gozi | 34e62874e7f01c05d5154af6f8de7a2cf49d9d75bc0592c9d3a48b190377cbe9

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
25-06-2024 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34e62874e7f01c05d5154af6f8de7a2cf49d9d75bc0592c9d3a48b190377cbe9_NeikiAnalytics.exe
Size

163KB
MD5

db32c4c9a4e8e7ad2e5dcd2f9a4da490
SHA1

2057bae2e9d6bcaa93b0e7cdf3b4aed02e0b6ca2
SHA256

34e62874e7f01c05d5154af6f8de7a2cf49d9d75bc0592c9d3a48b190377cbe9
SHA512

f4904a97970be5c6492429d9152152ba264337c36864a1f30f30d60e4b3431dd72f6f86f218157f2a06e6964ba1be4eec1c98d1fe6303583ce326073ecbf5df5
SSDEEP

3072:gVI42/5ZOj8FxOVolbPltOrWKDBr+yJb:gu42/5wATOVebPLOf

Score

10^/10

gozi banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Jfaloa32.exeKacphh32.exeLiggbi32.exeLaalifad.exeLklnhlfb.exeMkepnjng.exeNjljefql.exeHibljoco.exeImdnklfp.exeMajopeii.exeNjogjfoj.exeNcgkcl32.exeKgfoan32.exeLalcng32.exeMkbchk32.exeMkgmcjld.exeIcgqggce.exeIjhodq32.exeJaimbj32.exeKmnjhioc.exeLaefdf32.exeIbmmhdhm.exeJmbklj32.exeKdcijcke.exeKcifkp32.exeLgikfn32.exeLcgblncm.exeMnlfigcc.exeNklfoi32.exeJbmfoa32.exeKkpnlm32.exeMpdelajl.exeNacbfdao.exeNnolfdcn.exeJdhine32.exeKdaldd32.exeJmpngk32.exeJpaghf32.exeLgneampk.exeLdaeka32.exeKmgdgjek.exeKgphpo32.exeImgkql32.exeLmqgnhmp.exeMdmegp32.exeNjacpf32.exeNkqpjidj.exeIcljbg32.exeIdofhfmm.exeHaidklda.exeKpjjod32.exeMcnhmm32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hibljoco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibmmhdhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hibljoco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Executes dropped EXE 64 IoCs

Processes:

Hibljoco.exeHaidklda.exeIpldfi32.exeIcgqggce.exeIakaql32.exeIbmmhdhm.exeIiffen32.exeIcljbg32.exeIfjfnb32.exeImdnklfp.exeIdofhfmm.exeIjhodq32.exeImgkql32.exeIbccic32.exeImihfl32.exeJpgdbg32.exeJfaloa32.exeJagqlj32.exeJdemhe32.exeJjpeepnb.exeJaimbj32.exeJdhine32.exeJidbflcj.exeJmpngk32.exeJbmfoa32.exeJmbklj32.exeJpaghf32.exeJfkoeppq.exeJiikak32.exeKdopod32.exeKgmlkp32.exeKmgdgjek.exeKacphh32.exeKdaldd32.exeKgphpo32.exeKkkdan32.exeKmjqmi32.exeKdcijcke.exeKknafn32.exeKipabjil.exeKpjjod32.exeKcifkp32.exeKkpnlm32.exeKmnjhioc.exeKgfoan32.exeLmqgnhmp.exeLalcng32.exeLdkojb32.exeLgikfn32.exeLiggbi32.exeLaopdgcg.exeLpappc32.exeLgkhlnbn.exeLnepih32.exeLaalifad.exeLdohebqh.exeLgneampk.exeLnhmng32.exeLdaeka32.exeLklnhlfb.exeLaefdf32.exeLcgblncm.exeMnlfigcc.exeMahbje32.exe

pid	process
4896	Hibljoco.exe
688	Haidklda.exe
616	Ipldfi32.exe
1780	Icgqggce.exe
4280	Iakaql32.exe
1936	Ibmmhdhm.exe
4856	Iiffen32.exe
4536	Icljbg32.exe
2176	Ifjfnb32.exe
3580	Imdnklfp.exe
4524	Idofhfmm.exe
4992	Ijhodq32.exe
4276	Imgkql32.exe
4716	Ibccic32.exe
2024	Imihfl32.exe
1584	Jpgdbg32.exe
4456	Jfaloa32.exe
3472	Jagqlj32.exe
5028	Jdemhe32.exe
2324	Jjpeepnb.exe
1816	Jaimbj32.exe
1512	Jdhine32.exe
2284	Jidbflcj.exe
1472	Jmpngk32.exe
5040	Jbmfoa32.exe
4140	Jmbklj32.exe
4084	Jpaghf32.exe
4572	Jfkoeppq.exe
4616	Jiikak32.exe
4316	Kdopod32.exe
3496	Kgmlkp32.exe
1224	Kmgdgjek.exe
1908	Kacphh32.exe
4920	Kdaldd32.exe
3732	Kgphpo32.exe
4632	Kkkdan32.exe
2100	Kmjqmi32.exe
1204	Kdcijcke.exe
3216	Kknafn32.exe
316	Kipabjil.exe
2632	Kpjjod32.exe
1392	Kcifkp32.exe
4312	Kkpnlm32.exe
2012	Kmnjhioc.exe
4256	Kgfoan32.exe
4644	Lmqgnhmp.exe
3612	Lalcng32.exe
4380	Ldkojb32.exe
3040	Lgikfn32.exe
5020	Liggbi32.exe
3264	Laopdgcg.exe
3644	Lpappc32.exe
4324	Lgkhlnbn.exe
1356	Lnepih32.exe
4736	Laalifad.exe
1972	Ldohebqh.exe
5072	Lgneampk.exe
1060	Lnhmng32.exe
4908	Ldaeka32.exe
1284	Lklnhlfb.exe
3528	Laefdf32.exe
2700	Lcgblncm.exe
3796	Mnlfigcc.exe
5012	Mahbje32.exe

Drops file in System32 directory 64 IoCs

Processes:

