gozi | 756b02b71881ecac8a3d4da099479a23869974882d20df6a450eab398bda5c94

Analysis

max time kernel
93s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

478b4e98f7e62b3864522ebbeb098a00_NeikiAnalytics.exe
Size

163KB
MD5

478b4e98f7e62b3864522ebbeb098a00
SHA1

bceca91830deb7976e85772844b58c1f42e62dec
SHA256

756b02b71881ecac8a3d4da099479a23869974882d20df6a450eab398bda5c94
SHA512

46ddeb6806209bda85f7fe031b1f46e8db40efde10acfbda429d22933321b3425558274b717f8136fcc722b0dacf54471abf770676fd59a04db97084e5ae9ca9
SSDEEP

3072:DbKUbKyz8YsgaIKE5Kw1fSOltOrWKDBr+yJb:DeUbcRlE5Kw1fSOLOf

Score

10^/10

gozi banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Mcbahlip.exeMnfipekh.exeMcklgm32.exeMjhqjg32.exeNacbfdao.exeNjacpf32.exeLddbqa32.exeMglack32.exeNceonl32.exeNnolfdcn.exeMjeddggd.exe478b4e98f7e62b3864522ebbeb098a00_NeikiAnalytics.exeNddkgonp.exeLaefdf32.exeMaohkd32.exeLcdegnep.exeMnocof32.exeNgpjnkpf.exeLaciofpa.exeMnlfigcc.exeMpolqa32.exeMpdelajl.exeLknjmkdo.exeMgekbljc.exeMgidml32.exeNdghmo32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	478b4e98f7e62b3864522ebbeb098a00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	478b4e98f7e62b3864522ebbeb098a00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Executes dropped EXE 26 IoCs

Processes:

Laciofpa.exeLcdegnep.exeLaefdf32.exeLddbqa32.exeLknjmkdo.exeMnlfigcc.exeMgekbljc.exeMnocof32.exeMcklgm32.exeMjeddggd.exeMpolqa32.exeMgidml32.exeMjhqjg32.exeMaohkd32.exeMglack32.exeMnfipekh.exeMpdelajl.exeMcbahlip.exeNacbfdao.exeNceonl32.exeNgpjnkpf.exeNddkgonp.exeNjacpf32.exeNdghmo32.exeNnolfdcn.exeNkcmohbg.exe

pid	process
2856	Laciofpa.exe
2788	Lcdegnep.exe
2196	Laefdf32.exe
2120	Lddbqa32.exe
2536	Lknjmkdo.exe
4884	Mnlfigcc.exe
2892	Mgekbljc.exe
3800	Mnocof32.exe
5116	Mcklgm32.exe
3868	Mjeddggd.exe
4420	Mpolqa32.exe
3304	Mgidml32.exe
3352	Mjhqjg32.exe
5028	Maohkd32.exe
1404	Mglack32.exe
3180	Mnfipekh.exe
2616	Mpdelajl.exe
2996	Mcbahlip.exe
2132	Nacbfdao.exe
2992	Nceonl32.exe
4608	Ngpjnkpf.exe
4468	Nddkgonp.exe
3580	Njacpf32.exe
5100	Ndghmo32.exe
928	Nnolfdcn.exe
3112	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

Processes:

Ngpjnkpf.exeNddkgonp.exeNdghmo32.exeMnlfigcc.exeMpdelajl.exeNceonl32.exeNnolfdcn.exeMgekbljc.exeMjhqjg32.exeMcbahlip.exe478b4e98f7e62b3864522ebbeb098a00_NeikiAnalytics.exeLaefdf32.exeLcdegnep.exeMnocof32.exeMglack32.exeMgidml32.exeNacbfdao.exeNjacpf32.exeMpolqa32.exeMaohkd32.exeMnfipekh.exeMjeddggd.exeLddbqa32.exeLaciofpa.exeLknjmkdo.exeMcklgm32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	478b4e98f7e62b3864522ebbeb098a00_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	478b4e98f7e62b3864522ebbeb098a00_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	478b4e98f7e62b3864522ebbeb098a00_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4564 3112 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
4564	3112	WerFault.exe	Nkcmohbg.exe

Modifies registry class 64 IoCs

Processes:

Mjeddggd.exeLcdegnep.exeLaefdf32.exeLknjmkdo.exeMnlfigcc.exeMnocof32.exeMgidml32.exeMcbahlip.exeNddkgonp.exe478b4e98f7e62b3864522ebbeb098a00_NeikiAnalytics.exeNjacpf32.exeMjhqjg32.exeMaohkd32.exeLddbqa32.exeMgekbljc.exeMglack32.exeNgpjnkpf.exeNnolfdcn.exeLaciofpa.exeMcklgm32.exeMpolqa32.exeMnfipekh.exeNdghmo32.exeMpdelajl.exeNceonl32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	478b4e98f7e62b3864522ebbeb098a00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	478b4e98f7e62b3864522ebbeb098a00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	478b4e98f7e62b3864522ebbeb098a00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	478b4e98f7e62b3864522ebbeb098a00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	478b4e98f7e62b3864522ebbeb098a00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	478b4e98f7e62b3864522ebbeb098a00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mgidml32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

478b4e98f7e62b3864522ebbeb098a00_NeikiAnalytics.exeLaciofpa.exeLcdegnep.exeLaefdf32.exeLddbqa32.exeLknjmkdo.exeMnlfigcc.exeMgekbljc.exeMnocof32.exeMcklgm32.exeMjeddggd.exeMpolqa32.exeMgidml32.exeMjhqjg32.exeMaohkd32.exeMglack32.exeMnfipekh.exeMpdelajl.exeMcbahlip.exeNacbfdao.exeNceonl32.exeNgpjnkpf.exe

