdf.exe
PID 4412 wrote to memory of 4932	4412	Jdhine32.exe	Jfffjqdf.exe
PID 4412 wrote to memory of 4932	4412	Jdhine32.exe	Jfffjqdf.exe
PID 4932 wrote to memory of 6040	4932	Jfffjqdf.exe	Jaljgidl.exe
PID 4932 wrote to memory of 6040	4932	Jfffjqdf.exe	Jaljgidl.exe
PID 4932 wrote to memory of 6040	4932	Jfffjqdf.exe	Jaljgidl.exe
PID 6040 wrote to memory of 5612	6040	Jaljgidl.exe	Jbmfoa32.exe
PID 6040 wrote to memory of 5612	6040	Jaljgidl.exe	Jbmfoa32.exe
PID 6040 wrote to memory of 5612	6040	Jaljgidl.exe	Jbmfoa32.exe
PID 5612 wrote to memory of 3464	5612	Jbmfoa32.exe	Jfhbppbc.exe
PID 5612 wrote to memory of 3464	5612	Jbmfoa32.exe	Jfhbppbc.exe
PID 5612 wrote to memory of 3464	5612	Jbmfoa32.exe	Jfhbppbc.exe
PID 3464 wrote to memory of 2052	3464	Jfhbppbc.exe	Jangmibi.exe
PID 3464 wrote to memory of 2052	3464	Jfhbppbc.exe	Jangmibi.exe
PID 3464 wrote to memory of 2052	3464	Jfhbppbc.exe	Jangmibi.exe
PID 2052 wrote to memory of 1572	2052	Jangmibi.exe	Jdmcidam.exe
PID 2052 wrote to memory of 1572	2052	Jangmibi.exe	Jdmcidam.exe
PID 2052 wrote to memory of 1572	2052	Jangmibi.exe	Jdmcidam.exe
PID 1572 wrote to memory of 1580	1572	Jdmcidam.exe	Jkfkfohj.exe
PID 1572 wrote to memory of 1580	1572	Jdmcidam.exe	Jkfkfohj.exe
PID 1572 wrote to memory of 1580	1572	Jdmcidam.exe	Jkfkfohj.exe
PID 1580 wrote to memory of 4560	1580	Jkfkfohj.exe	Kmegbjgn.exe
PID 1580 wrote to memory of 4560	1580	Jkfkfohj.exe	Kmegbjgn.exe
PID 1580 wrote to memory of 4560	1580	Jkfkfohj.exe	Kmegbjgn.exe
PID 4560 wrote to memory of 484	4560	Kmegbjgn.exe	Kpccnefa.exe
PID 4560 wrote to memory of 484	4560	Kmegbjgn.exe	Kpccnefa.exe
PID 4560 wrote to memory of 484	4560	Kmegbjgn.exe	Kpccnefa.exe
PID 484 wrote to memory of 3592	484	Kpccnefa.exe	Kbapjafe.exe
PID 484 wrote to memory of 3592	484	Kpccnefa.exe	Kbapjafe.exe
PID 484 wrote to memory of 3592	484	Kpccnefa.exe	Kbapjafe.exe
PID 3592 wrote to memory of 4504	3592	Kbapjafe.exe	Kkihknfg.exe
PID 3592 wrote to memory of 4504	3592	Kbapjafe.exe	Kkihknfg.exe
PID 3592 wrote to memory of 4504	3592	Kbapjafe.exe	Kkihknfg.exe
PID 4504 wrote to memory of 5764	4504	Kkihknfg.exe	Kacphh32.exe
PID 4504 wrote to memory of 5764	4504	Kkihknfg.exe	Kacphh32.exe
PID 4504 wrote to memory of 5764	4504	Kkihknfg.exe	Kacphh32.exe
PID 5764 wrote to memory of 2764	5764	Kacphh32.exe	Kdaldd32.exe
PID 5764 wrote to memory of 2764	5764	Kacphh32.exe	Kdaldd32.exe
PID 5764 wrote to memory of 2764	5764	Kacphh32.exe	Kdaldd32.exe
PID 2764 wrote to memory of 5980	2764	Kdaldd32.exe	Kgphpo32.exe
PID 2764 wrote to memory of 5980	2764	Kdaldd32.exe	Kgphpo32.exe
PID 2764 wrote to memory of 5980	2764	Kdaldd32.exe	Kgphpo32.exe
PID 5980 wrote to memory of 5548	5980	Kgphpo32.exe	Kmjqmi32.exe
PID 5980 wrote to memory of 5548	5980	Kgphpo32.exe	Kmjqmi32.exe
PID 5980 wrote to memory of 5548	5980	Kgphpo32.exe	Kmjqmi32.exe
PID 5548 wrote to memory of 5688	5548	Kmjqmi32.exe	Kphmie32.exe
PID 5548 wrote to memory of 5688	5548	Kmjqmi32.exe	Kphmie32.exe
PID 5548 wrote to memory of 5688	5548	Kmjqmi32.exe	Kphmie32.exe
PID 5688 wrote to memory of 1408	5688	Kphmie32.exe	Kgbefoji.exe
PID 5688 wrote to memory of 1408	5688	Kphmie32.exe	Kgbefoji.exe
PID 5688 wrote to memory of 1408	5688	Kphmie32.exe	Kgbefoji.exe
PID 1408 wrote to memory of 2340	1408	Kgbefoji.exe	Kmlnbi32.exe