Haidklda.exeIdofhfmm.exeJdemhe32.exeLmqgnhmp.exeMkpgck32.exeMpaifalo.exeIiffen32.exeJbmfoa32.exeLgneampk.exeMamleegg.exeNacbfdao.exeImdnklfp.exeNcihikcg.exeImihfl32.exeLiggbi32.exeLnepih32.exeMahbje32.exeKacphh32.exeKpjjod32.exeMgnnhk32.exeIjhodq32.exeLcgblncm.exeMnlfigcc.exeKdcijcke.exeKipabjil.exeLalcng32.exeLdaeka32.exeMkepnjng.exeNcgkcl32.exeJiikak32.exeLaopdgcg.exeMcnhmm32.exeNbhkac32.exeIbccic32.exeJmpngk32.exeLgkhlnbn.exeNdbnboqb.exeJdhine32.exeKkkdan32.exeKgfoan32.exeKcifkp32.exeMpdelajl.exeNkqpjidj.exeIcljbg32.exeJaimbj32.exeKmgdgjek.exeKdaldd32.exeLpappc32.exeMnfipekh.exeMdiklqhm.exeMkbchk32.exeMdmegp32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Ipldfi32.exe	Haidklda.exe
File created	C:\Windows\SysWOW64\Ijhodq32.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Qdhoohmo.dll	Jdemhe32.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Dendnoah.dll	Iiffen32.exe
File created	C:\Windows\SysWOW64\Jmbklj32.exe	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Idofhfmm.exe	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Mnnkcb32.dll	Imihfl32.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Kdaldd32.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Imgkql32.exe	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	Jiikak32.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Imihfl32.exe	Ibccic32.exe
File opened for modification	C:\Windows\SysWOW64\Jbmfoa32.exe	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jdhine32.exe
File opened for modification	C:\Windows\SysWOW64\Kmjqmi32.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Jpgdbg32.exe	Imihfl32.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kcifkp32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Ifjfnb32.exe	Icljbg32.exe
File opened for modification	C:\Windows\SysWOW64\Jdhine32.exe	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	Kdaldd32.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Bekppcpp.dll	Haidklda.exe
File opened for modification	C:\Windows\SysWOW64\Jmbklj32.exe	Jbmfoa32.exe
File opened for modification	C:\Windows\SysWOW64\Kgphpo32.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Bclgpkgk.dll	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mahbje32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5404 5312 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
5404	5312	WerFault.exe	Nkcmohbg.exe

Modifies registry class 64 IoCs

Processes:

Mkbchk32.exeNkqpjidj.exeNnolfdcn.exeJpgdbg32.exeJfkoeppq.exeKacphh32.exeKpjjod32.exeLgikfn32.exeLaefdf32.exeNjacpf32.exeIdofhfmm.exeImgkql32.exeJidbflcj.exeKipabjil.exeKgfoan32.exeNcgkcl32.exeJjpeepnb.exeJbmfoa32.exeLaopdgcg.exeLaalifad.exeNbhkac32.exe34e62874e7f01c05d5154af6f8de7a2cf49d9d75bc0592c9d3a48b190377cbe9_NeikiAnalytics.exeIakaql32.exeJmbklj32.exeKgmlkp32.exeJiikak32.exeKkkdan32.exeLnhmng32.exeMkpgck32.exeHibljoco.exeJpaghf32.exeIpldfi32.exeNcihikcg.exeKmnjhioc.exeLcgblncm.exeHaidklda.exeIcljbg32.exeIbccic32.exeKmgdgjek.exeKgphpo32.exeKkpnlm32.exeLiggbi32.exeLpappc32.exeMnfipekh.exeIjhodq32.exeMkgmcjld.exeIcgqggce.exeMpdelajl.exeKknafn32.exeLdohebqh.exeMahbje32.exeJfaloa32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcod32.dll"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgdnaigp.dll"	34e62874e7f01c05d5154af6f8de7a2cf49d9d75bc0592c9d3a48b190377cbe9_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmbkmemo.dll"	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nilhco32.dll"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjkiobic.dll"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	34e62874e7f01c05d5154af6f8de7a2cf49d9d75bc0592c9d3a48b190377cbe9_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icljbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	34e62874e7f01c05d5154af6f8de7a2cf49d9d75bc0592c9d3a48b190377cbe9_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	34e62874e7f01c05d5154af6f8de7a2cf49d9d75bc0592c9d3a48b190377cbe9_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkdha32.dll"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcjqj32.dll"	Jfaloa32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

34e62874e7f01c05d5154af6f8de7a2cf49d9d75bc0592c9d3a48b190377cbe9_NeikiAnalytics.exeHibljoco.exeHaidklda.exeIpldfi32.exeIcgqggce.exeIakaql32.exeIbmmhdhm.exeIiffen32.exeIcljbg32.exeIfjfnb32.exeImdnklfp.exeIdofhfmm.exeIjhodq32.exeImgkql32.exeIbccic32.exeImihfl32.exeJpgdbg32.exeJfaloa32.exeJagqlj32.exeJdemhe32.exeJjpeepnb.exeJaimbj32.exe

