ef34bcaad0692eca90cc3d9b530f119033dd08e07d8dfeedb0ba611687e05ef3

Analysis

max time kernel
65s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 09:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef34bcaad0692eca90cc3d9b530f119033dd08e07d8dfeedb0ba611687e05ef3.exe
Size

50KB
MD5

0b397bb545be789ffd7c0ff37d155c00
SHA1

f598ef1661800987cb3dc4dd473167a030cfd659
SHA256

ef34bcaad0692eca90cc3d9b530f119033dd08e07d8dfeedb0ba611687e05ef3
SHA512

cdf35bcc6697b1da28408749900e6645c875c3b4075c001015460cd5d255d29aa9f7979d533a8b3357c8f8f79d9a5aaaea4a74ee5ecdf04db68423d5986681bc
SSDEEP

768:Rnf8qlIDhgmuChdoAr1YyTLgHVKrGL2QU+AEzkzroZUEIZpjDFwdvzqlz/1H5r:RfqlpPoAr1ERL2QU+AECeUEIZpj5wBI

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Hmpfkbig.exeIbfbihod.exeOlcmfefg.exePdckef32.exeLdfijj32.exeMagimbfi.exeOmmfha32.exeHgcnblkp.exeGhbafqpe.exeJbaemled.exeMjjdbcmm.exeMnepbb32.exePgobic32.exeLleeacdc.exeNfgkhcmi.exeKdcjlbmp.exeJokbhm32.exeKodenk32.exeKkkfcl32.exeMjblhl32.exeJeemmphg.exeKmggbq32.exeMafnfkon.exeHpapmn32.exeKmiboh32.exeLfniji32.exeKaepho32.exeOfjhndji.exeHmepfb32.exePeflpo32.exeGkanbloi.exeIbbhni32.exeJljifa32.exeNkohlb32.exeKagmno32.exeNnbplf32.exeOhpbahif.exeNnelae32.exeMqldefcm.exeMcafbpli.exeJmldnmii.exeKbnfbc32.exeMlhpnolp.exeOqjonp32.exeMblgjonl.exePeqkjjib.exeObnhlheh.exeOmdqjnaf.exeLaelgb32.exeNcicme32.exeGhjhfp32.exeHdqhkq32.exeLcpmnm32.exeOnggnloj.exeNkdcpj32.exeMfefen32.exeGlqjlo32.exeJfkdhkpq.exeLnnkjgbn.exeLoohbo32.exeNmjkkf32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmpfkbig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibfbihod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olcmfefg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdckef32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldfijj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Magimbfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ommfha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgcnblkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghbafqpe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbaemled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjdbcmm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnepbb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgobic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lleeacdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfgkhcmi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ommfha32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcjlbmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jokbhm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kodenk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkfcl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjblhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jeemmphg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmggbq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mafnfkon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpapmn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmiboh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfniji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaepho32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofjhndji.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmepfb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Peflpo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkanbloi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibbhni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jljifa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkohlb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagmno32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnbplf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohpbahif.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnelae32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqldefcm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcafbpli.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmldnmii.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbnfbc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhpnolp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqjonp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mblgjonl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mqldefcm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Peqkjjib.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obnhlheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omdqjnaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laelgb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncicme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omdqjnaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghjhfp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdqhkq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpmnm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onggnloj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkdcpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfefen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glqjlo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfkdhkpq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnnkjgbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Loohbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmjkkf32.exe

Executes dropped EXE 64 IoCs

Processes:

Lamkkllp.exeLkglia32.exeLgnmnb32.exeLmkefi32.exeLgpica32.exeMqinmgjp.exeMfefen32.exeMonkncoh.exeMblgjonl.exeMmbkghna.exeMbodooli.exeMgklge32.exeMneddpbm.exeMgnime32.exeMafnfkon.exeNnjnoo32.exeNfecda32.exeNcicme32.exeNamdfjif.exeNfjloqgn.exeNpbqhf32.exeNikeql32.exeOeafemjc.exeOhpbahif.exeObefoaim.exeOedbklhp.exeOlnkhfom.exeObhcdq32.exeOefoql32.exeOhdkmg32.exeOoodialn.exeOampemkb.exeOfjhndji.exeOmdqjnaf.exeOpbmgipj.exePikapo32.exePpdjling.exePgobic32.exePmhjem32.exePgaoocca.exePiokknbe.exePchocd32.exePeflpo32.exePhdhlk32.exePonphe32.exePehheoff.exePkeqmfdn.exePcliocep.exeQdnefk32.exeQkgmcebk.exeQnfjoa32.exeQemapn32.exeQkjjhe32.exeAadbeohe.exeAhnkbi32.exeAafoko32.exeAgcgcf32.exeAnmpppkg.exeAjdqea32.exeAghanepd.exeAfmnoa32.exeBcanifcf.exeBklcmhaa.exeBgcdbi32.exe

