gozi | 0010e172ff80a8708344311506fe6b8c753f7953a1fe38c31d3321a37ed69257

Analysis

max time kernel
142s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 12:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0010e172ff80a8708344311506fe6b8c753f7953a1fe38c31d3321a37ed69257_NeikiAnalytics.exe
Size

163KB
MD5

1160ded5a7ebf91d28830c638f5cb150
SHA1

82043b7efce7c7356c4ee7fb99fb4276e0d6dae9
SHA256

0010e172ff80a8708344311506fe6b8c753f7953a1fe38c31d3321a37ed69257
SHA512

88f58c59c2dbe5f1d0bfaae104b16313fb424689fe3cfe88fe17c269a0d2b7f102c7d9e9946780931de3ac0e77d4d39b00de6d969c42dedf09c3620a86e18fde
SSDEEP

1536:PdbiVhjJgQwVEvfaymXC8SKpxQE51o6lProNVU4qNVUrk/9QbfBr+7GwKrPAsqNy:lbiVhjJgzA7mXCI51xltOrWKDBr+yJb

Score

10^/10

gozi banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Cdolgfbp.exeMcifkf32.exeNclbpf32.exeGokbgpeg.exeNiojoeel.exeOikjkc32.exePmpolgoi.exeJifecp32.exeMjidgkog.exePciqnk32.exeIpgkjlmg.exeOjemig32.exePbhgoh32.exeMjggal32.exeMlofcf32.exeNcpeaoih.exeQmdblp32.exePjaleemj.exeQodeajbg.exeDhgonidg.exeEomffaag.exeFdlkdhnk.exeNagiji32.exeHejqldci.exeNfgklkoc.exeQclmck32.exeAbjmkf32.exeCdmoafdb.exeNadleilm.exeBnoddcef.exeHicpgc32.exeLlqjbhdc.exePmmlla32.exeEbaplnie.exeFinnef32.exeMokfja32.exeNcmhko32.exe0010e172ff80a8708344311506fe6b8c753f7953a1fe38c31d3321a37ed69257_NeikiAnalytics.exeDhbebj32.exeKbhmbdle.exeCildom32.exeOmgmeigd.exeCkebcg32.exeGpdennml.exeLohqnd32.exeMpeiie32.exeCcdihbgg.exeAadghn32.exeApaadpng.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdolgfbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcifkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nclbpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gokbgpeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Niojoeel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oikjkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmpolgoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jifecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjidgkog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pciqnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcifkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipgkjlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojemig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbhgoh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjggal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlofcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncpeaoih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmdblp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjaleemj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qodeajbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qodeajbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhgonidg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eomffaag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdlkdhnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nagiji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hejqldci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nagiji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdlkdhnk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgklkoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pciqnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qclmck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abjmkf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdmoafdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nadleilm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnoddcef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hicpgc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llqjbhdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmmlla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebaplnie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Finnef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mokfja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncmhko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncmhko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abjmkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0010e172ff80a8708344311506fe6b8c753f7953a1fe38c31d3321a37ed69257_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnoddcef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhbebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbhmbdle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjggal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cildom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omgmeigd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckebcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpdennml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lohqnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mokfja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncpeaoih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oikjkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hejqldci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpeiie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlofcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdmoafdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccdihbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadghn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apaadpng.exe

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Executes dropped EXE 64 IoCs

Processes:

Mfchlbfd.exeMcifkf32.exeNclbpf32.exeNmfcok32.exeNadleilm.exeNagiji32.exeOfhknodl.exeOmgmeigd.exePnifekmd.exePmpolgoi.exeQodeajbg.exeAfbgkl32.exeApmhiq32.exeApaadpng.exeBdagpnbk.exeBnoddcef.exeCkebcg32.exeCpdgqmnb.exeDhbebj32.exeDhgonidg.exeEbaplnie.exeEqgmmk32.exeEgcaod32.exeEomffaag.exeFdlkdhnk.exeFijdjfdb.exeFinnef32.exeGokbgpeg.exeGnblnlhl.exeGpdennml.exeHicpgc32.exeHejqldci.exeIpgkjlmg.exeIehmmb32.exeJifecp32.exeJpbjfjci.exeJohggfha.exeJahqiaeb.exeKbhmbdle.exeKpnjah32.exeKlggli32.exeLohqnd32.exeLjpaqmgb.exeLlqjbhdc.exeLjdkll32.exeMjggal32.exeMjidgkog.exeMpeiie32.exeMokfja32.exeMlofcf32.exeNfgklkoc.exeNcmhko32.exeNcpeaoih.exeNimmifgo.exeNiojoeel.exeOjnfihmo.exeOiccje32.exeOjemig32.exeOikjkc32.exePbhgoh32.exePmmlla32.exePjaleemj.exePciqnk32.exeQclmck32.exe

pid	process
2240	Mfchlbfd.exe
3804	Mcifkf32.exe
4004	Nclbpf32.exe
3928	Nmfcok32.exe
220	Nadleilm.exe
3800	Nagiji32.exe
4180	Ofhknodl.exe
1200	Omgmeigd.exe
4540	Pnifekmd.exe
3656	Pmpolgoi.exe
748	Qodeajbg.exe
3572	Afbgkl32.exe
3524	Apmhiq32.exe
3740	Apaadpng.exe
756	Bdagpnbk.exe
2640	Bnoddcef.exe
3348	Ckebcg32.exe
3232	Cpdgqmnb.exe
4348	Dhbebj32.exe
3476	Dhgonidg.exe
1864	Ebaplnie.exe
5028	Eqgmmk32.exe
1108	Egcaod32.exe
1964	Eomffaag.exe
4132	Fdlkdhnk.exe
4848	Fijdjfdb.exe
3336	Finnef32.exe
3972	Gokbgpeg.exe
2160	Gnblnlhl.exe
2260	Gpdennml.exe
1752	Hicpgc32.exe
4712	Hejqldci.exe
1600	Ipgkjlmg.exe
1112	Iehmmb32.exe
432	Jifecp32.exe
3448	Jpbjfjci.exe
4480	Johggfha.exe
692	Jahqiaeb.exe
4440	Kbhmbdle.exe
4228	Kpnjah32.exe
4808	Klggli32.exe
4684	Lohqnd32.exe
3052	Ljpaqmgb.exe
3096	Llqjbhdc.exe
3288	Ljdkll32.exe
2164	Mjggal32.exe
4728	Mjidgkog.exe
2388	Mpeiie32.exe
4664	Mokfja32.exe
4484	Mlofcf32.exe
3460	Nfgklkoc.exe
3956	Ncmhko32.exe
2356	Ncpeaoih.exe
376	Nimmifgo.exe
3380	Niojoeel.exe
2384	Ojnfihmo.exe
3900	Oiccje32.exe
2888	Ojemig32.exe
2688	Oikjkc32.exe
2960	Pbhgoh32.exe
3548	Pmmlla32.exe
3496	Pjaleemj.exe
1504	Pciqnk32.exe
1716	Qclmck32.exe

Drops file in System32 directory 64 IoCs

Processes:

Mcifkf32.exeBdagpnbk.exeEbaplnie.exeJohggfha.exeOmgmeigd.exeJpbjfjci.exeBabcil32.exeCdolgfbp.exePmpolgoi.exeGpdennml.exeMlofcf32.exeMfchlbfd.exeEqgmmk32.exeGnblnlhl.exeLjdkll32.exeNimmifgo.exePbhgoh32.exeCildom32.exeQclmck32.exeFdlkdhnk.exeOikjkc32.exeAfbgkl32.exeMokfja32.exeBnoddcef.exeMpeiie32.exeQjhbfd32.exePjaleemj.exeAbjmkf32.exePciqnk32.exeGokbgpeg.exeIpgkjlmg.exeApaadpng.exeEgcaod32.exe0010e172ff80a8708344311506fe6b8c753f7953a1fe38c31d3321a37ed69257_NeikiAnalytics.exeDhbebj32.exeNcmhko32.exeNadleilm.exeKbhmbdle.exeJifecp32.exeLlqjbhdc.exeOfhknodl.exePnifekmd.exeFinnef32.exePmmlla32.exeNmfcok32.exeQodeajbg.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Kbjpeo32.dll	Mcifkf32.exe
File created	C:\Windows\SysWOW64\Lahoec32.dll	Bdagpnbk.exe
File opened for modification	C:\Windows\SysWOW64\Eqgmmk32.exe	Ebaplnie.exe
File opened for modification	C:\Windows\SysWOW64\Jahqiaeb.exe	Johggfha.exe
File created	C:\Windows\SysWOW64\Dojpmiij.dll	Johggfha.exe
File created	C:\Windows\SysWOW64\Fidhnlin.dll	Omgmeigd.exe
File created	C:\Windows\SysWOW64\Mjjkejin.dll	Jpbjfjci.exe
File created	C:\Windows\SysWOW64\Ckpamabg.exe	Babcil32.exe
File created	C:\Windows\SysWOW64\Lncmdghm.dll	Cdolgfbp.exe
File created	C:\Windows\SysWOW64\Qodeajbg.exe	Pmpolgoi.exe
File created	C:\Windows\SysWOW64\Hicpgc32.exe	Gpdennml.exe
File opened for modification	C:\Windows\SysWOW64\Nfgklkoc.exe	Mlofcf32.exe
File created	C:\Windows\SysWOW64\Mcifkf32.exe	Mfchlbfd.exe
File created	C:\Windows\SysWOW64\Egcaod32.exe	Eqgmmk32.exe
File opened for modification	C:\Windows\SysWOW64\Gpdennml.exe	Gnblnlhl.exe
File created	C:\Windows\SysWOW64\Mjggal32.exe	Ljdkll32.exe
File created	C:\Windows\SysWOW64\Hjcbmgnb.dll	Nimmifgo.exe
File opened for modification	C:\Windows\SysWOW64\Pmmlla32.exe	Pbhgoh32.exe
File opened for modification	C:\Windows\SysWOW64\Ccdihbgg.exe	Cildom32.exe
File created	C:\Windows\SysWOW64\Qmdblp32.exe	Qclmck32.exe
File created	C:\Windows\SysWOW64\Fijdjfdb.exe	Fdlkdhnk.exe
File created	C:\Windows\SysWOW64\Dblamanm.dll	Oikjkc32.exe
File created	C:\Windows\SysWOW64\Dgeaknci.dll	Afbgkl32.exe
File created	C:\Windows\SysWOW64\Mlofcf32.exe	Mokfja32.exe
File opened for modification	C:\Windows\SysWOW64\Ckebcg32.exe	Bnoddcef.exe
File opened for modification	C:\Windows\SysWOW64\Mokfja32.exe	Mpeiie32.exe
File created	C:\Windows\SysWOW64\Aadghn32.exe	Qjhbfd32.exe
File opened for modification	C:\Windows\SysWOW64\Niojoeel.exe	Nimmifgo.exe
File created	C:\Windows\SysWOW64\Pciqnk32.exe	Pjaleemj.exe
File opened for modification	C:\Windows\SysWOW64\Babcil32.exe	Abjmkf32.exe
File created	C:\Windows\SysWOW64\Apmhiq32.exe	Afbgkl32.exe
File created	C:\Windows\SysWOW64\Qclmck32.exe	Pciqnk32.exe
File created	C:\Windows\SysWOW64\Anhaoj32.dll	Fdlkdhnk.exe
File created	C:\Windows\SysWOW64\Libmeq32.dll	Gokbgpeg.exe
File opened for modification	C:\Windows\SysWOW64\Hicpgc32.exe	Gpdennml.exe
File created	C:\Windows\SysWOW64\Qglobbdg.dll	Ipgkjlmg.exe
File opened for modification	C:\Windows\SysWOW64\Nclbpf32.exe	Mcifkf32.exe
File created	C:\Windows\SysWOW64\Bdagpnbk.exe	Apaadpng.exe
File created	C:\Windows\SysWOW64\Eomffaag.exe	Egcaod32.exe
File created	C:\Windows\SysWOW64\Niojoeel.exe	Nimmifgo.exe
File created	C:\Windows\SysWOW64\Pfgbakef.dll	Pbhgoh32.exe
File opened for modification	C:\Windows\SysWOW64\Mfchlbfd.exe	0010e172ff80a8708344311506fe6b8c753f7953a1fe38c31d3321a37ed69257_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Nclbpf32.exe	Mcifkf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhgonidg.exe	Dhbebj32.exe
File created	C:\Windows\SysWOW64\Ncpeaoih.exe	Ncmhko32.exe
File opened for modification	C:\Windows\SysWOW64\Nagiji32.exe	Nadleilm.exe
File created	C:\Windows\SysWOW64\Aijjhbli.dll	Bnoddcef.exe
File created	C:\Windows\SysWOW64\Cagdge32.dll	Egcaod32.exe
File created	C:\Windows\SysWOW64\Gpdennml.exe	Gnblnlhl.exe
File created	C:\Windows\SysWOW64\Kpnjah32.exe	Kbhmbdle.exe
File created	C:\Windows\SysWOW64\Cldaec32.dll	Qjhbfd32.exe
File opened for modification	C:\Windows\SysWOW64\Bdagpnbk.exe	Apaadpng.exe
File created	C:\Windows\SysWOW64\Jpbjfjci.exe	Jifecp32.exe
File opened for modification	C:\Windows\SysWOW64\Ljdkll32.exe	Llqjbhdc.exe
File opened for modification	C:\Windows\SysWOW64\Mjggal32.exe	Ljdkll32.exe
File created	C:\Windows\SysWOW64\Omgmeigd.exe	Ofhknodl.exe
File created	C:\Windows\SysWOW64\Lngqkhda.dll	Pnifekmd.exe
File opened for modification	C:\Windows\SysWOW64\Gokbgpeg.exe	Finnef32.exe
File created	C:\Windows\SysWOW64\Ecipcemb.dll	Finnef32.exe
File created	C:\Windows\SysWOW64\Ljdkll32.exe	Llqjbhdc.exe
File created	C:\Windows\SysWOW64\Pjaleemj.exe	Pmmlla32.exe
File created	C:\Windows\SysWOW64\Cfkeihph.dll	Pciqnk32.exe
File created	C:\Windows\SysWOW64\Bgagea32.dll	Nmfcok32.exe
File opened for modification	C:\Windows\SysWOW64\Afbgkl32.exe	Qodeajbg.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5204 3424 WerFault.exe Diqnjl32.exe

pid	pid_target	process	target process
5204	3424	WerFault.exe	Diqnjl32.exe

Modifies registry class 64 IoCs

Processes:

Pmmlla32.exeCdmoafdb.exeCcdihbgg.exeMjggal32.exeEomffaag.exeKbhmbdle.exeLjpaqmgb.exeMfchlbfd.exeOmgmeigd.exeOjemig32.exeAadghn32.exeJifecp32.exeMlofcf32.exeNfgklkoc.exeMcifkf32.exeBdagpnbk.exeDhbebj32.exeApaadpng.exeIpgkjlmg.exeMpeiie32.exeOiccje32.exeKpnjah32.exe0010e172ff80a8708344311506fe6b8c753f7953a1fe38c31d3321a37ed69257_NeikiAnalytics.exeQclmck32.exeNcpeaoih.exeQodeajbg.exeGnblnlhl.exeMjidgkog.exeCdolgfbp.exeJpbjfjci.exeNimmifgo.exeOjnfihmo.exePciqnk32.exeDhgonidg.exeEbaplnie.exeJohggfha.exeNcmhko32.exeQmdblp32.exeCildom32.exePmpolgoi.exeNiojoeel.exePjaleemj.exeFijdjfdb.exeLohqnd32.exeAbjmkf32.exeJahqiaeb.exeLjdkll32.exePbhgoh32.exeAfbgkl32.exeGpdennml.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmmlla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpjna32.dll"	Cdmoafdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahlom32.dll"	Ccdihbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anafep32.dll"	Mjggal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eomffaag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbhmbdle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljpaqmgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfchlbfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fidhnlin.dll"	Omgmeigd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojemig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aadghn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjaqmkhl.dll"	Jifecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiciojhd.dll"	Kbhmbdle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlofcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfgklkoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcifkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdagpnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhbebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdmoafdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apaadpng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipgkjlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpeiie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oiccje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpnjah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	0010e172ff80a8708344311506fe6b8c753f7953a1fe38c31d3321a37ed69257_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qclmck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klndfknp.dll"	Ncpeaoih.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qodeajbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkphhg32.dll"	Gnblnlhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpifjj32.dll"	Mjidgkog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lncmdghm.dll"	Cdolgfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpbjfjci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nimmifgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojnfihmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pciqnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	0010e172ff80a8708344311506fe6b8c753f7953a1fe38c31d3321a37ed69257_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhgonidg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpjccmbf.dll"	Ebaplnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dojpmiij.dll"	Johggfha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfgklkoc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncmhko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmdblp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdmoafdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efoope32.dll"	Cildom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbmdml32.dll"	Pmpolgoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Niojoeel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjaleemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnoigkk.dll"	Ojemig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adnbpqkj.dll"	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnckgmik.dll"	Fijdjfdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lohqnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcejdp32.dll"	Mpeiie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojemig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abjmkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignjamf.dll"	Qodeajbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jahqiaeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljdkll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfgbakef.dll"	Pbhgoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhlbgmif.dll"	Pmmlla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgeaknci.dll"	Afbgkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afbgkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpdennml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdolgfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcndmiqg.dll"	Ljdkll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0010e172ff80a8708344311506fe6b8c753f7953a1fe38c31d3321a37ed69257_NeikiAnalytics.exeMfchlbfd.exeMcifkf32.exeNclbpf32.exeNmfcok32.exeNadleilm.exeNagiji32.exeOfhknodl.exeOmgmeigd.exePnifekmd.exePmpolgoi.exeQodeajbg.exeAfbgkl32.exeApmhiq32.exeApaadpng.exeBdagpnbk.exeBnoddcef.exeCkebcg32.exeCpdgqmnb.exeDhbebj32.exeDhgonidg.exeEbaplnie.exe

description	pid	process	target process
PID 2252 wrote to memory of 2240	2252	0010e172ff80a8708344311506fe6b8c753f7953a1fe38c31d3321a37ed69257_NeikiAnalytics.exe	Mfchlbfd.exe
PID 2252 wrote to memory of 2240	2252	0010e172ff80a8708344311506fe6b8c753f7953a1fe38c31d3321a37ed69257_NeikiAnalytics.exe	Mfchlbfd.exe
PID 2252 wrote to memory of 2240	2252	0010e172ff80a8708344311506fe6b8c753f7953a1fe38c31d3321a37ed69257_NeikiAnalytics.exe	Mfchlbfd.exe
PID 2240 wrote to memory of 3804	2240	Mfchlbfd.exe	Mcifkf32.exe
PID 2240 wrote to memory of 3804	2240	Mfchlbfd.exe	Mcifkf32.exe
PID 2240 wrote to memory of 3804	2240	Mfchlbfd.exe	Mcifkf32.exe
PID 3804 wrote to memory of 4004	3804	Mcifkf32.exe	Nclbpf32.exe
PID 3804 wrote to memory of 4004	3804	Mcifkf32.exe	Nclbpf32.exe
PID 3804 wrote to memory of 4004	3804	Mcifkf32.exe	Nclbpf32.exe
PID 4004 wrote to memory of 3928	4004	Nclbpf32.exe	Nmfcok32.exe
PID 4004 wrote to memory of 3928	4004	Nclbpf32.exe	Nmfcok32.exe
PID 4004 wrote to memory of 3928	4004	Nclbpf32.exe	Nmfcok32.exe
PID 3928 wrote to memory of 220	3928	Nmfcok32.exe	Nadleilm.exe
PID 3928 wrote to memory of 220	3928	Nmfcok32.exe	Nadleilm.exe
PID 3928 wrote to memory of 220	3928	Nmfcok32.exe	Nadleilm.exe
PID 220 wrote to memory of 3800	220	Nadleilm.exe	Nagiji32.exe
PID 220 wrote to memory of 3800	220	Nadleilm.exe	Nagiji32.exe
PID 220 wrote to memory of 3800	220	Nadleilm.exe	Nagiji32.exe
PID 3800 wrote to memory of 4180	3800	Nagiji32.exe	Ofhknodl.exe
PID 3800 wrote to memory of 4180	3800	Nagiji32.exe	Ofhknodl.exe
PID 3800 wrote to memory of 4180	3800	Nagiji32.exe	Ofhknodl.exe
PID 4180 wrote to memory of 1200	4180	Ofhknodl.exe	Omgmeigd.exe
PID 4180 wrote to memory of 1200	4180	Ofhknodl.exe	Omgmeigd.exe
PID 4180 wrote to memory of 1200	4180	Ofhknodl.exe	Omgmeigd.exe
PID 1200 wrote to memory of 4540	1200	Omgmeigd.exe	Pnifekmd.exe
PID 1200 wrote to memory of 4540	1200	Omgmeigd.exe	Pnifekmd.exe
PID 1200 wrote to memory of 4540	1200	Omgmeigd.exe	Pnifekmd.exe
PID 4540 wrote to memory of 3656	4540	Pnifekmd.exe	Pmpolgoi.exe
PID 4540 wrote to memory of 3656	4540	Pnifekmd.exe	Pmpolgoi.exe
PID 4540 wrote to memory of 3656	4540	Pnifekmd.exe	Pmpolgoi.exe
PID 3656 wrote to memory of 748	3656	Pmpolgoi.exe	Qodeajbg.exe
PID 3656 wrote to memory of 748	3656	Pmpolgoi.exe	Qodeajbg.exe
PID 3656 wrote to memory of 748	3656	Pmpolgoi.exe	Qodeajbg.exe
PID 748 wrote to memory of 3572	748	Qodeajbg.exe	Afbgkl32.exe
PID 748 wrote to memory of 3572	748	Qodeajbg.exe	Afbgkl32.exe
PID 748 wrote to memory of 3572	748	Qodeajbg.exe	Afbgkl32.exe
PID 3572 wrote to memory of 3524	3572	Afbgkl32.exe	Apmhiq32.exe
PID 3572 wrote to memory of 3524	3572	Afbgkl32.exe	Apmhiq32.exe
PID 3572 wrote to memory of 3524	3572	Afbgkl32.exe	Apmhiq32.exe
PID 3524 wrote to memory of 3740	3524	Apmhiq32.exe	Apaadpng.exe
PID 3524 wrote to memory of 3740	3524	Apmhiq32.exe	Apaadpng.exe
PID 3524 wrote to memory of 3740	3524	Apmhiq32.exe	Apaadpng.exe
PID 3740 wrote to memory of 756	3740	Apaadpng.exe	Bdagpnbk.exe
PID 3740 wrote to memory of 756	3740	Apaadpng.exe	Bdagpnbk.exe
PID 3740 wrote to memory of 756	3740	Apaadpng.exe	Bdagpnbk.exe
PID 756 wrote to memory of 2640	756	Bdagpnbk.exe	Bnoddcef.exe
PID 756 wrote to memory of 2640	756	Bdagpnbk.exe	Bnoddcef.exe
PID 756 wrote to memory of 2640	756	Bdagpnbk.exe	Bnoddcef.exe
PID 2640 wrote to memory of 3348	2640	Bnoddcef.exe	Ckebcg32.exe
PID 2640 wrote to memory of 3348	2640	Bnoddcef.exe	Ckebcg32.exe
PID 2640 wrote to memory of 3348	2640	Bnoddcef.exe	Ckebcg32.exe
PID 3348 wrote to memory of 3232	3348	Ckebcg32.exe	Cpdgqmnb.exe
PID 3348 wrote to memory of 3232	3348	Ckebcg32.exe	Cpdgqmnb.exe
PID 3348 wrote to memory of 3232	3348	Ckebcg32.exe	Cpdgqmnb.exe
PID 3232 wrote to memory of 4348	3232	Cpdgqmnb.exe	Dhbebj32.exe
PID 3232 wrote to memory of 4348	3232	Cpdgqmnb.exe	Dhbebj32.exe
PID 3232 wrote to memory of 4348	3232	Cpdgqmnb.exe	Dhbebj32.exe
PID 4348 wrote to memory of 3476	4348	Dhbebj32.exe	Dhgonidg.exe
PID 4348 wrote to memory of 3476	4348	Dhbebj32.exe	Dhgonidg.exe
PID 4348 wrote to memory of 3476	4348	Dhbebj32.exe	Dhgonidg.exe
PID 3476 wrote to memory of 1864	3476	Dhgonidg.exe	Ebaplnie.exe
PID 3476 wrote to memory of 1864	3476	Dhgonidg.exe	Ebaplnie.exe
PID 3476 wrote to memory of 1864	3476	Dhgonidg.exe	Ebaplnie.exe
PID 1864 wrote to memory of 5028	1864	Ebaplnie.exe	Eqgmmk32.exe