description	pid	process	target process
PID 1528 wrote to memory of 4896	1528	34e62874e7f01c05d5154af6f8de7a2cf49d9d75bc0592c9d3a48b190377cbe9_NeikiAnalytics.exe	Hibljoco.exe
PID 1528 wrote to memory of 4896	1528	34e62874e7f01c05d5154af6f8de7a2cf49d9d75bc0592c9d3a48b190377cbe9_NeikiAnalytics.exe	Hibljoco.exe
PID 1528 wrote to memory of 4896	1528	34e62874e7f01c05d5154af6f8de7a2cf49d9d75bc0592c9d3a48b190377cbe9_NeikiAnalytics.exe	Hibljoco.exe
PID 4896 wrote to memory of 688	4896	Hibljoco.exe	Haidklda.exe
PID 4896 wrote to memory of 688	4896	Hibljoco.exe	Haidklda.exe
PID 4896 wrote to memory of 688	4896	Hibljoco.exe	Haidklda.exe
PID 688 wrote to memory of 616	688	Haidklda.exe	Ipldfi32.exe
PID 688 wrote to memory of 616	688	Haidklda.exe	Ipldfi32.exe
PID 688 wrote to memory of 616	688	Haidklda.exe	Ipldfi32.exe
PID 616 wrote to memory of 1780	616	Ipldfi32.exe	Icgqggce.exe
PID 616 wrote to memory of 1780	616	Ipldfi32.exe	Icgqggce.exe
PID 616 wrote to memory of 1780	616	Ipldfi32.exe	Icgqggce.exe
PID 1780 wrote to memory of 4280	1780	Icgqggce.exe	Iakaql32.exe
PID 1780 wrote to memory of 4280	1780	Icgqggce.exe	Iakaql32.exe
PID 1780 wrote to memory of 4280	1780	Icgqggce.exe	Iakaql32.exe
PID 4280 wrote to memory of 1936	4280	Iakaql32.exe	Ibmmhdhm.exe
PID 4280 wrote to memory of 1936	4280	Iakaql32.exe	Ibmmhdhm.exe
PID 4280 wrote to memory of 1936	4280	Iakaql32.exe	Ibmmhdhm.exe
PID 1936 wrote to memory of 4856	1936	Ibmmhdhm.exe	Iiffen32.exe
PID 1936 wrote to memory of 4856	1936	Ibmmhdhm.exe	Iiffen32.exe
PID 1936 wrote to memory of 4856	1936	Ibmmhdhm.exe	Iiffen32.exe
PID 4856 wrote to memory of 4536	4856	Iiffen32.exe	Icljbg32.exe
PID 4856 wrote to memory of 4536	4856	Iiffen32.exe	Icljbg32.exe
PID 4856 wrote to memory of 4536	4856	Iiffen32.exe	Icljbg32.exe
PID 4536 wrote to memory of 2176	4536	Icljbg32.exe	Ifjfnb32.exe
PID 4536 wrote to memory of 2176	4536	Icljbg32.exe	Ifjfnb32.exe
PID 4536 wrote to memory of 2176	4536	Icljbg32.exe	Ifjfnb32.exe
PID 2176 wrote to memory of 3580	2176	Ifjfnb32.exe	Imdnklfp.exe
PID 2176 wrote to memory of 3580	2176	Ifjfnb32.exe	Imdnklfp.exe
PID 2176 wrote to memory of 3580	2176	Ifjfnb32.exe	Imdnklfp.exe
PID 3580 wrote to memory of 4524	3580	Imdnklfp.exe	Idofhfmm.exe
PID 3580 wrote to memory of 4524	3580	Imdnklfp.exe	Idofhfmm.exe
PID 3580 wrote to memory of 4524	3580	Imdnklfp.exe	Idofhfmm.exe
PID 4524 wrote to memory of 4992	4524	Idofhfmm.exe	Ijhodq32.exe
PID 4524 wrote to memory of 4992	4524	Idofhfmm.exe	Ijhodq32.exe
PID 4524 wrote to memory of 4992	4524	Idofhfmm.exe	Ijhodq32.exe
PID 4992 wrote to memory of 4276	4992	Ijhodq32.exe	Imgkql32.exe
PID 4992 wrote to memory of 4276	4992	Ijhodq32.exe	Imgkql32.exe
PID 4992 wrote to memory of 4276	4992	Ijhodq32.exe	Imgkql32.exe
PID 4276 wrote to memory of 4716	4276	Imgkql32.exe	Ibccic32.exe
PID 4276 wrote to memory of 4716	4276	Imgkql32.exe	Ibccic32.exe
PID 4276 wrote to memory of 4716	4276	Imgkql32.exe	Ibccic32.exe
PID 4716 wrote to memory of 2024	4716	Ibccic32.exe	Imihfl32.exe
PID 4716 wrote to memory of 2024	4716	Ibccic32.exe	Imihfl32.exe
PID 4716 wrote to memory of 2024	4716	Ibccic32.exe	Imihfl32.exe
PID 2024 wrote to memory of 1584	2024	Imihfl32.exe	Jpgdbg32.exe
PID 2024 wrote to memory of 1584	2024	Imihfl32.exe	Jpgdbg32.exe
PID 2024 wrote to memory of 1584	2024	Imihfl32.exe	Jpgdbg32.exe
PID 1584 wrote to memory of 4456	1584	Jpgdbg32.exe	Jfaloa32.exe
PID 1584 wrote to memory of 4456	1584	Jpgdbg32.exe	Jfaloa32.exe
PID 1584 wrote to memory of 4456	1584	Jpgdbg32.exe	Jfaloa32.exe
PID 4456 wrote to memory of 3472	4456	Jfaloa32.exe	Jagqlj32.exe
PID 4456 wrote to memory of 3472	4456	Jfaloa32.exe	Jagqlj32.exe
PID 4456 wrote to memory of 3472	4456	Jfaloa32.exe	Jagqlj32.exe
PID 3472 wrote to memory of 5028	3472	Jagqlj32.exe	Jdemhe32.exe
PID 3472 wrote to memory of 5028	3472	Jagqlj32.exe	Jdemhe32.exe
PID 3472 wrote to memory of 5028	3472	Jagqlj32.exe	Jdemhe32.exe
PID 5028 wrote to memory of 2324	5028	Jdemhe32.exe	Jjpeepnb.exe
PID 5028 wrote to memory of 2324	5028	Jdemhe32.exe	Jjpeepnb.exe
PID 5028 wrote to memory of 2324	5028	Jdemhe32.exe	Jjpeepnb.exe
PID 2324 wrote to memory of 1816	2324	Jjpeepnb.exe	Jaimbj32.exe
PID 2324 wrote to memory of 1816	2324	Jjpeepnb.exe	Jaimbj32.exe
PID 2324 wrote to memory of 1816	2324	Jjpeepnb.exe	Jaimbj32.exe
PID 1816 wrote to memory of 1512	1816	Jaimbj32.exe	Jdhine32.exe

C:\Users\Admin\AppData\Local\Temp\34e62874e7f01c05d5154af6f8de7a2cf49d9d75bc0592c9d3a48b190377cbe9_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\34e62874e7f01c05d5154af6f8de7a2cf49d9d75bc0592c9d3a48b190377cbe9_NeikiAnalytics.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\SysWOW64\Hibljoco.exe
C:\Windows\system32\Hibljoco.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4896

C:\Windows\SysWOW64\Haidklda.exe
C:\Windows\system32\Haidklda.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:688

C:\Windows\SysWOW64\Ipldfi32.exe
C:\Windows\system32\Ipldfi32.exe
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\SysWOW64\Icgqggce.exe
C:\Windows\system32\Icgqggce.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\SysWOW64\Iakaql32.exe
C:\Windows\system32\Iakaql32.exe
6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4280

C:\Windows\SysWOW64\Ibmmhdhm.exe
C:\Windows\system32\Ibmmhdhm.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\SysWOW64\Iiffen32.exe
C:\Windows\system32\Iiffen32.exe
8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4856

C:\Windows\SysWOW64\Icljbg32.exe
C:\Windows\system32\Icljbg32.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4536

C:\Windows\SysWOW64\Ifjfnb32.exe
C:\Windows\system32\Ifjfnb32.exe
10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\SysWOW64\Imdnklfp.exe
C:\Windows\system32\Imdnklfp.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3580

C:\Windows\SysWOW64\Idofhfmm.exe
C:\Windows\system32\Idofhfmm.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4524

C:\Windows\SysWOW64\Ijhodq32.exe
C:\Windows\system32\Ijhodq32.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\SysWOW64\Imgkql32.exe
C:\Windows\system32\Imgkql32.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4276