pid	process
1176	Lamkkllp.exe
1492	Lkglia32.exe
2040	Lgnmnb32.exe
2004	Lmkefi32.exe
1728	Lgpica32.exe
1468	Mqinmgjp.exe
520	Mfefen32.exe
1756	Monkncoh.exe
888	Mblgjonl.exe
1276	Mmbkghna.exe
1296	Mbodooli.exe
1816	Mgklge32.exe
648	Mneddpbm.exe
1904	Mgnime32.exe
612	Mafnfkon.exe
432	Nnjnoo32.exe
1552	Nfecda32.exe
1992	Ncicme32.exe
556	Namdfjif.exe
1704	Nfjloqgn.exe
856	Npbqhf32.exe
664	Nikeql32.exe
1692	Oeafemjc.exe
1500	Ohpbahif.exe
1020	Obefoaim.exe
1336	Oedbklhp.exe
932	Olnkhfom.exe
1052	Obhcdq32.exe
1740	Oefoql32.exe
2024	Ohdkmg32.exe
1736	Ooodialn.exe
1976	Oampemkb.exe
1824	Ofjhndji.exe
1724	Omdqjnaf.exe
1872	Opbmgipj.exe
1044	Pikapo32.exe
1760	Ppdjling.exe
1108	Pgobic32.exe
1284	Pmhjem32.exe
1456	Pgaoocca.exe
1404	Piokknbe.exe
784	Pchocd32.exe
1644	Peflpo32.exe
1536	Phdhlk32.exe
984	Ponphe32.exe
1936	Pehheoff.exe
1884	Pkeqmfdn.exe
748	Pcliocep.exe
680	Qdnefk32.exe
964	Qkgmcebk.exe
1952	Qnfjoa32.exe
240	Qemapn32.exe
1832	Qkjjhe32.exe
880	Aadbeohe.exe
1604	Ahnkbi32.exe
1708	Aafoko32.exe
1140	Agcgcf32.exe
1888	Anmpppkg.exe
1320	Ajdqea32.exe
1900	Aghanepd.exe
2028	Afmnoa32.exe
1372	Bcanifcf.exe
816	Bklcmhaa.exe
272	Bgcdbi32.exe

Loads dropped DLL 64 IoCs

Processes:

ef34bcaad0692eca90cc3d9b530f119033dd08e07d8dfeedb0ba611687e05ef3.exeLamkkllp.exeLkglia32.exeLgnmnb32.exeLmkefi32.exeLgpica32.exeMqinmgjp.exeMfefen32.exeMonkncoh.exeMblgjonl.exeMmbkghna.exeMbodooli.exeMgklge32.exeMneddpbm.exeMgnime32.exeMafnfkon.exeNnjnoo32.exeNfecda32.exeNcicme32.exeNamdfjif.exeNfjloqgn.exeNpbqhf32.exeNikeql32.exeOeafemjc.exeOhpbahif.exeObefoaim.exeOedbklhp.exeOlnkhfom.exeObhcdq32.exeOefoql32.exeOhdkmg32.exeOoodialn.exe

pid	process
1944	ef34bcaad0692eca90cc3d9b530f119033dd08e07d8dfeedb0ba611687e05ef3.exe
1944	ef34bcaad0692eca90cc3d9b530f119033dd08e07d8dfeedb0ba611687e05ef3.exe
1176	Lamkkllp.exe
1176	Lamkkllp.exe
1492	Lkglia32.exe
1492	Lkglia32.exe
2040	Lgnmnb32.exe
2040	Lgnmnb32.exe
2004	Lmkefi32.exe
2004	Lmkefi32.exe
1728	Lgpica32.exe
1728	Lgpica32.exe
1468	Mqinmgjp.exe
1468	Mqinmgjp.exe
520	Mfefen32.exe
520	Mfefen32.exe
1756	Monkncoh.exe
1756	Monkncoh.exe
888	Mblgjonl.exe
888	Mblgjonl.exe
1276	Mmbkghna.exe
1276	Mmbkghna.exe
1296	Mbodooli.exe
1296	Mbodooli.exe
1816	Mgklge32.exe
1816	Mgklge32.exe
648	Mneddpbm.exe
648	Mneddpbm.exe
1904	Mgnime32.exe
1904	Mgnime32.exe
612	Mafnfkon.exe
612	Mafnfkon.exe
432	Nnjnoo32.exe
432	Nnjnoo32.exe
1552	Nfecda32.exe
1552	Nfecda32.exe
1992	Ncicme32.exe
1992	Ncicme32.exe
556	Namdfjif.exe
556	Namdfjif.exe
1704	Nfjloqgn.exe
1704	Nfjloqgn.exe
856	Npbqhf32.exe
856	Npbqhf32.exe
664	Nikeql32.exe
664	Nikeql32.exe
1692	Oeafemjc.exe
1692	Oeafemjc.exe
1500	Ohpbahif.exe
1500	Ohpbahif.exe
1020	Obefoaim.exe
1020	Obefoaim.exe
1336	Oedbklhp.exe
1336	Oedbklhp.exe
932	Olnkhfom.exe
932	Olnkhfom.exe
1052	Obhcdq32.exe
1052	Obhcdq32.exe
1740	Oefoql32.exe
1740	Oefoql32.exe
2024	Ohdkmg32.exe
2024	Ohdkmg32.exe
1736	Ooodialn.exe
1736	Ooodialn.exe