C:\Users\Admin\AppData\Local\Temp\0010e172ff80a8708344311506fe6b8c753f7953a1fe38c31d3321a37ed69257_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0010e172ff80a8708344311506fe6b8c753f7953a1fe38c31d3321a37ed69257_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\SysWOW64\Mfchlbfd.exe
C:\Windows\system32\Mfchlbfd.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\SysWOW64\Mcifkf32.exe
C:\Windows\system32\Mcifkf32.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3804

C:\Windows\SysWOW64\Nclbpf32.exe
C:\Windows\system32\Nclbpf32.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4004

C:\Windows\SysWOW64\Nmfcok32.exe
C:\Windows\system32\Nmfcok32.exe
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\SysWOW64\Nadleilm.exe
C:\Windows\system32\Nadleilm.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:220

C:\Windows\SysWOW64\Nagiji32.exe
C:\Windows\system32\Nagiji32.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3800

C:\Windows\SysWOW64\Ofhknodl.exe
C:\Windows\system32\Ofhknodl.exe
8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4180

C:\Windows\SysWOW64\Omgmeigd.exe
C:\Windows\system32\Omgmeigd.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\SysWOW64\Pnifekmd.exe
C:\Windows\system32\Pnifekmd.exe
10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4540

C:\Windows\SysWOW64\Pmpolgoi.exe
C:\Windows\system32\Pmpolgoi.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3656

C:\Windows\SysWOW64\Qodeajbg.exe
C:\Windows\system32\Qodeajbg.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\SysWOW64\Afbgkl32.exe
C:\Windows\system32\Afbgkl32.exe
13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3572

C:\Windows\SysWOW64\Apmhiq32.exe
C:\Windows\system32\Apmhiq32.exe
14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3524

C:\Windows\SysWOW64\Apaadpng.exe
C:\Windows\system32\Apaadpng.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3740

C:\Windows\SysWOW64\Bdagpnbk.exe
C:\Windows\system32\Bdagpnbk.exe
16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\Bnoddcef.exe
C:\Windows\system32\Bnoddcef.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2640

C:\Windows\SysWOW64\Ckebcg32.exe
C:\Windows\system32\Ckebcg32.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348

C:\Windows\SysWOW64\Cpdgqmnb.exe
C:\Windows\system32\Cpdgqmnb.exe
19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3232

C:\Windows\SysWOW64\Dhbebj32.exe
C:\Windows\system32\Dhbebj32.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4348

C:\Windows\SysWOW64\Dhgonidg.exe
C:\Windows\system32\Dhgonidg.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3476

C:\Windows\SysWOW64\Ebaplnie.exe
C:\Windows\system32\Ebaplnie.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\SysWOW64\Eqgmmk32.exe
C:\Windows\system32\Eqgmmk32.exe
23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5028

C:\Windows\SysWOW64\Egcaod32.exe
C:\Windows\system32\Egcaod32.exe
24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1108

C:\Windows\SysWOW64\Eomffaag.exe
C:\Windows\system32\Eomffaag.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1964

C:\Windows\SysWOW64\Fdlkdhnk.exe
C:\Windows\system32\Fdlkdhnk.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4132

C:\Windows\SysWOW64\Fijdjfdb.exe
C:\Windows\system32\Fijdjfdb.exe
27⤵
- Executes dropped EXE
- Modifies registry class
PID:4848

C:\Windows\SysWOW64\Finnef32.exe
C:\Windows\system32\Finnef32.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3336

C:\Windows\SysWOW64\Gokbgpeg.exe
C:\Windows\system32\Gokbgpeg.exe
29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3972

C:\Windows\SysWOW64\Gnblnlhl.exe
C:\Windows\system32\Gnblnlhl.exe
30⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2160

C:\Windows\SysWOW64\Gpdennml.exe
C:\Windows\system32\Gpdennml.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2260

C:\Windows\SysWOW64\Hicpgc32.exe
C:\Windows\system32\Hicpgc32.exe
32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1752

C:\Windows\SysWOW64\Hejqldci.exe
C:\Windows\system32\Hejqldci.exe
33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4712

C:\Windows\SysWOW64\Ipgkjlmg.exe
C:\Windows\system32\Ipgkjlmg.exe
34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1600

C:\Windows\SysWOW64\Iehmmb32.exe
C:\Windows\system32\Iehmmb32.exe
35⤵
- Executes dropped EXE
PID:1112

C:\Windows\SysWOW64\Jifecp32.exe
C:\Windows\system32\Jifecp32.exe
36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:432

C:\Windows\SysWOW64\Jpbjfjci.exe
C:\Windows\system32\Jpbjfjci.exe
37⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3448

C:\Windows\SysWOW64\Johggfha.exe
C:\Windows\system32\Johggfha.exe
38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4480

C:\Windows\SysWOW64\Jahqiaeb.exe
C:\Windows\system32\Jahqiaeb.exe
39⤵
- Executes dropped EXE
- Modifies registry class
PID:692