description	pid	process	target process
PID 2312 wrote to memory of 2856	2312	478b4e98f7e62b3864522ebbeb098a00_NeikiAnalytics.exe	Laciofpa.exe
PID 2312 wrote to memory of 2856	2312	478b4e98f7e62b3864522ebbeb098a00_NeikiAnalytics.exe	Laciofpa.exe
PID 2312 wrote to memory of 2856	2312	478b4e98f7e62b3864522ebbeb098a00_NeikiAnalytics.exe	Laciofpa.exe
PID 2856 wrote to memory of 2788	2856	Laciofpa.exe	Lcdegnep.exe
PID 2856 wrote to memory of 2788	2856	Laciofpa.exe	Lcdegnep.exe
PID 2856 wrote to memory of 2788	2856	Laciofpa.exe	Lcdegnep.exe
PID 2788 wrote to memory of 2196	2788	Lcdegnep.exe	Laefdf32.exe
PID 2788 wrote to memory of 2196	2788	Lcdegnep.exe	Laefdf32.exe
PID 2788 wrote to memory of 2196	2788	Lcdegnep.exe	Laefdf32.exe
PID 2196 wrote to memory of 2120	2196	Laefdf32.exe	Lddbqa32.exe
PID 2196 wrote to memory of 2120	2196	Laefdf32.exe	Lddbqa32.exe
PID 2196 wrote to memory of 2120	2196	Laefdf32.exe	Lddbqa32.exe
PID 2120 wrote to memory of 2536	2120	Lddbqa32.exe	Lknjmkdo.exe
PID 2120 wrote to memory of 2536	2120	Lddbqa32.exe	Lknjmkdo.exe
PID 2120 wrote to memory of 2536	2120	Lddbqa32.exe	Lknjmkdo.exe
PID 2536 wrote to memory of 4884	2536	Lknjmkdo.exe	Mnlfigcc.exe
PID 2536 wrote to memory of 4884	2536	Lknjmkdo.exe	Mnlfigcc.exe
PID 2536 wrote to memory of 4884	2536	Lknjmkdo.exe	Mnlfigcc.exe
PID 4884 wrote to memory of 2892	4884	Mnlfigcc.exe	Mgekbljc.exe
PID 4884 wrote to memory of 2892	4884	Mnlfigcc.exe	Mgekbljc.exe
PID 4884 wrote to memory of 2892	4884	Mnlfigcc.exe	Mgekbljc.exe
PID 2892 wrote to memory of 3800	2892	Mgekbljc.exe	Mnocof32.exe
PID 2892 wrote to memory of 3800	2892	Mgekbljc.exe	Mnocof32.exe
PID 2892 wrote to memory of 3800	2892	Mgekbljc.exe	Mnocof32.exe
PID 3800 wrote to memory of 5116	3800	Mnocof32.exe	Mcklgm32.exe
PID 3800 wrote to memory of 5116	3800	Mnocof32.exe	Mcklgm32.exe
PID 3800 wrote to memory of 5116	3800	Mnocof32.exe	Mcklgm32.exe
PID 5116 wrote to memory of 3868	5116	Mcklgm32.exe	Mjeddggd.exe
PID 5116 wrote to memory of 3868	5116	Mcklgm32.exe	Mjeddggd.exe
PID 5116 wrote to memory of 3868	5116	Mcklgm32.exe	Mjeddggd.exe
PID 3868 wrote to memory of 4420	3868	Mjeddggd.exe	Mpolqa32.exe
PID 3868 wrote to memory of 4420	3868	Mjeddggd.exe	Mpolqa32.exe
PID 3868 wrote to memory of 4420	3868	Mjeddggd.exe	Mpolqa32.exe
PID 4420 wrote to memory of 3304	4420	Mpolqa32.exe	Mgidml32.exe
PID 4420 wrote to memory of 3304	4420	Mpolqa32.exe	Mgidml32.exe
PID 4420 wrote to memory of 3304	4420	Mpolqa32.exe	Mgidml32.exe
PID 3304 wrote to memory of 3352	3304	Mgidml32.exe	Mjhqjg32.exe
PID 3304 wrote to memory of 3352	3304	Mgidml32.exe	Mjhqjg32.exe
PID 3304 wrote to memory of 3352	3304	Mgidml32.exe	Mjhqjg32.exe
PID 3352 wrote to memory of 5028	3352	Mjhqjg32.exe	Maohkd32.exe
PID 3352 wrote to memory of 5028	3352	Mjhqjg32.exe	Maohkd32.exe
PID 3352 wrote to memory of 5028	3352	Mjhqjg32.exe	Maohkd32.exe
PID 5028 wrote to memory of 1404	5028	Maohkd32.exe	Mglack32.exe
PID 5028 wrote to memory of 1404	5028	Maohkd32.exe	Mglack32.exe
PID 5028 wrote to memory of 1404	5028	Maohkd32.exe	Mglack32.exe
PID 1404 wrote to memory of 3180	1404	Mglack32.exe	Mnfipekh.exe
PID 1404 wrote to memory of 3180	1404	Mglack32.exe	Mnfipekh.exe
PID 1404 wrote to memory of 3180	1404	Mglack32.exe	Mnfipekh.exe
PID 3180 wrote to memory of 2616	3180	Mnfipekh.exe	Mpdelajl.exe
PID 3180 wrote to memory of 2616	3180	Mnfipekh.exe	Mpdelajl.exe
PID 3180 wrote to memory of 2616	3180	Mnfipekh.exe	Mpdelajl.exe
PID 2616 wrote to memory of 2996	2616	Mpdelajl.exe	Mcbahlip.exe
PID 2616 wrote to memory of 2996	2616	Mpdelajl.exe	Mcbahlip.exe
PID 2616 wrote to memory of 2996	2616	Mpdelajl.exe	Mcbahlip.exe
PID 2996 wrote to memory of 2132	2996	Mcbahlip.exe	Nacbfdao.exe
PID 2996 wrote to memory of 2132	2996	Mcbahlip.exe	Nacbfdao.exe
PID 2996 wrote to memory of 2132	2996	Mcbahlip.exe	Nacbfdao.exe
PID 2132 wrote to memory of 2992	2132	Nacbfdao.exe	Nceonl32.exe
PID 2132 wrote to memory of 2992	2132	Nacbfdao.exe	Nceonl32.exe
PID 2132 wrote to memory of 2992	2132	Nacbfdao.exe	Nceonl32.exe
PID 2992 wrote to memory of 4608	2992	Nceonl32.exe	Ngpjnkpf.exe
PID 2992 wrote to memory of 4608	2992	Nceonl32.exe	Ngpjnkpf.exe
PID 2992 wrote to memory of 4608	2992	Nceonl32.exe	Ngpjnkpf.exe
PID 4608 wrote to memory of 4468	4608	Ngpjnkpf.exe	Nddkgonp.exe