Drops file in System32 directory 64 IoCs

Processes:

Hmlmpc32.exeLnnkjgbn.exeNbnidl32.exeOnggnloj.exePpmipg32.exeJeemmphg.exeGnbgcg32.exeIdlhlpam.exeOjccgehm.exeQemapn32.exeMjjdbcmm.exeLninnk32.exeIinmqb32.exeOahppg32.exeObhcdq32.exeLeipoioi.exeMcafbpli.exeJinlhnbc.exeIcjkfpcp.exeJmgijeek.exeKbkgck32.exeNhoacp32.exePlmbel32.exeOpbmgipj.exeOpjpldbf.exeNfgkhcmi.exeOkimkj32.exeJkdpbm32.exeKdanfb32.exeLhlffd32.exeJfdigb32.exeLlanompm.exeLmkefi32.exeIhanloon.exeJfpmcj32.exeKaepho32.exeOmmfha32.exeef34bcaad0692eca90cc3d9b530f119033dd08e07d8dfeedb0ba611687e05ef3.exeHfikdh32.exeLdcfkepl.exeJfncfceb.exeLfgblepb.exePehheoff.exeMnepbb32.exeNonbki32.exeOaecjh32.exeMcbhki32.exeOfdhhn32.exeOmopehap.exePdckef32.exePcigio32.exeMneddpbm.exeGgjklmcj.exeOfjhndji.exeFkfknh32.exeJaphedpf.exeNnbplf32.exeLkglia32.exeAnmpppkg.exeLleeacdc.exeNpfidm32.exeMgklge32.exeNkohlb32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Hceemmdi.exe	Hmlmpc32.exe
File created	C:\Windows\SysWOW64\Lplgfbab.exe	Lnnkjgbn.exe
File opened for modification	C:\Windows\SysWOW64\Nelepg32.exe	Nbnidl32.exe
File created	C:\Windows\SysWOW64\Oaecjh32.exe	Onggnloj.exe
File opened for modification	C:\Windows\SysWOW64\Jfncfceb.exe	Ppmipg32.exe
File opened for modification	C:\Windows\SysWOW64\Jmldnmii.exe	Jeemmphg.exe
File opened for modification	C:\Windows\SysWOW64\Gfioed32.exe	Gnbgcg32.exe
File created	C:\Windows\SysWOW64\Jfkdhkpq.exe	Idlhlpam.exe
File opened for modification	C:\Windows\SysWOW64\Omaocaga.exe	Ojccgehm.exe
File created	C:\Windows\SysWOW64\Nkdphk32.dll	Qemapn32.exe
File created	C:\Windows\SysWOW64\Iibnhcdc.dll	Mjjdbcmm.exe
File created	C:\Windows\SysWOW64\Nhfihdhl.dll	Lninnk32.exe
File created	C:\Windows\SysWOW64\Njjjofgi.dll	Iinmqb32.exe
File opened for modification	C:\Windows\SysWOW64\Opjpldbf.exe	Oahppg32.exe
File created	C:\Windows\SysWOW64\Dcpgplih.dll	Obhcdq32.exe
File created	C:\Windows\SysWOW64\Hmgeck32.dll	Leipoioi.exe
File opened for modification	C:\Windows\SysWOW64\Mfpbnllm.exe	Mcafbpli.exe
File created	C:\Windows\SysWOW64\Kbekip32.dll	Jinlhnbc.exe
File created	C:\Windows\SysWOW64\Ijdccj32.exe	Icjkfpcp.exe
File created	C:\Windows\SysWOW64\Jljifa32.exe	Jmgijeek.exe
File opened for modification	C:\Windows\SysWOW64\Kanhogdd.exe	Kbkgck32.exe
File created	C:\Windows\SysWOW64\Npfidm32.exe	Nhoacp32.exe
File created	C:\Windows\SysWOW64\Pnloah32.exe	Plmbel32.exe
File opened for modification	C:\Windows\SysWOW64\Pikapo32.exe	Opbmgipj.exe
File created	C:\Windows\SysWOW64\Ofdhhn32.exe	Opjpldbf.exe
File opened for modification	C:\Windows\SysWOW64\Nhfgdoll.exe	Nfgkhcmi.exe
File created	C:\Windows\SysWOW64\Fgcjajhm.dll	Okimkj32.exe
File created	C:\Windows\SysWOW64\Kbkgck32.exe	Jkdpbm32.exe
File created	C:\Windows\SysWOW64\Kagceg32.dll	Kdanfb32.exe
File created	C:\Windows\SysWOW64\Adepgpfo.dll	Lhlffd32.exe
File created	C:\Windows\SysWOW64\Kicecn32.exe	Jfdigb32.exe
File created	C:\Windows\SysWOW64\Lfgblepb.exe	Llanompm.exe
File created	C:\Windows\SysWOW64\Ngblch32.dll	Lmkefi32.exe
File opened for modification	C:\Windows\SysWOW64\Ibfbihod.exe	Ihanloon.exe
File created	C:\Windows\SysWOW64\Ddfpfckp.dll	Jfpmcj32.exe
File created	C:\Windows\SysWOW64\Khoheimm.exe	Kaepho32.exe
File created	C:\Windows\SysWOW64\Ghmhnf32.dll	Ommfha32.exe
File created	C:\Windows\SysWOW64\Agkflacm.dll	ef34bcaad0692eca90cc3d9b530f119033dd08e07d8dfeedb0ba611687e05ef3.exe
File opened for modification	C:\Windows\SysWOW64\Higgpc32.exe	Hfikdh32.exe
File created	C:\Windows\SysWOW64\Lgabgqoo.exe	Ldcfkepl.exe
File opened for modification	C:\Windows\SysWOW64\Jmgkcm32.exe	Jfncfceb.exe
File created	C:\Windows\SysWOW64\Iggglbfn.dll	Lfgblepb.exe
File created	C:\Windows\SysWOW64\Pkeqmfdn.exe	Pehheoff.exe
File opened for modification	C:\Windows\SysWOW64\Mlhpnolp.exe	Mnepbb32.exe
File opened for modification	C:\Windows\SysWOW64\Nfgkhcmi.exe	Nonbki32.exe
File created	C:\Windows\SysWOW64\Ofbkbo32.exe	Oaecjh32.exe
File opened for modification	C:\Windows\SysWOW64\Nfqegd32.exe	Mcbhki32.exe
File created	C:\Windows\SysWOW64\Ipjhon32.dll	Jmgijeek.exe
File created	C:\Windows\SysWOW64\Mkfhdmle.dll	Ofdhhn32.exe
File created	C:\Windows\SysWOW64\Ochiabil.exe	Omopehap.exe
File opened for modification	C:\Windows\SysWOW64\Ppmipg32.exe	Pdckef32.exe
File created	C:\Windows\SysWOW64\Fffhkohk.dll	Pcigio32.exe
File created	C:\Windows\SysWOW64\Mgnime32.exe	Mneddpbm.exe
File opened for modification	C:\Windows\SysWOW64\Gbppjfbp.exe	Ggjklmcj.exe
File created	C:\Windows\SysWOW64\Omdqjnaf.exe	Ofjhndji.exe
File created	C:\Windows\SysWOW64\Ghbafqpe.exe	Fkfknh32.exe
File created	C:\Windows\SysWOW64\Jbaemled.exe	Japhedpf.exe
File created	C:\Windows\SysWOW64\Nqalha32.exe	Nnbplf32.exe
File created	C:\Windows\SysWOW64\Lhcfbqga.dll	Lkglia32.exe
File created	C:\Windows\SysWOW64\Ajdqea32.exe	Anmpppkg.exe
File created	C:\Windows\SysWOW64\Mgmojgfq.dll	Lleeacdc.exe
File opened for modification	C:\Windows\SysWOW64\Nageleie.exe	Npfidm32.exe
File opened for modification	C:\Windows\SysWOW64\Mneddpbm.exe	Mgklge32.exe
File opened for modification	C:\Windows\SysWOW64\Nghefckc.exe	Nkohlb32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3984 3976 WerFault.exe Qckdonai.exe

pid	pid_target	process	target process
3984	3976	WerFault.exe	Qckdonai.exe

Modifies registry class 64 IoCs

Processes:

Paeabdhn.exeMonkncoh.exeOampemkb.exeBgeqgidc.exeMdjmkdjd.exeMghigpig.exeLicabaai.exeIlhpaoll.exeef34bcaad0692eca90cc3d9b530f119033dd08e07d8dfeedb0ba611687e05ef3.exeJpjobp32.exeLhoedm32.exeMnepbb32.exeKnlodg32.exePhdhlk32.exeBgcdbi32.exeJfncfceb.exeKlaapi32.exeMfefen32.exeLpodlboo.exeNelepg32.exeJinlhnbc.exeLpofdk32.exeOlnkhfom.exeGhbafqpe.exeLoohbo32.exeOnggnloj.exeLodcfg32.exeHjmach32.exeOpjpldbf.exeMneddpbm.exeGlqjlo32.exeLlanompm.exeIbbhni32.exeNfjloqgn.exePmhjem32.exeHceemmdi.exeOchiabil.exeGffboeoo.exeLfgblepb.exeMkbjkgkg.exeObnhlheh.exeNpbqhf32.exeJkdpbm32.exeLlhafcbq.exeJcacpgdl.exePehheoff.exeLdfijj32.exeHmpfkbig.exeLcmqhnnc.exePbenlgoq.exeKmiboh32.exeKpjkqc32.exeNcofkdag.exeMjggld32.exeOcbejl32.exePajkmc32.exeOedbklhp.exeOmdqjnaf.exeMajfbadg.exeHpapmn32.exePpdekl32.exeIalojd32.exePbpdag32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enpqchgk.dll"	Paeabdhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnnkmg32.dll"	Monkncoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oampemkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgeqgidc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdjmkdjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mghigpig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Licabaai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilhpaoll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ef34bcaad0692eca90cc3d9b530f119033dd08e07d8dfeedb0ba611687e05ef3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpjobp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhoedm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnepbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Knlodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Phdhlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcdbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfncfceb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljapic32.dll"	Klaapi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfefen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqehmadg.dll"	Lpodlboo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nelepg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbekip32.dll"	Jinlhnbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpofdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Andkqmdo.dll"	Olnkhfom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emimgp32.dll"	Ghbafqpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chgmndip.dll"	Loohbo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onggnloj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joaaihgf.dll"	Lodcfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjmach32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opjpldbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mneddpbm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Glqjlo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llanompm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgdlhmlb.dll"	Ibbhni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gciaie32.dll"	Nfjloqgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmhjem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmjgpa32.dll"	Hceemmdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ochiabil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gffboeoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iggglbfn.dll"	Lfgblepb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbjkgkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcegoofa.dll"	Obnhlheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcakmndg.dll"	Npbqhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkdpbm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llhafcbq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddcako32.dll"	Jcacpgdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pehheoff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldfijj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmpfkbig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmeqbd32.dll"	Lcmqhnnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbenlgoq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacegnjl.dll"	Kmiboh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjkqc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cibabd32.dll"	Ncofkdag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjggld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfnecf32.dll"	Ocbejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pajkmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Monkncoh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oedbklhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjeha32.dll"	Omdqjnaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majfbadg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpapmn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppdekl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ialojd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbpdag32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1944 wrote to memory of 1176	1944	ef34bcaad0692eca90cc3d9b530f119033dd08e07d8dfeedb0ba611687e05ef3.exe	Lamkkllp.exe