C:\Users\Admin\AppData\Local\Temp\4fb3fc0a450a50ed260ca28c9615a180_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4fb3fc0a450a50ed260ca28c9615a180_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\SysWOW64\Jfdida32.exe
C:\Windows\system32\Jfdida32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\SysWOW64\Jibeql32.exe
C:\Windows\system32\Jibeql32.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\SysWOW64\Jplmmfmi.exe
C:\Windows\system32\Jplmmfmi.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\SysWOW64\Jdhine32.exe
C:\Windows\system32\Jdhine32.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4412

C:\Windows\SysWOW64\Jfffjqdf.exe
C:\Windows\system32\Jfffjqdf.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4932

C:\Windows\SysWOW64\Jaljgidl.exe
C:\Windows\system32\Jaljgidl.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:6040

C:\Windows\SysWOW64\Jbmfoa32.exe
C:\Windows\system32\Jbmfoa32.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5612

C:\Windows\SysWOW64\Jfhbppbc.exe
C:\Windows\system32\Jfhbppbc.exe
9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3464

C:\Windows\SysWOW64\Jangmibi.exe
C:\Windows\system32\Jangmibi.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2052

C:\Windows\SysWOW64\Jdmcidam.exe
C:\Windows\system32\Jdmcidam.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\SysWOW64\Jkfkfohj.exe
C:\Windows\system32\Jkfkfohj.exe
12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\Kmegbjgn.exe
C:\Windows\system32\Kmegbjgn.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4560

C:\Windows\SysWOW64\Kpccnefa.exe
C:\Windows\system32\Kpccnefa.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:484

C:\Windows\SysWOW64\Kbapjafe.exe
C:\Windows\system32\Kbapjafe.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3592

C:\Windows\SysWOW64\Kkihknfg.exe
C:\Windows\system32\Kkihknfg.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4504

C:\Windows\SysWOW64\Kacphh32.exe
C:\Windows\system32\Kacphh32.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5764

C:\Windows\SysWOW64\Kdaldd32.exe
C:\Windows\system32\Kdaldd32.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2764

C:\Windows\SysWOW64\Kgphpo32.exe
C:\Windows\system32\Kgphpo32.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5980

C:\Windows\SysWOW64\Kmjqmi32.exe
C:\Windows\system32\Kmjqmi32.exe
20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5548

C:\Windows\SysWOW64\Kphmie32.exe
C:\Windows\system32\Kphmie32.exe
21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5688

C:\Windows\SysWOW64\Kgbefoji.exe
C:\Windows\system32\Kgbefoji.exe
22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\SysWOW64\Kmlnbi32.exe
C:\Windows\system32\Kmlnbi32.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2340

C:\Windows\SysWOW64\Kpjjod32.exe
C:\Windows\system32\Kpjjod32.exe
24⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2744

C:\Windows\SysWOW64\Kcifkp32.exe
C:\Windows\system32\Kcifkp32.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4212