C:\Users\Admin\AppData\Local\Temp\478b4e98f7e62b3864522ebbeb098a00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\478b4e98f7e62b3864522ebbeb098a00_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\SysWOW64\Laciofpa.exe
C:\Windows\system32\Laciofpa.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\SysWOW64\Lcdegnep.exe
C:\Windows\system32\Lcdegnep.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\SysWOW64\Laefdf32.exe
C:\Windows\system32\Laefdf32.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\SysWOW64\Lddbqa32.exe
C:\Windows\system32\Lddbqa32.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2120

C:\Windows\SysWOW64\Lknjmkdo.exe
C:\Windows\system32\Lknjmkdo.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\SysWOW64\Mnlfigcc.exe
C:\Windows\system32\Mnlfigcc.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4884

C:\Windows\SysWOW64\Mgekbljc.exe
C:\Windows\system32\Mgekbljc.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2892

C:\Windows\SysWOW64\Mnocof32.exe
C:\Windows\system32\Mnocof32.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3800

C:\Windows\SysWOW64\Mcklgm32.exe
C:\Windows\system32\Mcklgm32.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5116

C:\Windows\SysWOW64\Mjeddggd.exe
C:\Windows\system32\Mjeddggd.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3868

C:\Windows\SysWOW64\Mpolqa32.exe
C:\Windows\system32\Mpolqa32.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4420

C:\Windows\SysWOW64\Mgidml32.exe
C:\Windows\system32\Mgidml32.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3304

C:\Windows\SysWOW64\Mjhqjg32.exe
C:\Windows\system32\Mjhqjg32.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3352

C:\Windows\SysWOW64\Maohkd32.exe
C:\Windows\system32\Maohkd32.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\SysWOW64\Mglack32.exe
C:\Windows\system32\Mglack32.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\SysWOW64\Mnfipekh.exe
C:\Windows\system32\Mnfipekh.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3180

C:\Windows\SysWOW64\Mpdelajl.exe
C:\Windows\system32\Mpdelajl.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\SysWOW64\Mcbahlip.exe
C:\Windows\system32\Mcbahlip.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2996

C:\Windows\SysWOW64\Nacbfdao.exe
C:\Windows\system32\Nacbfdao.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\SysWOW64\Nceonl32.exe
C:\Windows\system32\Nceonl32.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2992

C:\Windows\SysWOW64\Ngpjnkpf.exe
C:\Windows\system32\Ngpjnkpf.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4608

C:\Windows\SysWOW64\Nddkgonp.exe
C:\Windows\system32\Nddkgonp.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4468

C:\Windows\SysWOW64\Njacpf32.exe
C:\Windows\system32\Njacpf32.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3580

C:\Windows\SysWOW64\Ndghmo32.exe
C:\Windows\system32\Ndghmo32.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5100

C:\Windows\SysWOW64\Nnolfdcn.exe
C:\Windows\system32\Nnolfdcn.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:928

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
27⤵
- Executes dropped EXE
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 400
28⤵
- Program crash
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3112 -ip 3112
1⤵
PID:3100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laciofpa.exe

Filesize
163KB

MD5
6e39cd28202b5cc7bb3729d2568debfb

SHA1
53a1dbd5082478c53595f04ae0a6ff80b547488a

SHA256
05aada2af5c6fdafefd396e590b1afb4372253cb1376c800551754d5b2b1a8dc

SHA512
5277ef4409c0f14d173de6dcd0ff5f6f788c9f84d9e303a078ecd5fc63f67d4b4d3fd67e2732b3299fbe72d917115c03c8a5b563bc8b18ab8a72e70e3490d1af

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
163KB

MD5
a9f7d48b54fe47423335fe259e80140c

SHA1
05bb4868cd653427c53641b741de35f66fbf8e86

SHA256
eb0bc2025cc461d2cd8adc72520738b70270fcfdd45a4e6984d27378171014ed

SHA512
41025f5aaad8356270e6ab681bdf99459142bdf6ed63be1870249aca6d30e374f1a42b67f83d0e21c201e2447b2760ca78ddff415cabc29a6f22e630a4fae2da

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
163KB

MD5
ce22c3f08cf9f703aec25e738cbbf825

SHA1
122f7be7075490e799a85bda1645697f4ced5b67

SHA256
208260401a1cc6ae046c80c880c30c272468fccacb212dcf9ef3c0aec765d6a8

SHA512
ed6cfa8322a3da6d76b827b19069ac88472c4527b22fe68d5071757abcc46e0042e6f8db3029438f81438f63a5e2f7cda5b840cbad4f404e1ecc19bdd37eb290