PID 1944 wrote to memory of 1176	1944	ef34bcaad0692eca90cc3d9b530f119033dd08e07d8dfeedb0ba611687e05ef3.exe	Lamkkllp.exe
PID 1944 wrote to memory of 1176	1944	ef34bcaad0692eca90cc3d9b530f119033dd08e07d8dfeedb0ba611687e05ef3.exe	Lamkkllp.exe
PID 1944 wrote to memory of 1176	1944	ef34bcaad0692eca90cc3d9b530f119033dd08e07d8dfeedb0ba611687e05ef3.exe	Lamkkllp.exe
PID 1176 wrote to memory of 1492	1176	Lamkkllp.exe	Lkglia32.exe
PID 1176 wrote to memory of 1492	1176	Lamkkllp.exe	Lkglia32.exe
PID 1176 wrote to memory of 1492	1176	Lamkkllp.exe	Lkglia32.exe
PID 1176 wrote to memory of 1492	1176	Lamkkllp.exe	Lkglia32.exe
PID 1492 wrote to memory of 2040	1492	Lkglia32.exe	Lgnmnb32.exe
PID 1492 wrote to memory of 2040	1492	Lkglia32.exe	Lgnmnb32.exe
PID 1492 wrote to memory of 2040	1492	Lkglia32.exe	Lgnmnb32.exe
PID 1492 wrote to memory of 2040	1492	Lkglia32.exe	Lgnmnb32.exe
PID 2040 wrote to memory of 2004	2040	Lgnmnb32.exe	Lmkefi32.exe
PID 2040 wrote to memory of 2004	2040	Lgnmnb32.exe	Lmkefi32.exe
PID 2040 wrote to memory of 2004	2040	Lgnmnb32.exe	Lmkefi32.exe
PID 2040 wrote to memory of 2004	2040	Lgnmnb32.exe	Lmkefi32.exe
PID 2004 wrote to memory of 1728	2004	Lmkefi32.exe	Lgpica32.exe
PID 2004 wrote to memory of 1728	2004	Lmkefi32.exe	Lgpica32.exe
PID 2004 wrote to memory of 1728	2004	Lmkefi32.exe	Lgpica32.exe
PID 2004 wrote to memory of 1728	2004	Lmkefi32.exe	Lgpica32.exe
PID 1728 wrote to memory of 1468	1728	Lgpica32.exe	Mqinmgjp.exe
PID 1728 wrote to memory of 1468	1728	Lgpica32.exe	Mqinmgjp.exe
PID 1728 wrote to memory of 1468	1728	Lgpica32.exe	Mqinmgjp.exe
PID 1728 wrote to memory of 1468	1728	Lgpica32.exe	Mqinmgjp.exe
PID 1468 wrote to memory of 520	1468	Mqinmgjp.exe	Mfefen32.exe
PID 1468 wrote to memory of 520	1468	Mqinmgjp.exe	Mfefen32.exe
PID 1468 wrote to memory of 520	1468	Mqinmgjp.exe	Mfefen32.exe
PID 1468 wrote to memory of 520	1468	Mqinmgjp.exe	Mfefen32.exe
PID 520 wrote to memory of 1756	520	Mfefen32.exe	Monkncoh.exe
PID 520 wrote to memory of 1756	520	Mfefen32.exe	Monkncoh.exe
PID 520 wrote to memory of 1756	520	Mfefen32.exe	Monkncoh.exe
PID 520 wrote to memory of 1756	520	Mfefen32.exe	Monkncoh.exe
PID 1756 wrote to memory of 888	1756	Monkncoh.exe	Mblgjonl.exe
PID 1756 wrote to memory of 888	1756	Monkncoh.exe	Mblgjonl.exe
PID 1756 wrote to memory of 888	1756	Monkncoh.exe	Mblgjonl.exe
PID 1756 wrote to memory of 888	1756	Monkncoh.exe	Mblgjonl.exe
PID 888 wrote to memory of 1276	888	Mblgjonl.exe	Mmbkghna.exe
PID 888 wrote to memory of 1276	888	Mblgjonl.exe	Mmbkghna.exe
PID 888 wrote to memory of 1276	888	Mblgjonl.exe	Mmbkghna.exe
PID 888 wrote to memory of 1276	888	Mblgjonl.exe	Mmbkghna.exe
PID 1276 wrote to memory of 1296	1276	Mmbkghna.exe	Mbodooli.exe
PID 1276 wrote to memory of 1296	1276	Mmbkghna.exe	Mbodooli.exe
PID 1276 wrote to memory of 1296	1276	Mmbkghna.exe	Mbodooli.exe
PID 1276 wrote to memory of 1296	1276	Mmbkghna.exe	Mbodooli.exe
PID 1296 wrote to memory of 1816	1296	Mbodooli.exe	Mgklge32.exe
PID 1296 wrote to memory of 1816	1296	Mbodooli.exe	Mgklge32.exe
PID 1296 wrote to memory of 1816	1296	Mbodooli.exe	Mgklge32.exe
PID 1296 wrote to memory of 1816	1296	Mbodooli.exe	Mgklge32.exe
PID 1816 wrote to memory of 648	1816	Mgklge32.exe	Mneddpbm.exe
PID 1816 wrote to memory of 648	1816	Mgklge32.exe	Mneddpbm.exe
PID 1816 wrote to memory of 648	1816	Mgklge32.exe	Mneddpbm.exe
PID 1816 wrote to memory of 648	1816	Mgklge32.exe	Mneddpbm.exe
PID 648 wrote to memory of 1904	648	Mneddpbm.exe	Mgnime32.exe
PID 648 wrote to memory of 1904	648	Mneddpbm.exe	Mgnime32.exe
PID 648 wrote to memory of 1904	648	Mneddpbm.exe	Mgnime32.exe
PID 648 wrote to memory of 1904	648	Mneddpbm.exe	Mgnime32.exe
PID 1904 wrote to memory of 612	1904	Mgnime32.exe	Mafnfkon.exe
PID 1904 wrote to memory of 612	1904	Mgnime32.exe	Mafnfkon.exe
PID 1904 wrote to memory of 612	1904	Mgnime32.exe	Mafnfkon.exe
PID 1904 wrote to memory of 612	1904	Mgnime32.exe	Mafnfkon.exe
PID 612 wrote to memory of 432	612	Mafnfkon.exe	Nnjnoo32.exe
PID 612 wrote to memory of 432	612	Mafnfkon.exe	Nnjnoo32.exe
PID 612 wrote to memory of 432	612	Mafnfkon.exe	Nnjnoo32.exe
PID 612 wrote to memory of 432	612	Mafnfkon.exe	Nnjnoo32.exe