C:\Windows\SysWOW64\Kbhmbdle.exe
C:\Windows\system32\Kbhmbdle.exe
40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4440

C:\Windows\SysWOW64\Kpnjah32.exe
C:\Windows\system32\Kpnjah32.exe
41⤵
- Executes dropped EXE
- Modifies registry class
PID:4228

C:\Windows\SysWOW64\Klggli32.exe
C:\Windows\system32\Klggli32.exe
42⤵
- Executes dropped EXE
PID:4808

C:\Windows\SysWOW64\Lohqnd32.exe
C:\Windows\system32\Lohqnd32.exe
43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4684

C:\Windows\SysWOW64\Ljpaqmgb.exe
C:\Windows\system32\Ljpaqmgb.exe
44⤵
- Executes dropped EXE
- Modifies registry class
PID:3052

C:\Windows\SysWOW64\Llqjbhdc.exe
C:\Windows\system32\Llqjbhdc.exe
45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3096

C:\Windows\SysWOW64\Ljdkll32.exe
C:\Windows\system32\Ljdkll32.exe
46⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3288

C:\Windows\SysWOW64\Mjggal32.exe
C:\Windows\system32\Mjggal32.exe
47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2164

C:\Windows\SysWOW64\Mjidgkog.exe
C:\Windows\system32\Mjidgkog.exe
48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4728

C:\Windows\SysWOW64\Mpeiie32.exe
C:\Windows\system32\Mpeiie32.exe
49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2388

C:\Windows\SysWOW64\Mokfja32.exe
C:\Windows\system32\Mokfja32.exe
50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4664

C:\Windows\SysWOW64\Mlofcf32.exe
C:\Windows\system32\Mlofcf32.exe
51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4484

C:\Windows\SysWOW64\Nfgklkoc.exe
C:\Windows\system32\Nfgklkoc.exe
52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3460

C:\Windows\SysWOW64\Ncmhko32.exe
C:\Windows\system32\Ncmhko32.exe
53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3956

C:\Windows\SysWOW64\Ncpeaoih.exe
C:\Windows\system32\Ncpeaoih.exe
54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2356

C:\Windows\SysWOW64\Nimmifgo.exe
C:\Windows\system32\Nimmifgo.exe
55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:376

C:\Windows\SysWOW64\Niojoeel.exe
C:\Windows\system32\Niojoeel.exe
56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3380

C:\Windows\SysWOW64\Ojnfihmo.exe
C:\Windows\system32\Ojnfihmo.exe
57⤵
- Executes dropped EXE
- Modifies registry class
PID:2384

C:\Windows\SysWOW64\Oiccje32.exe
C:\Windows\system32\Oiccje32.exe
58⤵
- Executes dropped EXE
- Modifies registry class
PID:3900

C:\Windows\SysWOW64\Ojemig32.exe
C:\Windows\system32\Ojemig32.exe
59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2888

C:\Windows\SysWOW64\Oikjkc32.exe
C:\Windows\system32\Oikjkc32.exe
60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2688

C:\Windows\SysWOW64\Pbhgoh32.exe
C:\Windows\system32\Pbhgoh32.exe
61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2960

C:\Windows\SysWOW64\Pmmlla32.exe
C:\Windows\system32\Pmmlla32.exe
62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3548

C:\Windows\SysWOW64\Pjaleemj.exe
C:\Windows\system32\Pjaleemj.exe
63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3496

C:\Windows\SysWOW64\Pciqnk32.exe
C:\Windows\system32\Pciqnk32.exe
64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1504

C:\Windows\SysWOW64\Qclmck32.exe
C:\Windows\system32\Qclmck32.exe
65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1716

C:\Windows\SysWOW64\Qmdblp32.exe
C:\Windows\system32\Qmdblp32.exe
66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4012

C:\Windows\SysWOW64\Qjhbfd32.exe
C:\Windows\system32\Qjhbfd32.exe
67⤵
- Drops file in System32 directory
PID:4032

C:\Windows\SysWOW64\Aadghn32.exe
C:\Windows\system32\Aadghn32.exe
68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2416

C:\Windows\SysWOW64\Abjmkf32.exe
C:\Windows\system32\Abjmkf32.exe
69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:404

C:\Windows\SysWOW64\Babcil32.exe
C:\Windows\system32\Babcil32.exe
70⤵
- Drops file in System32 directory
PID:4020

C:\Windows\SysWOW64\Ckpamabg.exe
C:\Windows\system32\Ckpamabg.exe
71⤵
PID:1776

C:\Windows\SysWOW64\Cdmoafdb.exe
C:\Windows\system32\Cdmoafdb.exe
72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1636

C:\Windows\SysWOW64\Cdolgfbp.exe
C:\Windows\system32\Cdolgfbp.exe
73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:4536

C:\Windows\SysWOW64\Cildom32.exe
C:\Windows\system32\Cildom32.exe
74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3332

C:\Windows\SysWOW64\Ccdihbgg.exe
C:\Windows\system32\Ccdihbgg.exe
75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3912

C:\Windows\SysWOW64\Diqnjl32.exe
C:\Windows\system32\Diqnjl32.exe
76⤵
PID:3424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 400
77⤵
- Program crash
PID:5204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3424 -ip 3424
1⤵
PID:4824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4396 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:740

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadghn32.exe
Filesize
163KB

MD5
550d9d4d4c4c0a561e61f55580b08c73

SHA1
4508317beade8f8c0f2227ea56ad5392734e6896

SHA256
26b08a5430c0c1b85267292dc1d2f5ee51b181be689beb8eadfa64a2134ccab6

SHA512
fe2bb7d2db15bc4917f4c754765114a9874ded1f271eed3eed94ac3602b805546f6c8654e42b79806ca48c0f6b1faf3cec48ad90b2f3df40f2bbcb39d8eab7d4

Download Submit
C:\Windows\SysWOW64\Afbgkl32.exe
Filesize
163KB

MD5
685b20611fafdb629af755d87a85b9b1

SHA1
dbd85f8b7dc98df4e635f34e70d19089b0b91b92

SHA256
bfd10c5f0dd035d6a4c1a25b8b18361170f2647d25d9170c24110675690a2fe3

SHA512
9741066a3905f1fb008c825a02d6bfd0e3a22399c92f17f89db334845fccaeeaf4d58e6dc02b7f1bd069dec98457dc9edc21a8670272e0891979d22f9acffaa6

Download Submit
C:\Windows\SysWOW64\Apaadpng.exe
Filesize
163KB

MD5
717004129caa5a4a2d3131cd163eee0e

SHA1
e3e3df97cd474fec250c306b118981f4ae9b9595

SHA256
e7a1667bfe39e8c156be2ce9f166c7c3e167e8909490c04a2de8936c10753133

SHA512
ed4b3d2ab982769391e3e238a1a1ff3d0b96601de5cc66de1ea7bc2af8c85ed9ca3021a774f6eaac4cb7faafa43115a27af0fb1d09fb39a1d703855bf579b923

Download Submit
C:\Windows\SysWOW64\Apmhiq32.exe
Filesize
163KB

MD5
a7b7b69f92c5b1670383f3569d84fe02

SHA1
104a2cd9627ef359c2840c2ab32682215f0b25a1

SHA256
910c3bdf19ab7e864c8831adefb01fc003b9abefb5c517f331afd2888ec4e80a

SHA512
916bb1aca835fb3662e5541b0fe24b052a25c26c3b0e55d9486c379786e3fc09685f7544aa8e2c23bd2e67bb56396187f9a3f307abb0b2a078b15f7e853858c6