C:\Windows\SysWOW64\Ibccic32.exe
C:\Windows\system32\Ibccic32.exe
15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4716

C:\Windows\SysWOW64\Imihfl32.exe
C:\Windows\system32\Imihfl32.exe
16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\Jpgdbg32.exe
C:\Windows\system32\Jpgdbg32.exe
17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\SysWOW64\Jfaloa32.exe
C:\Windows\system32\Jfaloa32.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\SysWOW64\Jagqlj32.exe
C:\Windows\system32\Jagqlj32.exe
19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472

C:\Windows\SysWOW64\Jdemhe32.exe
C:\Windows\system32\Jdemhe32.exe
20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\SysWOW64\Jjpeepnb.exe
C:\Windows\system32\Jjpeepnb.exe
21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\SysWOW64\Jaimbj32.exe
C:\Windows\system32\Jaimbj32.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SysWOW64\Jdhine32.exe
C:\Windows\system32\Jdhine32.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1512

C:\Windows\SysWOW64\Jidbflcj.exe
C:\Windows\system32\Jidbflcj.exe
24⤵
- Executes dropped EXE
- Modifies registry class
PID:2284

C:\Windows\SysWOW64\Jmpngk32.exe
C:\Windows\system32\Jmpngk32.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1472

C:\Windows\SysWOW64\Jbmfoa32.exe
C:\Windows\system32\Jbmfoa32.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5040

C:\Windows\SysWOW64\Jmbklj32.exe
C:\Windows\system32\Jmbklj32.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4140

C:\Windows\SysWOW64\Jpaghf32.exe
C:\Windows\system32\Jpaghf32.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4084

C:\Windows\SysWOW64\Jfkoeppq.exe
C:\Windows\system32\Jfkoeppq.exe
29⤵
- Executes dropped EXE
- Modifies registry class
PID:4572

C:\Windows\SysWOW64\Jiikak32.exe
C:\Windows\system32\Jiikak32.exe
30⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4616

C:\Windows\SysWOW64\Kdopod32.exe
C:\Windows\system32\Kdopod32.exe
31⤵
- Executes dropped EXE
PID:4316

C:\Windows\SysWOW64\Kgmlkp32.exe
C:\Windows\system32\Kgmlkp32.exe
32⤵
- Executes dropped EXE
- Modifies registry class
PID:3496

C:\Windows\SysWOW64\Kmgdgjek.exe
C:\Windows\system32\Kmgdgjek.exe
33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1224

C:\Windows\SysWOW64\Kacphh32.exe
C:\Windows\system32\Kacphh32.exe
34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1908

C:\Windows\SysWOW64\Kdaldd32.exe
C:\Windows\system32\Kdaldd32.exe
35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4920

C:\Windows\SysWOW64\Kgphpo32.exe
C:\Windows\system32\Kgphpo32.exe
36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3732

C:\Windows\SysWOW64\Kkkdan32.exe
C:\Windows\system32\Kkkdan32.exe
37⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4632

C:\Windows\SysWOW64\Kmjqmi32.exe
C:\Windows\system32\Kmjqmi32.exe
38⤵
- Executes dropped EXE
PID:2100

C:\Windows\SysWOW64\Kdcijcke.exe
C:\Windows\system32\Kdcijcke.exe
39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1204

C:\Windows\SysWOW64\Kknafn32.exe
C:\Windows\system32\Kknafn32.exe
40⤵
- Executes dropped EXE
- Modifies registry class
PID:3216

C:\Windows\SysWOW64\Kipabjil.exe
C:\Windows\system32\Kipabjil.exe
41⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:316

C:\Windows\SysWOW64\Kpjjod32.exe
C:\Windows\system32\Kpjjod32.exe
42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2632

C:\Windows\SysWOW64\Kcifkp32.exe
C:\Windows\system32\Kcifkp32.exe
43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1392

C:\Windows\SysWOW64\Kkpnlm32.exe
C:\Windows\system32\Kkpnlm32.exe
44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4312

C:\Windows\SysWOW64\Kmnjhioc.exe
C:\Windows\system32\Kmnjhioc.exe
45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2012

C:\Windows\SysWOW64\Kgfoan32.exe
C:\Windows\system32\Kgfoan32.exe
46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4256

C:\Windows\SysWOW64\Lmqgnhmp.exe
C:\Windows\system32\Lmqgnhmp.exe
47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4644

C:\Windows\SysWOW64\Lalcng32.exe
C:\Windows\system32\Lalcng32.exe
48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3612

C:\Windows\SysWOW64\Ldkojb32.exe
C:\Windows\system32\Ldkojb32.exe
49⤵
- Executes dropped EXE
PID:4380

C:\Windows\SysWOW64\Lgikfn32.exe
C:\Windows\system32\Lgikfn32.exe
50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3040

C:\Windows\SysWOW64\Liggbi32.exe
C:\Windows\system32\Liggbi32.exe
51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5020

C:\Windows\SysWOW64\Laopdgcg.exe
C:\Windows\system32\Laopdgcg.exe
52⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3264

C:\Windows\SysWOW64\Lpappc32.exe
C:\Windows\system32\Lpappc32.exe
53⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3644

C:\Windows\SysWOW64\Lgkhlnbn.exe
C:\Windows\system32\Lgkhlnbn.exe
54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4324

C:\Windows\SysWOW64\Lnepih32.exe
C:\Windows\system32\Lnepih32.exe
55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1356

C:\Windows\SysWOW64\Laalifad.exe
C:\Windows\system32\Laalifad.exe
56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4736

C:\Windows\SysWOW64\Ldohebqh.exe
C:\Windows\system32\Ldohebqh.exe
57⤵
- Executes dropped EXE
- Modifies registry class
PID:1972

C:\Windows\SysWOW64\Lgneampk.exe
C:\Windows\system32\Lgneampk.exe
58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5072

C:\Windows\SysWOW64\Lnhmng32.exe
C:\Windows\system32\Lnhmng32.exe
59⤵
- Executes dropped EXE
- Modifies registry class
PID:1060

C:\Windows\SysWOW64\Ldaeka32.exe
C:\Windows\system32\Ldaeka32.exe
60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4908

C:\Windows\SysWOW64\Lklnhlfb.exe
C:\Windows\system32\Lklnhlfb.exe
61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1284

C:\Windows\SysWOW64\Laefdf32.exe
C:\Windows\system32\Laefdf32.exe
62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3528

C:\Windows\SysWOW64\Lcgblncm.exe
C:\Windows\system32\Lcgblncm.exe
63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2700

C:\Windows\SysWOW64\Mnlfigcc.exe
C:\Windows\system32\Mnlfigcc.exe
64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3796