C:\Users\Admin\AppData\Local\Temp\ef34bcaad0692eca90cc3d9b530f119033dd08e07d8dfeedb0ba611687e05ef3.exe
"C:\Users\Admin\AppData\Local\Temp\ef34bcaad0692eca90cc3d9b530f119033dd08e07d8dfeedb0ba611687e05ef3.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\Lamkkllp.exe
C:\Windows\system32\Lamkkllp.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\Lkglia32.exe
C:\Windows\system32\Lkglia32.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\Lgnmnb32.exe
C:\Windows\system32\Lgnmnb32.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\Lmkefi32.exe
C:\Windows\system32\Lmkefi32.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\Lgpica32.exe
C:\Windows\system32\Lgpica32.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\Mqinmgjp.exe
C:\Windows\system32\Mqinmgjp.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\SysWOW64\Mfefen32.exe
C:\Windows\system32\Mfefen32.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\Monkncoh.exe
C:\Windows\system32\Monkncoh.exe
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\Mblgjonl.exe
C:\Windows\system32\Mblgjonl.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\SysWOW64\Mmbkghna.exe
C:\Windows\system32\Mmbkghna.exe
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\SysWOW64\Mbodooli.exe
C:\Windows\system32\Mbodooli.exe
12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\SysWOW64\Mgklge32.exe
C:\Windows\system32\Mgklge32.exe
13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SysWOW64\Mneddpbm.exe
C:\Windows\system32\Mneddpbm.exe
14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:648