C:\Windows\SysWOW64\Kibnhjgj.exe
C:\Windows\system32\Kibnhjgj.exe
26⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1584

C:\Windows\SysWOW64\Kpmfddnf.exe
C:\Windows\system32\Kpmfddnf.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1960

C:\Windows\SysWOW64\Kkbkamnl.exe
C:\Windows\system32\Kkbkamnl.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5944

C:\Windows\SysWOW64\Lmqgnhmp.exe
C:\Windows\system32\Lmqgnhmp.exe
29⤵
- Executes dropped EXE
PID:2300

C:\Windows\SysWOW64\Lpocjdld.exe
C:\Windows\system32\Lpocjdld.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5900

C:\Windows\SysWOW64\Lgikfn32.exe
C:\Windows\system32\Lgikfn32.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5260

C:\Windows\SysWOW64\Liggbi32.exe
C:\Windows\system32\Liggbi32.exe
32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5504

C:\Windows\SysWOW64\Laopdgcg.exe
C:\Windows\system32\Laopdgcg.exe
33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1532

C:\Windows\SysWOW64\Lphfpbdi.exe
C:\Windows\system32\Lphfpbdi.exe
34⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4076

C:\Windows\SysWOW64\Lcgblncm.exe
C:\Windows\system32\Lcgblncm.exe
35⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5364

C:\Windows\SysWOW64\Lknjmkdo.exe
C:\Windows\system32\Lknjmkdo.exe
36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2016

C:\Windows\SysWOW64\Mahbje32.exe
C:\Windows\system32\Mahbje32.exe
37⤵
- Executes dropped EXE
- Modifies registry class
PID:3964

C:\Windows\SysWOW64\Mpkbebbf.exe
C:\Windows\system32\Mpkbebbf.exe
38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1800

C:\Windows\SysWOW64\Mciobn32.exe
C:\Windows\system32\Mciobn32.exe
39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5608

C:\Windows\SysWOW64\Mjcgohig.exe
C:\Windows\system32\Mjcgohig.exe
40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2364

C:\Windows\SysWOW64\Mpmokb32.exe
C:\Windows\system32\Mpmokb32.exe
41⤵
- Executes dropped EXE
PID:5008

C:\Windows\SysWOW64\Mcklgm32.exe
C:\Windows\system32\Mcklgm32.exe
42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2436

C:\Windows\SysWOW64\Mkbchk32.exe
C:\Windows\system32\Mkbchk32.exe
43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3348

C:\Windows\SysWOW64\Mnapdf32.exe
C:\Windows\system32\Mnapdf32.exe
44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2224

C:\Windows\SysWOW64\Mpolqa32.exe
C:\Windows\system32\Mpolqa32.exe
45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3992

C:\Windows\SysWOW64\Mcnhmm32.exe
C:\Windows\system32\Mcnhmm32.exe
46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:496

C:\Windows\SysWOW64\Mkepnjng.exe
C:\Windows\system32\Mkepnjng.exe
47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3680

C:\Windows\SysWOW64\Mncmjfmk.exe
C:\Windows\system32\Mncmjfmk.exe
48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2908

C:\Windows\SysWOW64\Mpaifalo.exe
C:\Windows\system32\Mpaifalo.exe
49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3896

C:\Windows\SysWOW64\Mcpebmkb.exe
C:\Windows\system32\Mcpebmkb.exe
50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2160

C:\Windows\SysWOW64\Mkgmcjld.exe
C:\Windows\system32\Mkgmcjld.exe
51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3692

C:\Windows\SysWOW64\Maaepd32.exe
C:\Windows\system32\Maaepd32.exe
52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3804

C:\Windows\SysWOW64\Mdpalp32.exe
C:\Windows\system32\Mdpalp32.exe
53⤵
- Executes dropped EXE
- Modifies registry class
PID:4488

C:\Windows\SysWOW64\Nkjjij32.exe
C:\Windows\system32\Nkjjij32.exe
54⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3284

C:\Windows\SysWOW64\Njljefql.exe
C:\Windows\system32\Njljefql.exe
55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1576

C:\Windows\SysWOW64\Nacbfdao.exe
C:\Windows\system32\Nacbfdao.exe
56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5116