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
163KB

MD5
1b0fcf7288b610e95d05ca25c5bdc5b6

SHA1
714cf29065c2d397559750f7af9ac5670f1edd1a

SHA256
20e7b1928af8c45687ab002a6b2d3749e900b9cf6cc374d341c2ea83db183f7e

SHA512
59aeba3bc05413a5568c9ca00de59b73ecdb7b1681234b38b607e28eb36571476cd804394e3945a395e8903108f7e1db5cefb0d04f741859f490b2772f529939

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
163KB

MD5
8a8a0c587209620969aeba3320da87fe

SHA1
828fb095c748e6210fb279d7247cc955429c671b

SHA256
f8a0b707ea69ada4a10f0437c1ac321fcfa4f1e2f5053857bf1b1b08f37408d9

SHA512
e5e1c40fc38cd52aa2ad8c2a10a0fe4601dd0f6a8145631542902991ef4daadaaa2fbe290ca96d88487d61d84f398e825987075152671d3dafe48337b938bdb6

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
163KB

MD5
c9b7fb0b618024032adb632b9baa6554

SHA1
3f309624c5a746231c38d755cac19b64c15f1913

SHA256
3b43e38e478bd2c721b25486f218272a61d82ca3c0d7e3d7f2e3a60601dddc4a

SHA512
4568a9b08a26e31fc695e43ef78776cc11eaafa22a71878a6e748e2f78717b66e7665e32ea911da2d0a8576c4f036322a43c8ab3e6c83b26fe4abd4e496be9ad

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
163KB

MD5
cfa24b3555f52da73300176088ec8c5a

SHA1
c147b6f5390090c23c8081f1151ea89999beffb7

SHA256
5c240eed0b4615bbc70b107ef744850362e8b0c7ce30c00240bd3b1fae5d3163

SHA512
b1d0cd1e8b416c0c490599e9e620c8757d69915dad2a3af7f193909263e8a08633f96ac897e031aa5e50b2d843490a3b2cb48db65d1fd7fb6cfd4ba20067e549

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
163KB

MD5
8ec748cad85f331952c52cf1cac3c254

SHA1
c54e34c1545f480ef3ae0ddc59432b36b69e8389

SHA256
df8384c13a30f99e6ab507a8341f4bf4e7411468e5aa1c333aca3a758e041b1b

SHA512
af28f9cb70737347efc5194017d3dd76af7d7223431d6ec6be6b241deb2fadedb614aa84d743d0fd4b498ffa42233633121325fa523cd18fbf4efafabc126e08

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
163KB

MD5
1a173f5d66af2af8ffb3949c8b1a056a

SHA1
efedf1d303134ded0746703216771649af3dc6ba

SHA256
2e390120788bd81be857daf21c0005356471263afddc59e4625226d6b2419388

SHA512
b01f0a7939a446aebd2b0624b8922a35d46405a76c2f8c7c78b1591fc7049126b004f5da5613477dd5554fe2554c619ce4549b2927f9147ba7bfe93c5e8ffdf2

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
163KB

MD5
e0ea8297fc5931eeea9987ed82a80680

SHA1
fb2ee7cc435f9b9e7fc8d2371114cd1d552a9cde

SHA256
4ebc30d717575d0632f8fcc75108fd866eddce984a81b0b2cc7ed693bb00fe34

SHA512
b710861a51dfff2ef8814a71d1a52d05e4865639fb5c2d91dfb373432eda9b2d81042fa05b0d7be5ac17fb7e7f0bd84a25f3f10bfa8be94eb16988ec247eea72

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
163KB

MD5
111350fda7c56be6daf34f4f4d5745ce

SHA1
fc6e5a7c2f03fcf872aa8c36c8211e44e3b15bd4

SHA256
18572bb8b7c28cb3da5430c22782cfa353f0abe3c0d5059bc9f68c731501bb86

SHA512
9e17e55c1ab18ca067bf78a8626f40b7e6510963a4ba2adda52bc7f37cd683ebd6fe16bf7e74dffef5f0c43ef591daa63897fedecbcd90249dad02968bc1ced0