C:\Windows\SysWOW64\Mahbje32.exe
C:\Windows\system32\Mahbje32.exe
65⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5012

C:\Windows\SysWOW64\Mkpgck32.exe
C:\Windows\system32\Mkpgck32.exe
66⤵
- Drops file in System32 directory
- Modifies registry class
PID:4852

C:\Windows\SysWOW64\Majopeii.exe
C:\Windows\system32\Majopeii.exe
67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4300

C:\Windows\SysWOW64\Mdiklqhm.exe
C:\Windows\system32\Mdiklqhm.exe
68⤵
- Drops file in System32 directory
PID:2184

C:\Windows\SysWOW64\Mkbchk32.exe
C:\Windows\system32\Mkbchk32.exe
69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2432

C:\Windows\SysWOW64\Mamleegg.exe
C:\Windows\system32\Mamleegg.exe
70⤵
- Drops file in System32 directory
PID:2720

C:\Windows\SysWOW64\Mcnhmm32.exe
C:\Windows\system32\Mcnhmm32.exe
71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3348

C:\Windows\SysWOW64\Mkepnjng.exe
C:\Windows\system32\Mkepnjng.exe
72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1828

C:\Windows\SysWOW64\Mpaifalo.exe
C:\Windows\system32\Mpaifalo.exe
73⤵
- Drops file in System32 directory
PID:884

C:\Windows\SysWOW64\Mdmegp32.exe
C:\Windows\system32\Mdmegp32.exe
74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4052

C:\Windows\SysWOW64\Mkgmcjld.exe
C:\Windows\system32\Mkgmcjld.exe
75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2900

C:\Windows\SysWOW64\Mnfipekh.exe
C:\Windows\system32\Mnfipekh.exe
76⤵
- Drops file in System32 directory
- Modifies registry class
PID:2968

C:\Windows\SysWOW64\Mpdelajl.exe
C:\Windows\system32\Mpdelajl.exe
77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1344

C:\Windows\SysWOW64\Mgnnhk32.exe
C:\Windows\system32\Mgnnhk32.exe
78⤵
- Drops file in System32 directory
PID:3124

C:\Windows\SysWOW64\Njljefql.exe
C:\Windows\system32\Njljefql.exe
79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3064

C:\Windows\SysWOW64\Nacbfdao.exe
C:\Windows\system32\Nacbfdao.exe
80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4100

C:\Windows\SysWOW64\Ndbnboqb.exe
C:\Windows\system32\Ndbnboqb.exe
81⤵
- Drops file in System32 directory
PID:2964

C:\Windows\SysWOW64\Nklfoi32.exe
C:\Windows\system32\Nklfoi32.exe
82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:916

C:\Windows\SysWOW64\Njogjfoj.exe
C:\Windows\system32\Njogjfoj.exe
83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4904

C:\Windows\SysWOW64\Ncgkcl32.exe
C:\Windows\system32\Ncgkcl32.exe
84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2252

C:\Windows\SysWOW64\Ngcgcjnc.exe
C:\Windows\system32\Ngcgcjnc.exe
85⤵
PID:1864

C:\Windows\SysWOW64\Njacpf32.exe
C:\Windows\system32\Njacpf32.exe
86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3404

C:\Windows\SysWOW64\Nbhkac32.exe
C:\Windows\system32\Nbhkac32.exe
87⤵
- Drops file in System32 directory
- Modifies registry class
PID:3020

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
88⤵
- Drops file in System32 directory
- Modifies registry class
PID:5132

C:\Windows\SysWOW64\Nkqpjidj.exe
C:\Windows\system32\Nkqpjidj.exe
89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5184

C:\Windows\SysWOW64\Nnolfdcn.exe
C:\Windows\system32\Nnolfdcn.exe
90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5228

C:\Windows\SysWOW64\Nggqoj32.exe
C:\Windows\system32\Nggqoj32.exe
91⤵
PID:5272

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
92⤵
PID:5312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5312 -s 408
93⤵
- Program crash
PID:5404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5312 -ip 5312
1⤵
PID:5380

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Haidklda.exe
Filesize
163KB

MD5
3691d1361025253319a2ec9ea0128ff1

SHA1
270cdc33927d444f4943fb6c7419e6878dd8a7d6

SHA256
de4016017fe555fef00d4429e7911420fe0948ae14c7b413be27c35c6ff47fde

SHA512
98658414b9852337ef8f6e646968d61b66661600e2d2c901cdb17a1954c19725eedec34ea71b462b27907bed98c937655cdbe5a53caa797287bd3222f7e8914e

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe
Filesize
163KB

MD5
2216fc6833d05e1008793dc070861413

SHA1
a8e91ef7a448c259bc997e09d868fa59075cc435

SHA256
021d68c7dac9805ede93da73e3fd927a2897e3144afd6e6b5468bfb6f8d710fa

SHA512
7597f300120d561eda7f52520cb435520d9a4050ab4839808ce479f864d94efa18b50c3caeacc92021d29ac3ed17bfa7e007a249e2e7fad424a6fd8a9afaad43

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe
Filesize
163KB

MD5
bd6295cdabd8e2cb2299116cc8393031

SHA1
4dcf61a019bd1b35c0c0cbf9c5ab55a426614fcb

SHA256
afd235b68d2a82d44d00bf775c661483817497cb036486bbe95bdec5e6716593

SHA512
51e8b672cf5566093743c32e8b96ddc9a4682ea2ba487ab8c478c147e1974ce3cf3ccb536021e9ca20330a11640ea12398002e9dfbd33a1639267aad22347d53

Download Submit
C:\Windows\SysWOW64\Ibccic32.exe
Filesize
163KB

MD5
21d0f5859dded652e680843ecee4908e

SHA1
271fb3668b255c6abf36179d27311f30aeda950a

SHA256
04aef28858b15a8f0ae8fa10be3267f053b920b2f20822f2475ac34c3b445d15

SHA512
afe4f705c80c3cd15d33070abf4f08d4be6cea53635ea7f2a57ad04072e0995f005b4798203a70389ae2558b023083f038987c3c68b8fcca383323935edf0cdb

Download Submit
C:\Windows\SysWOW64\Ibmmhdhm.exe
Filesize
163KB

MD5
729d9362a519fcab6908e0245ac39a76

SHA1
bffb96c59e243a04c2c01ab52a26224361c4747f

SHA256
8fed3b8e0e4c97c66d236d1dc2db5c5281f4de081f33ed745c9d990afc5cd01b

SHA512
0870919120d814ab86cecb1ac80d11fd7120d317acd68b03c4a7a7c5954bb35a609c0e57700620acdc620fd613b922a7cabaf59dcf110142ad52cf2bd5b1b2c8