C:\Windows\SysWOW64\Nceonl32.exe
C:\Windows\system32\Nceonl32.exe
57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:6100

C:\Windows\SysWOW64\Nklfoi32.exe
C:\Windows\system32\Nklfoi32.exe
58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3104

C:\Windows\SysWOW64\Nnjbke32.exe
C:\Windows\system32\Nnjbke32.exe
59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1832

C:\Windows\SysWOW64\Nddkgonp.exe
C:\Windows\system32\Nddkgonp.exe
60⤵
- Executes dropped EXE
PID:488

C:\Windows\SysWOW64\Ngcgcjnc.exe
C:\Windows\system32\Ngcgcjnc.exe
61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1376

C:\Windows\SysWOW64\Njacpf32.exe
C:\Windows\system32\Njacpf32.exe
62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5076

C:\Windows\SysWOW64\Nbhkac32.exe
C:\Windows\system32\Nbhkac32.exe
63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4568

C:\Windows\SysWOW64\Ndghmo32.exe
C:\Windows\system32\Ndghmo32.exe
64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5320

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4996

C:\Windows\SysWOW64\Nkqpjidj.exe
C:\Windows\system32\Nkqpjidj.exe
66⤵
- Drops file in System32 directory
- Modifies registry class
PID:5488

C:\Windows\SysWOW64\Nnolfdcn.exe
C:\Windows\system32\Nnolfdcn.exe
67⤵
PID:3884

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5576

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1872

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
70⤵
PID:5296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5296 -s 400
71⤵
- Program crash
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 5296 -ip 5296
1⤵
PID:4968

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jaljgidl.exe
Filesize
94KB

MD5
409bb7897a67540212380027f90776cf

SHA1
87ca3628a2ee6052ee0a344dd0e20f22e8dc5674

SHA256
2c7edfb35ed52b63a6cba8e18f0eba1c6998421663b555a8302dae1b491d59d4

SHA512
6bea249bf8436c6bff8fcdad02a80ec99317b1633d5a3cb7555067729b37a625c9f809fdbac16fe5d8704aceef3256a7214f97e9f9bd6c6cfa6066b141953e00

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe
Filesize
94KB

MD5
d84b3fbe9e010f82225e29220756f7a1

SHA1
667073cf68a805a403062be2bb3fc14101b6e716

SHA256
6f47ac981a91e4edae4c7bfd16c3601f79f333a5548eb53caf274171750fe26a

SHA512
44a19fdb64a5e593137c6d9a8d476a4ac56d04b0eef4f84e3707ef4bf8f8fa3aff48e645127a5ca93156c362289d0de4364d55b8cd4c01bebffc3a0a1d3ca099

Download Submit
C:\Windows\SysWOW64\Jbmfoa32.exe
Filesize
94KB

MD5
d07be521183906681f6e15e5a3db68ee

SHA1
666ec161fa26abf2c3c7f5e06af84c2b61814b60

SHA256
789983e271ea530eb097f8d4d5deb963161bce8fe21649d91b00999f836202d5

SHA512
6f8d5b540c15b10a2e1c7dc64dee8f184f6b17c1277b8ec200e3777921cbe8b41ecb61318f3cd46a8c21273ae179c3decfc55d52f2f1a02a217b1b7e69093272

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe
Filesize
94KB

MD5
c6b05ad9fe68ca37baa60c11d91f44d9

SHA1
5b640b889dfd8a2fbcf7eda813f380698653b4f0

SHA256
812d917fc86328f0a9d785c1ba9ecd5d97ab9dcd209d6dd03db0bf4556e80ba9

SHA512
0e78a29a8960dd115418d28802ee9cdd40c6e7a9bf0e13787a347ed57233d0d28fabbfa5c3c4f2d305e3825ab923a98620277e259acb8f0590bb3e9e242868d3

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe
Filesize
94KB

MD5
1ea8f8c10873676f63a2c494f6393f15

SHA1
c163b8659f6886381690588a2f0c4a85491beef8

SHA256
45c87dddcce33e652409a37630476bf035830049dc8838625d38a98b4a48ffdf

SHA512
8a075f7b4a709eb085348446f3e08d6faaab74833f99a9d3ef9ef8e3625a0c7dc396ad882f39f5e329d4914744f59f350c3e7f6ec4ae8143b6668ca0ce04d3fc