Download Submit
C:\Windows\SysWOW64\Bdagpnbk.exe
Filesize
163KB

MD5
1c95e2749a3b2a1a7cfa0e07efae3577

SHA1
fc58c11590b7b1c9de250bfd2b56e9535add1ab2

SHA256
d824067b1a44f841bf3757244a0bd4e2e83043055a6891a6dd4e602465036e47

SHA512
0b3ef215c8eb60a380fbac243450ec4a2f9caba012a924091dda01d678bcd0fac12f9ee8f63735d02d32b794269d8dc6d7e1ba12444d9673709b7bc759f35652

Download Submit
C:\Windows\SysWOW64\Bnoddcef.exe
Filesize
163KB

MD5
c4b67d7475a56232c8081dba705cdfcb

SHA1
3486710759ec50f062d7aeac895251f29e9b32a8

SHA256
0e9d27ade973125899f7be0b5b1189d88de9b2981dc351fd035f46f7031c6084

SHA512
780d8888a734b403d08b14c4f46f2037ca9dc87ccb49f98763e45257a1c70e694a544d48784f590fd9d3a19b4c605749b87ae78ca101471213f9e166020e0f33

Download Submit
C:\Windows\SysWOW64\Ccdihbgg.exe
Filesize
163KB

MD5
211ea342329d72e9f26a6285da007d65

SHA1
3765f2cfa56d9fca79645d3c60891f4ffa000550

SHA256
7e9d32f34110cc91f02af73ad25b0319c52ffa818d8ffa9aee276684dcb48e06

SHA512
5a4e2827e587ce9049f35f548fccef8553121ad4f32d3435e5eacb171b393020fc2df557ca5f8773fa21fa8594e001cfbf2bda500c3f7a3f23af9cc9cbc35634

Download Submit
C:\Windows\SysWOW64\Ckebcg32.exe
Filesize
163KB

MD5
c2b464c90ab61ec4c83a9f310feac98a

SHA1
09b7931392586e593a94a2cfe8d5ca21153757f6

SHA256
28dc5bd54a181510815ea442f4ac1e0b254e27a6eb32efbacebd0b73e43cb023

SHA512
d2c167c4dbd4f2aec6564d4f842f4ee4c51f52e2c5b49d14d4c03abf951c8a751d2de725b2e29167f86f024970653652a2ae2444e168094be858a6c885679b56

Download Submit
C:\Windows\SysWOW64\Cpdgqmnb.exe
Filesize
163KB

MD5
dcae66a661845d1de25a6cb870b9fd0f

SHA1
43bc47887cdf8374d56cb5dd0053e64f264a7995

SHA256
a64c98b90e37074e5e47b4c02f633d4dc2e26d6084b38bb0b32d5ba5a8a5b564

SHA512
f06a656ac2fc45b7332ce9ff9d8d1384325a1c91cf89451d73c322d56b5e3d684120d45115693a5c7881d912c6013b52a3ede969e8c5d09119cca447e95a4a50

Download Submit
C:\Windows\SysWOW64\Dhbebj32.exe
Filesize
163KB

MD5
ab6a202cf62bc0ca138a3ee032254459

SHA1
d9649739f45ff8450ca5732bc4d5405ccf049f02

SHA256
23567139f59d637bd4c786934d00b519e60a30d74338cf2e50a9d5965cd8077b

SHA512
f55444d7f0e8e561a0f17d200c73b9e23ef8baf517b67312d66173aeb6f20c5e6dc35a9bd0a998986115881305be0da0fe1823ce9a5cde88a43948f2b303cc7f

Download Submit
C:\Windows\SysWOW64\Dhgonidg.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Dhgonidg.exe
Filesize
163KB

MD5
0949b26bd8c154c08b3e7450a2bd5177

SHA1
c9d140318785f24a3835a61a6d372b8364567c61

SHA256
752389e6050e362bb0a07d44293a67cb1ed0b6a60dc507647b1c99469b4b42ca

SHA512
dc6f3c9d1206cd2c1ee42df2a10468df6a910b019a5529f95ba48a34637b9a351a4f4fd4886a4d87e7d674e1be5c9750e4fbbd20d9ac172aa24ce8b44b6317f6

Download Submit
C:\Windows\SysWOW64\Ebaplnie.exe
Filesize
163KB

MD5
f84b2319cbc5d66854c2c026be619f86

SHA1
7635ffb2581c02af7eb594e14fea75bbe70cb797

SHA256
0ce5910475fe7758d4403e265d8a067b85238c838bc44f03228afd8103d54cf8

SHA512
fcf442b33d3768dc08bb74286b06497d3ecead1d4847041b42e801e566a25fe570567a848135d4f5c856b773cf370af792538e360c5372a1fe2995c40dfe4d33

Download Submit
C:\Windows\SysWOW64\Egcaod32.exe
Filesize
163KB

MD5
95c45d85f8fc7189b08d8c5426ae539b

SHA1
00e5daa6e085a268278fe082cee33928321a6282

SHA256
03cc89bf55527383f80e255b372c77c0d981c193432390e1098f4517ab9c90fa

SHA512
50e7690bc3ca0c6367fe3d47f8635c6b0c3427c6223693a4e89f575ad0b09ecddc57b7ec8e42b32ec478e2bc6d22da23059b17b9449bf0b47a087feda88443b1

Download Submit
C:\Windows\SysWOW64\Eomffaag.exe
Filesize
163KB

MD5
3620c92a0c04fba35d8c19cd2a2ab277

SHA1
b81291f0ebd20d9ed77bd8531f30a1becf36bf34

SHA256
dc0bad3f78e19c7d6bfed2bd965e8df8cdcc47b69a18545dd4271a1ca12d700c

SHA512
5d00386f8b1ad4c82d8ada00b5437865311e10ca77751d239fdeee0f5b986d2a9fa52c94224ece4bc3410145418126a690a5ccebbbb234e6bc98cee7f61bb203

Download Submit
C:\Windows\SysWOW64\Eqgmmk32.exe
Filesize
163KB

MD5
b65778ebfcffaefce06c06a78950375b

SHA1
287711cdf17cfc8213e52952986abe5b0474f0c9

SHA256
d36a3ca8a08aab0c5dff66aea6b5440ec54b2622a056b0c4eaf4dae6aedb0798

SHA512
d3ae77b2ee9c73ea04052a65f6343b9eafaea817a0e68cfc18d4d4d66dc9e1436c13b4729adfd381a4862d27f3866967711eb0f35941f9a3a2819f75f37aa9d9

Download Submit
C:\Windows\SysWOW64\Fdlkdhnk.exe
Filesize
163KB

MD5
93437add1fad5333d2d79fa086897ba2

SHA1
df0f64a45499b1fc39f9b27d0ee4b556904645a2

SHA256
7b448925d432940087a77778a56b47959ef90bb70d1fee4d02c9bc2817f22791

SHA512
eb20ec93f5cf7df5e24b961c4e06415d041e2356b91896c60f80e31c24ea4ce0aac61c4897b820b019dcde04c57a1de33a7e50cbdf36ab998f8ab919359aeaa4

Download Submit
C:\Windows\SysWOW64\Fijdjfdb.exe
Filesize
163KB

MD5
ed6e8dbe1c636918a655348584ea4b29

SHA1
9be6e2ed67757575069e1935066b46291affc31f

SHA256
65f00f7684bb56653a0b47b8b0fe8a84eddcdf80c2eb034530b122e4b7882435

SHA512
1e448911433b3d13e60e69a66028293b139c6bee961ae3ca314e077809ffae5d4ff419806c29027178d1b48b2b6d87a36cdbdddcd93358b340e7964ec35d3400