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
163KB

MD5
0b3ac6e647d1db5e6671e6d223ade643

SHA1
747b31783281285d64efec742970d729bf3f41cf

SHA256
2ac45d8acb134e0e9053e6132b0280b12e7b3f073990f8621e6b76a366f3f7d2

SHA512
c36e17873c63657a0aa913313e97fa47b5b58598be3f6f175fb3b9b8e8e14335f6d5684668c9a0df1e39ade445732d184d0a3cdedcd49018c18ab558f5b32930

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
163KB

MD5
af28fcf9a94efc3b2571d80e99a7acb4

SHA1
ae12d454cd4f9df9dbce28d918b90d3cad749c03

SHA256
3b03232b65ef6a8ca7d7d0fc0b9d1382a400f6617dabceb3bef22609f81efe4d

SHA512
a0a6642164772c5537d23eda0057414e29b505a6d2a9d94678006f165471a3a04d89110bb81e6eb8b6bd353eb6fd9edee1d3617ac21d273c65596d06330a9b30

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
163KB

MD5
20755e7ca2e865737ccbf2f601cb7f2b

SHA1
eb321039e04d75cddcd23b67192188d7520b6267

SHA256
6eec36ef3629bdb05ea5ab08c5a63bbc4f834423fe40e16a2b5235e9f0fa7988

SHA512
93535f38ca186bc13af7da09fe24318c24fdbd5ff4babdfe14f23789c15c236c3ebe0498ef5cab3cb946035e12c4a53de6f3d6742525cbfbcafd573398ee336f

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
163KB

MD5
61c79454890ef67bbb1b24034fa3bc35

SHA1
13e8fe12f899eef6551604efe2302b5686ce3c6e

SHA256
aee94413377b613b227630a2c22cee462c68ad93648208ac77994cefc7e5a071

SHA512
8ce060a29df913ff21e6bec82bfa144d9190b411fefde4a38478940defd79704b874458396451de6df1947724d64dfa9a822a2cfa347f1547faceb488491c9f3

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
163KB

MD5
f84f0fe3367136a12721c67ebfac0f9c

SHA1
fa38052d2fa92233ab41f200a2c10524d25e10bd

SHA256
aa0c36f01e5d1675e26ef17794b2814e129200ba10e2dd5aa1ee36057c122b69

SHA512
2ea7828e8ff0a4e292f37aee6880f69f32cad1af57e305ddacc52b17c85698fd6f1383c2d4aa4649b71514386f44949e785d03787a89b6d864c7620024485df4

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
163KB

MD5
f990f2048192f32425f0fa27ab2d87e6

SHA1
2a6e66f9078110fed0bd0d951c2088348446e84d

SHA256
9f5a91db506553c07860d722414092f7e48c0ddecdd699d0a6c411cf6f0e557f

SHA512
4244b5a5139cbaead3f89b7d3c5e9970dbe6c92e1b6dc878afc725c76033f54aa8b1447eecdd6b9b9c884a1ccb75f2dddd4ac648ebe716cee83bba287daeef93

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
163KB

MD5
2a9eff05d731048a423470308fd50c77

SHA1
d0136b1a0853b895298cd489c91583f302cf000c

SHA256
fb91fff9c038c223018f3a562bf3e3a9ef686f716e3c9f56e2da73fbe8d69d11

SHA512
af65e39a2d20c65eaa03ba07ce34720affa8d177b0c7b1648452e4f23f3dfbcef6542ba7ec33d939d8a97d0b8712e9a3af9841ff43d7b3009d97227c265207a9

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
163KB

MD5
a581ae35ec3ae4dfc8e6d48f3aa5286f

SHA1
8b80fa22aef81492b5ffd81ab7c6bd3f5f7ecd5c

SHA256
5d090b205b9f425c6062dfb7ca4e5e3408b9ae21dbd09b4ca815fa5cc60d7cfb

SHA512
c178a108292af6db8ab5e2db1e8e9a32126633392fd94e2d26608f465aa0173f679ae53f679431467558b565c969a9f7c1271f7e555210b528e69b913be13ead