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe
Filesize
94KB

MD5
0c8d618ba5ec7d3eab07b187be26e053

SHA1
ce08516a7ed98cb020957a3f4102ac4994dcc109

SHA256
5192406fe40dff6af22543f311b12b90b248993195898f0a5ef6caf7836771c9

SHA512
31366043284412154bd3d04a4c3b4b1fa7c589232142c29a7c8ffd48a681888c3ccce4fe178963663d43cb44878aaf35925804f85b7bc9d2f1a9a56d8e535f61

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe
Filesize
94KB

MD5
3f5529ec5bf2ce9e488959e321b551be

SHA1
64018116b5826855c673582b5d6afb65dffc97d5

SHA256
9c83752e2b0d82c67f5009bc1f19e62236ff92be95eb3100daa5711dfa919811

SHA512
910bdf59c9f08944776eb6416900b150e62d286a4c9591abe6eebfd116586e54d62e5a3be8dcb578766fcd3c1aec98bffec022c562b720af6f5107d0bc2c197a

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe
Filesize
94KB

MD5
e1f2613294b363ee52e046ab0a16059c

SHA1
b3c0fa709d281936f5a85147e98a9647cf4c42a6

SHA256
c5bf3b6ec5612df7841cd2f366317c748f626f2a77f18ade3ef49fe32f9a6587

SHA512
d4675e613a27785e78651ddc8d12d5777ffa34eace752c7eb3ff58ce46e2cbe3ef6b9885712a57e14b646ca1e56822261beb7c047f1d672088f0319069475d95

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe
Filesize
94KB

MD5
670b1a6c2bf1d7ede0cfabeff113d1fe

SHA1
402263a42c07ec0ecc8ed0d64995b7b4982a4dbc

SHA256
3077b307a8f27c6a8d0264e5158840523e2249b496593e654090697500105c96

SHA512
7c32f244277336d755bba3e394d50240dc9610031dede8700a45890755bcca3e5abc815ff7a8cee4d703fc88d8eac310589163a5d62325b5f5cc61ee82d79ff6

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe
Filesize
94KB

MD5
4be2b60b5eafaafa63ef038b177ceb4f

SHA1
5141b075f0151a8971d57b84591d24754fa071b1

SHA256
bb0e9762665d6d5f4425be3ab5cdd57b31dd78e590f498e7f46e520d69083827

SHA512
2ef7d607ee08f4015c1234b70c61a54394627800d8cd1676fc7d87e93ede65b6c8d2a6465747d6e1a603f46f84772bfc7f4ac42b466cee014d503d4ca2febe01

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe
Filesize
94KB

MD5
1a64c44e0506416b11f295e9145b11fb

SHA1
daaf0f4aa868ad11ab77b4e0e3bf66a857e29acf

SHA256
959d0d8cf4a89bac71a26dadb7426fc50708efef2a1773001bf8cad0dd414b1b

SHA512
82106868620f3a7548a33e3ec84cc2c4212664d42ad2c9261124f17583e316aca4b0859a87412037bb5aaa24d74ae9a24b118095102b93f676d9578c9477cf63

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe
Filesize
94KB

MD5
efc9e4ef3a03137a805ee0a8b0af0ef2

SHA1
3b930fc5bc0aed89cb626d6862346b491dd7f5a5

SHA256
c9a640af9e40d13e80b329182e508d5c7cbd12c009c552f05eb2dd265315c28d

SHA512
8861bcbb771671e3d908dad87bc08b22409ceb9f01c00ae9292269a5b68aad36ea6678c88650c45f7cae81c06acb32bd99e6eb631c4edb6561769fe3b3cf2f28

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe
Filesize
94KB

MD5
64f54fd4fb521f88a728bef9ca690cb3

SHA1
008d417efdb1ef5f3ceb64a5dfc989803fb71929

SHA256
ed755013335fd2f361f42381173f9ee6b5f309e58c44d0ae9441591a362dab23

SHA512
9cf89259531ad2503b9afd0869919a2f75fd052a680a696c018916401a5706b827a49acf965754b7964d29273ca642e86e8e4217c1e1129107c96c36ea947e35