Download Submit
C:\Windows\SysWOW64\Finnef32.exe
Filesize
163KB

MD5
d3b8b963ac8c5e9885fe00076399cc01

SHA1
89255d6c6f9f3d2ee1fa7c9f65d9e0d4a9b921d3

SHA256
1aa3d87f791d143e13a76ad6d6fc45d5684ca5adee0eb6bb840257db8bd94570

SHA512
ebb1405b27ae4153b9a3a1e34d905f240e80de223b1ba7b1033bb01abdcd2c1573bf51d8ceb4737bada894e3980a1f837c66dbdb80dc0f2799952f278629e1ee

Download Submit
C:\Windows\SysWOW64\Gnblnlhl.exe
Filesize
163KB

MD5
e96a91b191a7ac6d83a534ba607243aa

SHA1
479f288c30e8538e6113ab1740b7cec66ec1f4d2

SHA256
12dff05815243637dbf54daf16f710f4bf34dfef42809966ece97e3f1480e22f

SHA512
b164d4d38cb43da250cbee0a80b23fe1a39643de0b7820f2b8697bda905b3341aabda055227a13a13fb7b87aad4d600e7b632c91979d892c778d41e320b3467b

Download Submit
C:\Windows\SysWOW64\Gokbgpeg.exe
Filesize
163KB

MD5
55f4fddaaff046ab53c0d26aaab4e9bf

SHA1
e00f36b5a091476309510201f7a247fbc1518395

SHA256
018b356b8025ce9f6260282b6c1d5964e739ade6ee34364c33d1cb143a9b306b

SHA512
a0a7110f4dfd5f4452d666ed56ca6cbfafdb77036487ce13fe144b6bd8b76feb4c26cb9ad69461938bf0afea521a2ebc63a276de0ebab48f00e3708b1dfc6ab6

Download Submit
C:\Windows\SysWOW64\Gpdennml.exe
Filesize
163KB

MD5
61c69af6ce8045a9ed9794373618088c

SHA1
3a8fd01345136f8541a70dcb5435d8dc73ee0762

SHA256
6eca74254a83eba4eeca7217ad559df859710c69e7d29b69a000d45a39f13c56

SHA512
89d77776111365b277abb67c8493bd0c12213c4c86468b8fd1bf3a68b62b45d64a0da3f3e622a55af6b5f632b7ca98dbb8a1925ec39c04371ab7099c2f8c87fc

Download Submit
C:\Windows\SysWOW64\Hejqldci.exe
Filesize
163KB

MD5
0d7e9e8ab631ff87e9cba84dc9d36bbe

SHA1
770c5a6d49dc94b2149a87833a16280ab797ac86

SHA256
9b0b5a8a54e19f189480110abf6bc70d5dacdbe8021ace11bfcc1eab133e6a5c

SHA512
68ff7612ba9cb497ce6ed9570c488f5986202a6050c6094f95681cec2c653e7bce4dfc4c20f288884d74e871a9e2e39c9fb861bd5f3bf20f3eb75d042bc51c88

Download Submit
C:\Windows\SysWOW64\Hicpgc32.exe
Filesize
163KB

MD5
08a46a233192e3fe309e5cc1bcc9479d

SHA1
3dc625208884693d52dec83c2f9510375cd47c5a

SHA256
544173a788231de6c399611e6e6a3360aafc9aa0eaf7d60b546d4b42006e921c

SHA512
3cee15b35102cc848cc83cba511c3b451c71eebf41ec6697e657b6f775c03f2d02c3c1e74fdb3c3679a32f3c4b17a144e873ec3fe1b93af0d16e4dd9825bf985

Download Submit
C:\Windows\SysWOW64\Jpbjfjci.exe
Filesize
163KB

MD5
5d14ab51708b99afe190bc70c8062a64

SHA1
9f2ab224970b8003804817beb0e2a1be123d4fc9

SHA256
aef3191e7a32acdb37a776a78b9ca8dad81da8a3be3d050cfa16a9fb1d386814

SHA512
c1ee24f60e1701516f52d504294705c23c46e8d4216c82145e06bab629fe5941ed3683a76b9a8433305f33e1375ab33ad1843a06dd5c2b4c28fc225802ae9b74

Download Submit
C:\Windows\SysWOW64\Klggli32.exe
Filesize
64KB

MD5
f51c910797c884db9fe6ab28a4c7ab8e

SHA1
a70dfe86325253f189a0b495a894953e6e5cf48b

SHA256
2874ceb5a38062c48874bb61cd5e7210bedafa86156cac7ff6caee017b9a7012

SHA512
a81d1f0a6f98e83ebb7e5a17307a2b7f8a245c43eb02a8735cbb146eac06441a51b5fa915c3dada3827ceea00b175fccc2a12c395182ac93710411db5c7b3dd3

Download Submit
C:\Windows\SysWOW64\Kpnjah32.exe
Filesize
163KB

MD5
24954a889e34862c977c796046719558

SHA1
f254c6e43c9303fb80648ad5dcdf5dd605cb6436

SHA256
d61c8a25c1724e19b3518344446a47c1d20269db7e103c670d80fdcdb92054ba

SHA512
323acbafbf671939013e863a49dd73f088bf74f971e8ca1441d1402210ac69d42f55655aa114038d8487ace34ea5c2ac2f388dca9f46359bd4ad2ec35e6d1af8

Download Submit
C:\Windows\SysWOW64\Mcifkf32.exe
Filesize
163KB

MD5
45a073ff578024a63a06524afb11a441

SHA1
5a3d65e76a923a8bb885eb0a8c0976115646cc6d

SHA256
241e44116bc841c501c575ba282ea9bd7f908579206b3f2e8944ab5b791f9b0a

SHA512
6569a2a7bd1bdb9bee0f80d275650f98ce6657258d5c1f26a5d7a655a79d443f8094cb7c50c5f20db427635c98659185ef6e4de5b3759e830deaed14ebfd916d

Download Submit
C:\Windows\SysWOW64\Mfchlbfd.exe
Filesize
163KB

MD5
1cfdb663475b5a5fa06bf0f434a478f1

SHA1
0781911f3d207d415a8e9a7d5f336cc97a71a932

SHA256
8d9e30c64bf1d3fb0da465bf762173328bac3c795429dcf9fdb1564daa389c65

SHA512
7368ab7af557176f8ab736bde0ff4eb542d5642db55667e4354451a92b8290ac1081f6f62a5965b771ef2e16b5e71fc7f4b9a082703617cc71d59040698bfd0d

Download Submit
C:\Windows\SysWOW64\Mjidgkog.exe
Filesize
128KB

MD5
8c6825bb20b0dba1467e267b545dcc79

SHA1
533462de299b32bba2094aa92f20941fffc3acb3

SHA256
8bd1f747d530a4ce196104c2d051df7db2508a1965e6b3623d03964a9d23fd0c

SHA512
ee18889df2178d6f494d5235ad75338edc336caea27936467ea3c9733f26d3236baebbd11de0a739b02f0950850b417c73eb940049cf03cddb47402508a0aea8

Download Submit
C:\Windows\SysWOW64\Nadleilm.exe
Filesize
163KB

MD5
5a8f4e2f60a5a56b96e8d2520df9e3e0

SHA1
f784a6dc633c9b387d3f3bc66e7de587d4004a4c

SHA256
186fdf8c26061d9b5443cd7ecdc9498c656a546184ccc9424319c207bbbfcec7

SHA512
cb6d0eb9dc9ed370beb971106d5f12d4877278731310a293bb4a1d6e6a5d487df57be14e1fcfe7ae40040470a75d2d4709f2a9863ecffb95197ddda6774f64b8