Download Submit
C:\Windows\SysWOW64\Icgqggce.exe
Filesize
163KB

MD5
45775cc461836d22743c4e62bd915352

SHA1
0b974c2d77f3c29ab8a67098c371e375dac9eb92

SHA256
4f4ab6897e95f72d6e9e3938c2f4fd596aa280707c3fb28285df1ed6f8dc65a9

SHA512
c4b5689792c75742a841b86d98b65ddc69d7ae442f65706cc169c0226ed03c754fccbec551e0f577de6825cd026dc15cb9a8d4584e212b172d1c74b5677f85b2

Download Submit
C:\Windows\SysWOW64\Icljbg32.exe
Filesize
163KB

MD5
acd1aa6c547757c809b1add6761e77b9

SHA1
678ea220734a36a368e23a41258563147a3daa75

SHA256
f60618f4fd399105ceb150cc498374700c478b0d6afb9bc3186ef87633d20375

SHA512
41ffe6c400786f3d7afaf0c3bef7346008d3e1b4fd0d80cca605bd6efae79a21ce1255f85574be18503a27746a274e53015ebc560609b28b2dd99c0f26e9b7e9

Download Submit
C:\Windows\SysWOW64\Idofhfmm.exe
Filesize
163KB

MD5
22302568555cece74229f80ebb43d7f5

SHA1
71905b579a50c8b4b644432730807e1ee79d3017

SHA256
0bdba9e5cda3d14bddb64ba41bffe6abe24f6e203af300b0269c42d87c02ea37

SHA512
b6e37d0a6eacfcea9d1992bc001e3400d1c294da5a5f576a1db4def78950722ed6526670edfa2fc5abfb5cf20f6230e761a07582b43fd40c4cd6b7d08d4b71f9

Download Submit
C:\Windows\SysWOW64\Ifjfnb32.exe
Filesize
163KB

MD5
73d12b0f170a2cdfe1ef0829f8a3fc4a

SHA1
da4f0eb26820676cf2aa56cbdabbfd40f4da3fa9

SHA256
08ba654f19cab20356f79b5f91d0db31c7a4a452ce422875f56b789eacc35b8c

SHA512
e2efbfdba7db5f3eb30009968dcb15a6108a816ebc898b6d2a1953d0e046a426a97e6bff24ceb92445dc33b58604765643cc881515116ed2405b80c79ba57881

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe
Filesize
163KB

MD5
483ce97a7b1e41d8b359b532b8895527

SHA1
9f4d932cb7deffa18ef811d3ccb215ddfe216702

SHA256
2bacc85486f97feb4906d9f5c10014997acb93a85d7d60aa19895bc0374596ed

SHA512
ff9632205828e03a33d0fccd630e84369a14ae2eab6c94c5281f7afe42ba7ce7094fc9c45a1ebe20dcdb61418227029712bd71e5d79c1679f6a161523b903049

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe
Filesize
163KB

MD5
f44e7186f8787ad769b2e1242fb0be7d

SHA1
5494e71110bfe993193653622a92b024c3728985

SHA256
2abb4465fe6ac391d26168bbf3ab9a90a1fe082a67e4b55771f7dc5c036e5286

SHA512
f3be9c8b6355a564b87f90d415541be431f304e3d7edaf1f245ae6ee293c64cdb28a6ae582e9f86c5ee13a18ae39e211bf7d5adc828d3923850ab290d4d07663

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe
Filesize
163KB

MD5
e60d15f99b4f749885634a356002d82e

SHA1
e1a26eed3ffcb7e0a076dd5ae095cb7183558c8a

SHA256
b9e6496d8508bcea31e0fa15206a3208a6e1553b272e5160dc2e0a8053ce469e

SHA512
0bc2747f6452c9d9b443c986c56fa66f6d5e73b90857631ce713121b6989abfc0fdc9854d56cb67077cae871f4bc07712901ae768c3c1b470d815159b6866a91

Download Submit
C:\Windows\SysWOW64\Imgkql32.exe
Filesize
163KB

MD5
b379a2a432751e49d997a9be19f93422

SHA1
c24a20fd10627f3cde456fcd5cd719d556401676

SHA256
e53b9f756837aba80a1213304201fe0f324529027cad500aaaaab07e167a83dd

SHA512
67f75a65e9e7e5b8086b4acb67a7872e4a6b93adb1008be357065554b9fb07a17c66d931ebdb608f9b83039a3e98453b16962437509c8064c1959ae45ad753e4

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe
Filesize
163KB

MD5
29815bac8e0178e6621c0d404b199842

SHA1
8c178d90052fb388fa564a4396658b7d96b75fbd

SHA256
b5d2c46e3039267e9da2f6c17e20164e5e8db3586558a4362c3aaedc55d95d23

SHA512
075f6e145cdb5c9afce600de624a1e0909d39dad45a13cc9129d1df379c9de170b2047ea70084825db730c4db2cd152718023b2b87d22c2e18d141d2d59e7f03

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe
Filesize
163KB

MD5
319e22fdba0d20d17511d6a9c32d5a4e

SHA1
13fb41fdba920b8b5b077ed4296ff25cda36faa8

SHA256
79e37c844c579296c505a9a7bd317d8ef490bae399d2f71b60a3e7db82cc9687

SHA512
f3e647844cd17295780137ce71d1cfd26ac1b07b76349c73c068995c0f272987e0ee913bae1c44908ad84f6b3db5dd2c8df1eb8d622e36644efe0c009db8f881

Download Submit
C:\Windows\SysWOW64\Jagqlj32.exe
Filesize
163KB

MD5
41a93002211f256b4d002c0700dc8efa

SHA1
17afa7c2b095dfd1e6abb67d357f9d9095255603

SHA256
428b2495dbd28ea3b0b0cd32b410fdfc6650d24c802f0df71aabab2f49393e43

SHA512
1d33691f03d760f87e724fe2c20bc94d6dfbac07a00393bf965e8ab928000e895e78c6a939caed1a159be36586ee49ae204641c985faec4218308956a5a733cb

Download Submit
C:\Windows\SysWOW64\Jaimbj32.exe
Filesize
163KB

MD5
44008ab0e6a67c75399ba09987e24b45

SHA1
79c8825fa6775a5e07018cbaafe4004124b571d3

SHA256
dc41881702270acd0bdb0c86694fc15b3acaa8e5f9a2afc6e439bf2890d25f7b

SHA512
aa07d6d817dde45694d509b5a2979a95670fab146b1be34658eb4eb25ca2330d811c790ab4028c9ca90d1a80c6d75a8dc3b14e2d086a7181691724ca8894ea06