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
163KB

MD5
545afe315875c72c2b1d275c3b34b591

SHA1
e592987fd46fc3d9879501f846dc019ab9933f3d

SHA256
3de02d00cbd2b13502920ad604028c8b3695d9b707e3c2f911b16670435e11d3

SHA512
4c5b7e57b6a1f4f90c83f5c1e424793dc9fadfd3306dfe133a8c4d383923b6a4497b1738d6734fbcd2e91dae4a38b0436dbc05fdafaf527b40a0871b6c3890ee

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
163KB

MD5
8269398fb4a333fc3ed5d9001215617b

SHA1
b7a394f8d5cfaca5d4fd1f099b05dad0f7dbe622

SHA256
5682760864963c6574f377b604eb2b11f92db3089828aeaf5cdc25948dfc4f25

SHA512
d4f87fe5f53b90d0c72144eb6d84ed64c3ffca17b1867b00b21ab5b4a77ddac9fbea658ec4fd339010e6a30a259634bfba3f732059033b31920bfd162eb2d035

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
163KB

MD5
296bf422df3b012ae346fb2ae89c494c

SHA1
3c27da6654897a98fb3c61b810cba2fc3499e636

SHA256
885d71aa546b0e13beb480f537205537f6be46a6f37c214d45bb5020c174c558

SHA512
5d7b40f1cb004cc94400e2e4c800596eacf9fda817550f724f3381c4830dd8347e529ce4a09d8d0353485c3a402131c2acbcbc6332b7a4cb3cd15dc066faf072

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
163KB

MD5
2164db564ef13365217072c24323e6cc

SHA1
3ef6328720ed0ae4821bb9b60bae54c62a37b8b6

SHA256
298d30b53331e92a45dd8e481508913c3e7d105437dfaef88614d36db49c09ed

SHA512
33934bdb8a53d9b56a30c957899000cf5f88020b67ec1a39cf15b619ea19b6fbc24515892af59de1ff8f37d40120c89ff551c914d4c2ac46c0a10f9db7f2c184

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
163KB

MD5
402e9f7a4e651ae70e3e0f9ddf15788d

SHA1
2080b9dfe67aa969abdae76a5e99b62ab018f5d9

SHA256
85ed018144c0cc8bf01e3b2431db833667c666cb6d7e1c698496ad7fbccf0892

SHA512
e56cf3592fb1c0defb1be27094b0bbffb51b9a0906bba3585e2e512e4b407b724e5df58ca30a61dfa7c34f1238c93040808d5d6073531d019ed3edac2c2afb1c

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
163KB

MD5
356f6abdca1da7b09e723198ba326622

SHA1
93d03d610d154339cc1ebce62c9f2deebc7fe289

SHA256
c66815bf338783b67d25cab0cbbafb20610a73fa784183d9109ff1c28e131c78

SHA512
5d935bdc42857b323268519b20be87e9db3eaafdc43c8c7b899a270b31fd2d106e04f7905fd7c2f378786af29041233709d102cb415e202c78b8152eb8f9a588

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
163KB

MD5
690f9bf51750cbcf983a3db1b54a1b7c

SHA1
5ba918f219b3bd24e896d3b831fa12e276ce034b

SHA256
7cd180353d245203a69ac7a5cf10c036d7c22e472db9772414342dcd27b08833

SHA512
b0f804cd0d74cbc6baa2645de579cb5ca16eafdf8e07b89a00f7c1e471ef99a78aa037fac63e05fcae1618e5abccfbf82a8c198e7cff390c072d5c504098bb6c

Download Submit
memory/928-200-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/928-214-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1404-233-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1404-121-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2120-255-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2120-32-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2132-224-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2132-154-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2132-223-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2196-29-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2196-257-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2312-263-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2312-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2312-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2536-253-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2536-43-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2616-137-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2616-229-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2788-259-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2788-17-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2856-261-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2856-9-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2892-56-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2892-249-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2992-165-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2992-222-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2996-227-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2996-145-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3112-209-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3112-211-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3180-231-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3180-129-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3304-239-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3304-97-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3352-109-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3352-237-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3580-217-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3580-185-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3800-64-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3800-247-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3868-243-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3868-81-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4420-89-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4420-241-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4468-177-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4468-219-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4608-169-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4608-225-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4884-251-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4884-48-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5028-113-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5028-235-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5100-193-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5100-215-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5116-73-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5116-245-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download