Download Submit
C:\Windows\SysWOW64\Nagiji32.exe
Filesize
163KB

MD5
6034eb12bd4588b4c9347e1921ff6fd0

SHA1
3e7eda6aff4755e49055d5f910d40286da2ebd15

SHA256
84d8b7c098607519e1c46fd7ed4aee5ef322d4bed334b0509c745443e80f2106

SHA512
ea4e8c2a6117f8a91e401d1191b84646e8b0dd39b5b611aa48c004ed0ab10247fb62c37747bb5ead9bdb1c09c2b65e9ac4ce0264c1b462c49a7e8f92c2a95a99

Download Submit
C:\Windows\SysWOW64\Nclbpf32.exe
Filesize
163KB

MD5
f06348648c8fcb2d0d069b5c045d1e3a

SHA1
0f3524e52e622032ff73f92c11121c3c501eb29d

SHA256
053a442e459ef8b3da3c71a49d42f24b88c10a7db725d7eeacbcfeda5ec6cb89

SHA512
a2f153be58af117f21ef35bbebc46813e2a6a8eacf98fe9993e0a2fcc14ae6d35d54fca43b4ab834b5a3088e6c5cd05d87fb9e5c92a1898395553fd95dab66f8

Download Submit
C:\Windows\SysWOW64\Nmfcok32.exe
Filesize
163KB

MD5
6951e8317c39f191260237f3b704c805

SHA1
84891516ac30e2c6c6b8622af1df7298f1a6f50b

SHA256
02400398daf689e99e3bc4adeadf9406cdb43cac059916f2a66bff9f609797fe

SHA512
377d79f7ffc4552aeda847fabcd7ef37a2f5a288413b50583af4eaf6dc57364a25edb240c475e91f668a1a8067a1851e27a28fad7d4b17f6b81e01cc6be1eee8

Download Submit
C:\Windows\SysWOW64\Ofhknodl.exe
Filesize
163KB

MD5
0e54c06367dad4973e7ee2f249b00601

SHA1
6e9244cb91c17afeae926b87e142f89c5ea48905

SHA256
daba018ec03d1f6d6b556a0d5e6329477c6ffb07b958b1a9a8648c6099d23f51

SHA512
ed398f91c88e7213df650446df4f940d6392af19ff4cba56f61212d3bbe41c08ed67225f775d01e27bc0b2411c8e53503e7d7450a5e5bbddc798d727cf535813

Download Submit
C:\Windows\SysWOW64\Oikjkc32.exe
Filesize
163KB

MD5
6dd2278940ea682287bdf132eeef14a3

SHA1
212ec10ba5dcac8d353cd5e4d3d97858ad938229

SHA256
088e172214b3704fdbb8fe6e26b6c61ed053247f86f726ed548396d1fa9286f2

SHA512
e40652b22f5d5720f865f29b96cd94316f7197406dfff6aa3e05b496d38a25e3feeaadb2ef061db85193502f5aa09c3a054126d171953f884346ce2f3a32b42c

Download Submit
C:\Windows\SysWOW64\Omgmeigd.exe
Filesize
163KB

MD5
b46cdea9c06be7f11cab5f3792d25e03

SHA1
0b3ac41548627e373fe48194df095cadd62ce583

SHA256
1b47445307dbe490cfa86054992e88fae26da4b538331033fa5577fb454b8c3b

SHA512
647af16e0e9adfbf4ed6251a2e981644eadad1408973dc2ffcd52499d567da62f010de576d027995b8dc278ae3cef346e7d7965fe6649d0f685d40dcc329db9b

Download Submit
C:\Windows\SysWOW64\Pmpolgoi.exe
Filesize
163KB

MD5
e290c21f95ea0ec51b33a05d40b59481

SHA1
e0a6bbfcb399368c9707398cfef019bba843c0d8

SHA256
fa53875000698c7e2099d4f87fca56cc80cfe3eccee687bef9ca6cc8dc1030fc

SHA512
c61bdcae1c58780aa845456c8f111c58aa622b2986221ee072e04b75c1501dba15c2a79c5e125f63507a3373ea123ce824f7725ab55a2f95a7bfa6ff789b3957

Download Submit
C:\Windows\SysWOW64\Pnifekmd.exe
Filesize
163KB

MD5
4b87d5938fab822815ba11e960d2bda2

SHA1
e1efee1be7a1ade4ebd7aa18c294e5b819dacd84

SHA256
5fa8761ad6b31e32efcd98a2dfd4f3b6c2b4319fbf5a185c337e2275d4923f83

SHA512
d7838fe396a7c932aa8e2c739f5d042736c10994d58a6f75a60ee05272553d53054f6e4dcb38963bdbf67bdf83ce4a43918a89280c13b6666852b510127c13c9

Download Submit
C:\Windows\SysWOW64\Qmdblp32.exe
Filesize
163KB

MD5
14138686dd2a0a243c742c011e8065da

SHA1
491e795b20e5eef811b21517417530fad007f0e5

SHA256
8df5c03f121bccd2ab7098d06898bcfd45269e82d527a421159e0d8ab0618443

SHA512
62d9ea62cfb95d28160b7602ce3580b99b16e73e88db44350d72c9b7f1b3e3ee4812ab27b1c25af77467db5b4c032c4253be65de59499c6b61a381869a18e162

Download Submit
C:\Windows\SysWOW64\Qodeajbg.exe
Filesize
163KB

MD5
3172a38e1acbfcbc3c3755c25ed3385c

SHA1
c70dff6f85d9803b3e239d22577543a485d225f2

SHA256
042f42c141b29b1cce061a857512107235c930380421ec6f6c72a4b8c2e2cd7e

SHA512
e295ef486ea240a786542094c621fce105571f14c32442311599fd5c0422f274abdda28f7093dd1251609b03e12a3332c7bf3d2b92cc0b9178f7276c7f78b9d7

Download Submit
memory/220-40-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/376-399-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/404-492-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/404-567-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/432-276-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/692-294-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/748-88-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/756-120-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1108-185-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1112-270-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1200-65-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1504-453-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1504-573-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1600-264-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1636-509-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1636-559-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1716-460-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1716-571-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1752-249-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1776-561-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1776-507-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1864-657-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1864-169-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1964-193-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2160-233-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2164-342-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2240-8-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2240-696-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2252-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2252-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2260-241-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2356-388-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2384-408-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2384-587-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2388-354-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2416-480-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2416-565-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2640-129-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2688-428-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2688-581-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2888-421-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2888-583-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2960-439-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2960-579-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3052-324-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3096-330-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3232-144-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3288-336-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3332-555-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3332-521-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3336-217-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3336-644-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3348-136-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3380-402-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3424-534-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3424-551-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3448-282-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3460-374-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3476-160-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3496-575-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3496-447-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3524-104-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3548-577-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3548-441-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3572-96-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3656-80-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3656-679-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3740-112-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3800-48-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3804-17-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3900-415-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3900-585-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3912-528-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3912-552-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3928-33-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3956-382-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3972-224-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4004-24-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4012-569-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4012-466-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4020-499-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4020-563-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4032-473-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4132-200-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4180-56-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4228-306-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4348-152-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4440-300-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4480-288-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4484-372-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4536-515-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4536-556-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4540-73-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4664-361-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4684-318-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4712-258-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4712-635-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4728-348-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4808-312-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4848-209-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5028-176-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download