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe
Filesize
94KB

MD5
44c1bf551527b44c36fcbff7d612e960

SHA1
215bb86e1d8c244f0d95f1d8c711bbc90edc9913

SHA256
9c3fa2c3caf10fdf9ea1558ba25e5f5a093cfaeadacaf406001e8ef32fd07aaa

SHA512
a750ec2d0f334d3f72cee1cef30e9f30719841349c5757f0548e0a4589c8c56c676f9964b74765bd4f297e3ba7841985e388a2de62880ffd651d9ffb14726d12

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe
Filesize
94KB

MD5
f320db85af86cab634bafdbe39d27cfb

SHA1
6f670c1f323c5cf7bfa988fca270485ae25f4c0a

SHA256
0dacab098ab0e865c06592d044cb38f9cee7853e77e0b4bd625cd1dc1f9fee29

SHA512
5fb719edbc7214b8f7c86a2430f32b4a6909e3a1d0246cdf09bff771d6ad38524e0b25bd1199300c638b07b71b55da4e5cf9be83b4aeb786e8fbb80278bad787

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe
Filesize
94KB

MD5
e2d8e582c1bc2d5c4b348c9f2548700e

SHA1
b9aa41b7352f617571eb482a46b256cf6d448035

SHA256
a39e1c3281e4a7cf8b37dd122be7bddcb0a075db509c4512ce150dced9695f04

SHA512
5759cb44d2069dd609f9ff14d487b907b679b8024101bb4fb34dfccc758f5989c1dd12b67e2bdc6a95fd91129ee84c0e67c4af298957f7b634d5094d89aa8957

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe
Filesize
94KB

MD5
783e6f524cc4f224f234096226e539f9

SHA1
76a252a211a5da9355913e6f24a2763e11f446fa

SHA256
852419c4bec82906240c662f5131e3460e1890a1045aa2e7308a19946e3aaf99

SHA512
da643d292fc71d31aacdad91b88f0c55d22aadbf04b2e6468c75c339fa7fd9a6b3bff6b16bac71af78c413b08bd65e3560466ddc2cda98cb2e476a41296acc9f

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe
Filesize
94KB

MD5
4a2d465aad685db21f88a572a6daee8e

SHA1
1d7b7901c35f51993e930794fec81a94773bf950

SHA256
702dab836b4121fdb6a7d733707b2aaa50c08d0d0acfb4feb4ffcd3c68abef70

SHA512
c87aa34f20107e238030a1d89704eab50a45572c53e7b2a1c413dd206d1f18d4fca405c7d736a339c03ed34edaed77b2a06256945422fcb954d269169a0e49a9

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe
Filesize
94KB

MD5
5d7f0713ad54aa72dbd68b647a0da2c2

SHA1
33f9fa32c8f4bb9965f30fb56800d57ef10bc5b6

SHA256
c4b6a7b5f9cec05616d5619e12dde4610390d0f4260e046173f8d148b2a5f92c

SHA512
daa43062dc55dd801c8c09056f372f5748ecb434927f158c3e40ffbda5eeac320e869d39f3ea232bdd18825be431208456ad740bd00b31cb16377c0fbb271a02

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe
Filesize
94KB

MD5
d2ac597127d11433b6cc470a4400d378

SHA1
74b180c51296f0e9555c71458421802be2246ecd

SHA256
146dd604c7b1f13add4653f4e669ed434300a28f7898fc60d87a276f5d4b7544

SHA512
d220feece76a98e99a086d68ab7ba05ee0c863c99e962d876f52538127aa34af4c260c41c2daa9def1e179133accd2e9f992459168b88f93f0ba21370d731bbd

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe
Filesize
94KB

MD5
8ce352d613551f7fa4f232b356cc73e1

SHA1
59e10365c923027474454d2c849d508dc1b9532a

SHA256
12b5cf0bb9ba6d0fa446b59fbf61ecb0da5978ad3d5764c12a69313398036bcb

SHA512
3b5eaf9fabb49cc9af4fd6fd37ace72184b79affb079c18e4a2931f67cc8db57ed71ab4e18dd7fd724ec0e3e5dc5bd8f07f789ed2f93e220e17a13977d4ee602