C:\Windows\SysWOW64\Mgnime32.exe
C:\Windows\system32\Mgnime32.exe
15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\Mafnfkon.exe
C:\Windows\system32\Mafnfkon.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:612

C:\Windows\SysWOW64\Nnjnoo32.exe
C:\Windows\system32\Nnjnoo32.exe
17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:432

C:\Windows\SysWOW64\Nfecda32.exe
C:\Windows\system32\Nfecda32.exe
18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1552

C:\Windows\SysWOW64\Ncicme32.exe
C:\Windows\system32\Ncicme32.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1992

C:\Windows\SysWOW64\Namdfjif.exe
C:\Windows\system32\Namdfjif.exe
20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:556

C:\Windows\SysWOW64\Nfjloqgn.exe
C:\Windows\system32\Nfjloqgn.exe
21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1704

C:\Windows\SysWOW64\Npbqhf32.exe
C:\Windows\system32\Npbqhf32.exe
22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:856

C:\Windows\SysWOW64\Nikeql32.exe
C:\Windows\system32\Nikeql32.exe
23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:664

C:\Windows\SysWOW64\Oeafemjc.exe
C:\Windows\system32\Oeafemjc.exe
24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1692

C:\Windows\SysWOW64\Ohpbahif.exe
C:\Windows\system32\Ohpbahif.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1500

C:\Windows\SysWOW64\Obefoaim.exe
C:\Windows\system32\Obefoaim.exe
26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1020

C:\Windows\SysWOW64\Oedbklhp.exe
C:\Windows\system32\Oedbklhp.exe
27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1336

C:\Windows\SysWOW64\Olnkhfom.exe
C:\Windows\system32\Olnkhfom.exe
28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:932

C:\Windows\SysWOW64\Obhcdq32.exe
C:\Windows\system32\Obhcdq32.exe
29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1052

C:\Windows\SysWOW64\Oefoql32.exe
C:\Windows\system32\Oefoql32.exe
30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1740

C:\Windows\SysWOW64\Ohdkmg32.exe
C:\Windows\system32\Ohdkmg32.exe
31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2024

C:\Windows\SysWOW64\Ooodialn.exe
C:\Windows\system32\Ooodialn.exe
32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1736

C:\Windows\SysWOW64\Oampemkb.exe
C:\Windows\system32\Oampemkb.exe
33⤵
- Executes dropped EXE
- Modifies registry class
PID:1976

C:\Windows\SysWOW64\Ofjhndji.exe
C:\Windows\system32\Ofjhndji.exe
34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1824

C:\Windows\SysWOW64\Omdqjnaf.exe
C:\Windows\system32\Omdqjnaf.exe
35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1724

C:\Windows\SysWOW64\Opbmgipj.exe
C:\Windows\system32\Opbmgipj.exe
36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1872

C:\Windows\SysWOW64\Pikapo32.exe
C:\Windows\system32\Pikapo32.exe
37⤵
- Executes dropped EXE
PID:1044

C:\Windows\SysWOW64\Ppdjling.exe
C:\Windows\system32\Ppdjling.exe
38⤵
- Executes dropped EXE
PID:1760