Download Submit
C:\Windows\SysWOW64\Jbmfoa32.exe
Filesize
163KB

MD5
718446a57985c0c94c6477abd9a79623

SHA1
8994b8d907c834cc5cdc0142bea35b22e9f04f30

SHA256
76238d6ae12d1780d0cd109aaeb02dcca02998d461b08d132b28564c04918051

SHA512
c32d1bc8c7b00ac62facc3b33550a9af1245e6689d567a48aceb4fb92b5391d8e8fb27e8b7836e285fff279ba93c1f84360e44fc4d8fab1823f119ccd385dbbf

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe
Filesize
163KB

MD5
e4b768664da44e59f44485074c95185a

SHA1
384ca7e1740fbec5465a400e242b9852ba716b55

SHA256
a38f15e69442a3ad7c6fca2085f85a2d577c83c7c30fd1488272f33932ca8a74

SHA512
c606ed11225b9b2114ae19fbaa6331b7c94090006fe9debdfe7f24435c1f2c13da1e25cccbd1eef85d43a6996d613ba49caa907bed7db26591b676cb480914b1

Download Submit
C:\Windows\SysWOW64\Jdhine32.exe
Filesize
163KB

MD5
50e04e2b27711ddea001ea7ea078423a

SHA1
021cef429727e6e2439de7973c3a8b7e2076a1a4

SHA256
b9e63e2f33be8a47182cd753dc42e70b23b3e1d64275f102f2d5c30e95b29ead

SHA512
94808dd4c9e0da47f54daacb44185bceebb131322fb67082b8e2e273f44905f7b622adfc1a27dd6502f5c819f79de34b91c192ed229ee6e017858d7ad0ac2450

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe
Filesize
163KB

MD5
b0b4484698ca4d7c53caebb2972119e9

SHA1
00a1715f3c8efabddf2acfdd6fd1bf823c1a4908

SHA256
6ee02a586dc1c702cd1abafdd7981de3a9da7cf613e19ac81790293858cbfa5b

SHA512
ec2bb8b473cf02755dcac6c57e9704c9de809d709accbdac0fc0b9e08589f8f900c6405524022d003a42e83dd0cbe336e0874254f1df0416e1e1825fb5a638ac

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe
Filesize
163KB

MD5
b9ced5227bafc98ae0f7b4ea0afdab24

SHA1
2849051da50d6424f2b44fcb3e4763a20d8e5df7

SHA256
103f7906aac70eb7ea157535dd7e55263be719cef5bf50267532ae2f25e6a949

SHA512
60e6b50b3e450caa7fbff91797d86de656ffb9512d97dd3b5087fc0bcff3186dcc536b2bcb78378ab4411c8aa4e5ea41e756878ecc19f5bd939d8c822a60dea8

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe
Filesize
163KB

MD5
d27f0da5321be6fa31b9734ecda0d2b6

SHA1
86a04a790848020315e0b7b6d8172077cfea1353

SHA256
ba63fd0628f4ce16f614bb98cea3d57aba69ae6595fb82eec44892e9642e5673

SHA512
68f7a8410b57dfeb2ea79ac959428230efa2daf718f904a6f66480cc0739fac062830b103ebe85e8e21f81d361a1ab3830b1364843b0494fc713b82796671211

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe
Filesize
163KB

MD5
409120e25779ebe2654b4de2ab25334c

SHA1
c35519d3bcbb7c131d14254d7afe08263b6012c0

SHA256
6a1e971b975256ca85babe44ae3ee2ccdadb54a01cea74e0b547fd3b27653492

SHA512
82901a1c010e3e109fc46e83d000ee4a2d4ac60002959deb8a6f594bd95a5b514bf54193afd138d57b8db0defdab873c7eaad50c62b63e5d2d8dc34a708bded0

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe
Filesize
163KB

MD5
d6512b9c4dd7b8172d194e1a080f7d47

SHA1
4832bb9b4c344448d547d0c9f0b8f378f2ad8fb1

SHA256
869c4b9a51c67b978b4b5b6c5ae32396abb9e107c8668863ad4650e033236be9

SHA512
3e1104d65e558e3a3ac7c27abaa9ed4da4066d8ed239eb605bfb751645aaed471c4a95182c2fef22aa2c8383cd7f2ff9efbce7e4871ed966bc60be796ac8e370

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe
Filesize
163KB

MD5
5a5c0edab749759af7ab5b0bdc029957

SHA1
4b2836639791f1fa935220b921b247f40f36e8b2

SHA256
96fb37a15e15aa072c4faa9b3030f37df8df29b83c34c557b39943d5aeaf2d50

SHA512
b0af84305dbed41ab08b71c3600de0d1c72e4fb189aaf5f16a47855a0dedcfb2555acf287fc112a2f94fede97a0ed726fd4f7268193ccb7368978b32c1570adb

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe
Filesize
163KB

MD5
952d0e3345f7f63b0059bde269edd9f6

SHA1
a8c70e9c66359bfc35da941d266b2812f6964bb9

SHA256
3d878877e3acef16907c2429a5f10e86ad6f1e4f32dadf6a97c5665d7ce39ffc

SHA512
92f8b27c2a40896a3ec87b675736697cb20bbacb512844a1b676f5fd08f458776d44a5ff0e2d5469ee8e904d6c600d54fa7019d8fd3a3c55c4e05a760cdcd061

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe
Filesize
163KB

MD5
7af2bb473957675b16ff84b72507a957

SHA1
1c09ec14c1cdf0062c90b4e4935efe911fc148b6

SHA256
ac85b84e5db294c182557af02e03dbf167d44e292ca6b03eea238de490444a63

SHA512
c408f3773e0821d82dc1680b70fa5a136ed9db688cf72292a80f4fee0ff136bd876f7e3fe158334d370fdbab77be1e5b0d4b232f77a2533d27d83e07a84a39b1

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe
Filesize
163KB

MD5
e4ae06672d03f6cc765cff3a1979ee1b

SHA1
42ab5af2b907dafbae082cb05e82a9c7584d7247

SHA256
c668ebcdd085467607df4f7f89e0397f51fcad8247465aa181dbecc230e28a6a

SHA512
bfbe20d11e2d099f07148e1107af0dec1aa33ad412006811fac2125328835edb16c018af29c689db6009e990f3879c34036eae95bc075ecdf7b603d498b1a7a1