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe
Filesize
94KB

MD5
f4510010a4a05fb63bcda4a3f596c619

SHA1
c4ca3566b23d8aeba4c6c71ccc5a3e545109023e

SHA256
bb95f0b1612f2056bc8b047a2a8baa804802a0d13f5adf5941d146084174bfaf

SHA512
b9a221b70c120d3226e4ffda6823c987acbac524944f0daeae385c524201c8d76099df09c8f090b2dcc85b723779bff2af089bbb0ebed405bdbdbc017550cbaa

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe
Filesize
94KB

MD5
1032b09fb9773051b2d8ab3f8fe254c6

SHA1
480cd05ce959c5662ef9633bc7ac3e765eb9cdf4

SHA256
3b9241461393c3f4c37d4d2d86dff446ccf45255e40437c8ea5ed055e90f874d

SHA512
edf56ffb0a90466b7583f0508bd4dabe6b9075bdb8db18de8cf60bd6b3f1d74aab37d216bfb6d3a929512c7cbae7a6b67c60a6beaa17b6a027573ad0a8dccf26

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe
Filesize
94KB

MD5
52c3ebf1ba7f95d75c4305a8a6ce0c56

SHA1
0df1c617903445f4b71a411a4ad5e57b0457bc57

SHA256
154d82c85c024db9d90a56f7a08f924831777d51845189f9883f050972c44746

SHA512
aa104dde1a7735006c26ca603dc3f0c37b6c8dd8dc6de9ce83be72cce9158544be92300cd1b9d7460c89f244ec880a1c06016ceeb68b9b26a40880941075e4f1

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe
Filesize
94KB

MD5
7dc81a173cbe86a93ecdf10c2acdff9b

SHA1
6e20322d00b5980eaa12b89b9b38484856ab48f4

SHA256
0fa83417d6e116a5ab160caf066cacf378ee4d4bf59898c64c7fde026ca859a0

SHA512
1dca76a00574178e7e7c9aa49d0d33ba58feef06584eb029a1fdc56dcb62c046f2fbffc8affbdeb207bd07211f868e6699c7baa866f0c4688b64026b479caf0e

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe
Filesize
94KB

MD5
a609cb0bb8b57041fbeb9940a65d382c

SHA1
8915053f590ad6708816ae0afa5225f450d0179e

SHA256
f3fd93cc62ba34d56a56bb2236c703735ffb594737e58f81b8b04b48e1e888dc

SHA512
663f8b2f402c067aa9676f6f2ff623f5e3ae39addf3b156570c7756c4bf2ac244156a631c1bff557dc957b48263757f15eb378f15f3fd8ff4a0154ba20df1fe6

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe
Filesize
94KB

MD5
264f7c8dfe0d7ec60aeb971cf7590b00

SHA1
c9901febb1e28432109f8904b51300c23005bf74

SHA256
59f6f12f68cdb821c73d37952ed9196e46803032f51bd3522305f3d72081adb4

SHA512
873f4dc77f40a6766fbd5c357f24cd30402116a47ca4db619d1b44f369fca26ef0b81925576d155815ac8a49b058b7cf3f44b0df52c4d358304d743cd4ea420a

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe
Filesize
94KB

MD5
a4fc99d9e44a81c8b016c3ea973a21d6

SHA1
fd5d62dc4313a37ab1678859b1b189f11a85bfe4

SHA256
b2a472689e5142d0bf4ef06d2d72224389274b08c2c041d24038712c631c8576

SHA512
7713bdf0a4c9748ee54173f8efb6b79eba8df67346f79ee286923c2c3170b4586c2ea4507b514e40a4833be7111b5932aac916034a33b75ae2efba278c7523f8

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe
Filesize
94KB

MD5
36d4c4e0d00f99ce423bdb240aa878bc

SHA1
ee3792666a895aaad8ff734dd8827b78d2cc3553

SHA256
848c663365a357a557633a01f5de44ffc079f78c1f82fb7e81f6d4509066d4ea

SHA512
fc68d95632bae34d4b4d656718bf8931d4c4b89e8908c754dc0c1d94c3cf6c05e0588c73ff4db99d999571da811ac9ac1dbf87bffbb010156f6af9032dbd3b5c

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe
Filesize
94KB

MD5
0671332983063fa60e12a0bca06fa51c

SHA1
365ec6827daaffd00abae5397a4c085f698bf7d8

SHA256
b8a45509cc2805e2dc40884a891254fb40f072e85fec6bfbb0b62879f1344459

SHA512
6ca8e29c3c13643a58fb52a9734d37ba81302787df0fe921a4f6a98e37da0b37116c2a26c5a22494662ea81b09d34e4c7f3212568af81a63bf045a3aa02721e6

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe
Filesize
94KB

MD5
9eb1b6113838ec511270f118204d00a7

SHA1
e97f8ca21e7adf008ebd6ef1e34e32220f4c2674

SHA256
a587055fda5d40df6d88ea4627068fa3be4397eb0637f69715cc24628f21e82b

SHA512
df540c9b33aa358db6f7ed8da4fbdfa816e0228d719eee1efac1bcbee653d352fbe3282f86380eebe2dda499f5ee4f3aaa1ca95879a3f4672489d9677929cea7

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe
Filesize
94KB

MD5
d12a5ade33dd944ff151ac7cb5dd3b4b

SHA1
f8e4c97d91cd68f353af7b12519a7dd8e9027c2a

SHA256
b60339f7b63042577daf0ebc0ab65beab0e2d15e8b976bbb2181dbf5c30fb496

SHA512
eba93a6a464ffb0ef33fc2a80426a1c15e7806f5b9044846311dbbacdada1507fd1c2b4fc6181b574638b438aeb935ea367fb0a3a2a84cb93cc677324aaca4e5

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe
Filesize
94KB

MD5
19549e7c0fef1cf1f989f88f8f43ef3a

SHA1
b970227d7bae0b184319ecdc9956a89f84a5892e

SHA256
00776fa8557ecb8debb79ea91d92cf1ac578d35b5a37a5e7c7e7fb4f7268c47c

SHA512
7f722ae706389e8a7626da242d6f13ea5d1e0382e5e0aa418334b389d15d543c4094934c90734cce99abba7917bc0909a33e759febb6e1384eb5a7f27ebea71f

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe
Filesize
94KB

MD5
6ef5a50c2f47d17f2ea0725f1ff7c945

SHA1
260b5493c93e910b929b56f79e33aa0034e51956

SHA256
af022bccc5aa6817a8a5ca206d1bf95e68a723412ffc2df9d2cf931400e2a162

SHA512
e4e4b1ce6c1c151887498e7bf28a73574c58cf230fc8777e5b9d3243a51375c8f6405ccb5d05503e00b6179b0883b1b29d84054df75afa91713fe4625f976172

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/484-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/488-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/496-339-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/684-13-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1124-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1124-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1376-429-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1408-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1532-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1532-500-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1572-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1576-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1576-489-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1580-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1584-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1584-503-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1800-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1800-496-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1832-417-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1872-473-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1872-481-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1960-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1960-502-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2016-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2016-498-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2052-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2160-492-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2160-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2224-327-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2300-229-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2340-181-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2364-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2364-495-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2436-494-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2436-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2744-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2748-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2764-141-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2908-351-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3104-486-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3104-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3284-387-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3348-493-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3348-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3464-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3592-114-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3680-345-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3692-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3692-491-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3804-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3884-465-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3896-357-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3900-21-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3964-497-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3964-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3992-333-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4076-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4212-195-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4212-504-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4412-37-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4488-490-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4488-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4504-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4560-101-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4568-485-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4568-439-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4932-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4996-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4996-484-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5008-309-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5076-435-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5116-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5116-488-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5260-245-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5296-480-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5296-479-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5320-447-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5364-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5364-499-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5488-459-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5488-483-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5504-254-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5548-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5576-467-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5576-482-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5608-297-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5612-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5688-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5764-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5900-501-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5900-236-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5944-221-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5980-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6040-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6100-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6100-487-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download