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe
Filesize
163KB

MD5
69d98e826782f4156af1c92626f56db9

SHA1
c79c920a4bcffec9d09adcd96dcae6db687d3c1b

SHA256
086d64f6d4a1ec0e59d27df3de70b16dab683e57f4edfaa0a325cd9d5331e6ff

SHA512
2c0965050d7bc559b4854aa34dbe575a8c4c8f950ad7beaa88d26a952e2c485d10fc17debc9b33d77bd2aa219b461982a90867e79b307f4847bfbc996ab47707

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe
Filesize
163KB

MD5
ef696de50f28d7d3e271ce74b061b9f7

SHA1
0df19cfda290b9c2087fae8977af4af4c1d995fc

SHA256
fdca5b45ccac512f5e854acbdac3d11a75c73e2d235a18aa6cfeb203be127f7f

SHA512
698fa246bd01c2b806eb8da8d21485fedbc7e3fba8d705e1abdb91a23747464e017de7611d22d808666122c3cbc6d2cab090d396cf45dca42df5b7ea2dbe7c6f

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe
Filesize
163KB

MD5
200312504cc1c8793ab63fa7edd16df5

SHA1
ee95edb6cb19e1dd73526e533346e57b9777847f

SHA256
412a813592f07edf23f498efe6554da26a2361713321fba610775f738d9afc1c

SHA512
bb948cfbe09dc4a7ea8ddd13d7caa2cf256c1890b282ba2f3f1fb3d0e0c15c0c5912565ad3f96c05de0b86a8f8a7b25c16411d82874aa68064ebb009d8eb95c1

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe
Filesize
163KB

MD5
b9f2267e278fb5d231dd71780901caec

SHA1
4cfa697af56492476ff54544eda9b1c99f337fbd

SHA256
02e00dd8e5d941324ae52ed053bf15a2d7f6e4afefd11ea1588dd969f46a859b

SHA512
b14e21cb9dd2c74a9cd526a8120df727857adc02c8c73988ee18935eb21c064d5dc78c89657b2f72ab399ab8ed338bd5ebffb315ada09ab441ad973eb6c581e6

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe
Filesize
163KB

MD5
667402e9ecb121bb1afae4700c5f789e

SHA1
276080cfa50400285c8b4bda9fcd39675b62f102

SHA256
3898c89f04ae51c8723c5420cce941acd29cf48a289eea047ff696a134cb7297

SHA512
4ec605095cb2b36b1a889223978575faa6badc842ee05043b269fc04e1251538a3cfe0a881c494e7e297d5b9fa270fc091f8f3f231cf8648f9ed28ef3bea3721

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe
Filesize
163KB

MD5
5d20c577f85a4fe5d3c39f59621b74af

SHA1
fe2a4cd58f4e674c5033214d07b3788fa6693631

SHA256
2383efef6b9793699f126edc6091f96162f1e44ee663d9c7f3200f3fa890f363

SHA512
0a88665f12f6895ebb70d34e5be6bd25598f2e4e0341581309e20cbc6ba5497f00d7c07ec49cc7e1c6d214a347996d62c8c1679bcaa13126ee65d639291b9015

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe
Filesize
163KB

MD5
a8932387999125492ab58b16fcf57450

SHA1
b61b5fb1f901cb536c6756cc399b19e5f9c9eae3

SHA256
02fcd66af3d25bfa6ff563b6c22f7e39e61a7511ce3c959c71757eac0faad0df

SHA512
e3c3782e118e1b56658afde09bf0ce6aed480b4788c9971bd77c4210afbfa32982991ef67f3c846ccae62b5456adffba02e9e96efc9b6600a2435da28c4cbbc6

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe
Filesize
163KB

MD5
7fb8f9bb4d27da73e2978a7300c79451

SHA1
f7fef732dc0ca2218283c20ad7aa10c1fb649fe2

SHA256
f2fb3fe9fa527765585fe2717b14811466a8c98576bc2747cb2323da4625d084

SHA512
809a2af651f03ba0c24dde4ff0d365433562b08c45a7c7fcc7c1d1f3f0e23d370be3ad20d052b60ae7f64d99eee485795d95ca8dd8a5ed94d43a2a6d77745ee0

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe
Filesize
163KB

MD5
cea39e7efcd072cf441748c1804acd15

SHA1
8edc7ef04be3b6fdf6120d506048f9810f39b8a8

SHA256
61d27b7229049f7fc444138cd4d9c13236a241bf7abe2326d832eb9c9c1aaae4

SHA512
08718e4c7f46817c5912cdd332dfed1ea1e937f93a4b9ee36fb7313aa842fd98efad7a3bcae780db633158822f96cbd255edbb243a47c6810cccaf1037f83634

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe
Filesize
163KB

MD5
6b9b2e879d74bc71a05905e6b0ab51e5

SHA1
20b9625ffc2fdb477827b3c1f999bc3f3e3eae89

SHA256
2184343ca89497eb9af1d502d790846a713ab6f72ac5af865087a7fbb720186e

SHA512
2e63cd5a4078ff72a30af5dca6e5eec2e79c60f2803ed2ef52a8084a0390bfc0f453990a0377b9fa42fd39b10504fccd0283ee929eb968b3106acf74403362ea

Download Submit
memory/316-305-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/616-29-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/616-557-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/688-24-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/688-544-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/916-545-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1060-406-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1204-289-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1224-260-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1284-418-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1344-513-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1356-387-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1472-192-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1512-175-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1528-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1528-531-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1528-6-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/1584-133-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1780-37-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1780-567-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1816-168-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1828-484-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1908-265-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1936-576-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1936-49-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1972-681-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1972-398-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2012-324-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2024-125-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2100-718-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2176-596-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2176-73-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2184-460-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2284-747-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2284-184-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2324-160-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2432-466-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2632-309-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2700-434-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2720-474-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2720-655-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2900-505-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2968-507-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2968-643-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3020-577-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3040-356-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3064-525-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3124-523-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3216-295-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3264-370-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3348-478-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3404-574-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3496-247-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3528-424-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3580-81-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3580-603-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3612-342-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3644-371-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3732-276-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3796-436-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4052-495-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4084-216-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4100-532-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4140-207-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4256-703-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4256-330-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4276-105-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4280-40-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4280-569-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4300-454-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4312-318-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4312-707-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4324-377-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4380-348-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4456-141-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4524-609-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4524-771-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4524-88-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4536-589-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4536-777-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4536-65-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4572-228-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4616-232-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4632-278-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4632-720-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4644-336-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4644-701-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4716-112-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4852-448-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4856-57-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4856-583-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4896-543-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4896-14-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4904-551-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4908-412-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4992-97-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5012-442-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5020-693-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5028-755-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5028-152-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5040-199-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5072-400-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5184-590-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5184-618-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5228-597-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5228-616-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5272-614-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5312-610-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5312-612-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download