C:\Windows\SysWOW64\Pgobic32.exe
C:\Windows\system32\Pgobic32.exe
39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1108

C:\Windows\SysWOW64\Pmhjem32.exe
C:\Windows\system32\Pmhjem32.exe
40⤵
- Executes dropped EXE
- Modifies registry class
PID:1284

C:\Windows\SysWOW64\Pgaoocca.exe
C:\Windows\system32\Pgaoocca.exe
41⤵
- Executes dropped EXE
PID:1456

C:\Windows\SysWOW64\Piokknbe.exe
C:\Windows\system32\Piokknbe.exe
42⤵
- Executes dropped EXE
PID:1404

C:\Windows\SysWOW64\Pchocd32.exe
C:\Windows\system32\Pchocd32.exe
43⤵
- Executes dropped EXE
PID:784

C:\Windows\SysWOW64\Peflpo32.exe
C:\Windows\system32\Peflpo32.exe
44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1644

C:\Windows\SysWOW64\Phdhlk32.exe
C:\Windows\system32\Phdhlk32.exe
45⤵
- Executes dropped EXE
- Modifies registry class
PID:1536

C:\Windows\SysWOW64\Ponphe32.exe
C:\Windows\system32\Ponphe32.exe
46⤵
- Executes dropped EXE
PID:984

C:\Windows\SysWOW64\Pehheoff.exe
C:\Windows\system32\Pehheoff.exe
47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1936

C:\Windows\SysWOW64\Pkeqmfdn.exe
C:\Windows\system32\Pkeqmfdn.exe
48⤵
- Executes dropped EXE
PID:1884

C:\Windows\SysWOW64\Pcliocep.exe
C:\Windows\system32\Pcliocep.exe
49⤵
- Executes dropped EXE
PID:748

C:\Windows\SysWOW64\Qdnefk32.exe
C:\Windows\system32\Qdnefk32.exe
50⤵
- Executes dropped EXE
PID:680

C:\Windows\SysWOW64\Qkgmcebk.exe
C:\Windows\system32\Qkgmcebk.exe
51⤵
- Executes dropped EXE
PID:964

C:\Windows\SysWOW64\Qnfjoa32.exe
C:\Windows\system32\Qnfjoa32.exe
52⤵
- Executes dropped EXE
PID:1952

C:\Windows\SysWOW64\Qemapn32.exe
C:\Windows\system32\Qemapn32.exe
53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:240

C:\Windows\SysWOW64\Qkjjhe32.exe
C:\Windows\system32\Qkjjhe32.exe
54⤵
- Executes dropped EXE
PID:1832

C:\Windows\SysWOW64\Aadbeohe.exe
C:\Windows\system32\Aadbeohe.exe
55⤵
- Executes dropped EXE
PID:880

C:\Windows\SysWOW64\Ahnkbi32.exe
C:\Windows\system32\Ahnkbi32.exe
56⤵
- Executes dropped EXE
PID:1604

C:\Windows\SysWOW64\Aafoko32.exe
C:\Windows\system32\Aafoko32.exe
57⤵
- Executes dropped EXE
PID:1708

C:\Windows\SysWOW64\Agcgcf32.exe
C:\Windows\system32\Agcgcf32.exe
58⤵
- Executes dropped EXE
PID:1140

C:\Windows\SysWOW64\Anmpppkg.exe
C:\Windows\system32\Anmpppkg.exe
59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1888

C:\Windows\SysWOW64\Ajdqea32.exe
C:\Windows\system32\Ajdqea32.exe
60⤵
- Executes dropped EXE
PID:1320

C:\Windows\SysWOW64\Aghanepd.exe
C:\Windows\system32\Aghanepd.exe
61⤵
- Executes dropped EXE
PID:1900

C:\Windows\SysWOW64\Afmnoa32.exe
C:\Windows\system32\Afmnoa32.exe
62⤵
- Executes dropped EXE
PID:2028

C:\Windows\SysWOW64\Bcanifcf.exe
C:\Windows\system32\Bcanifcf.exe
63⤵
- Executes dropped EXE
PID:1372

C:\Windows\SysWOW64\Bklcmhaa.exe
C:\Windows\system32\Bklcmhaa.exe
64⤵
- Executes dropped EXE
PID:816

C:\Windows\SysWOW64\Bgcdbi32.exe
C:\Windows\system32\Bgcdbi32.exe
65⤵
- Executes dropped EXE
- Modifies registry class
PID:272

C:\Windows\SysWOW64\Bgeqgidc.exe
C:\Windows\system32\Bgeqgidc.exe
66⤵
- Modifies registry class
PID:1380

C:\Windows\SysWOW64\Bnoidc32.exe
C:\Windows\system32\Bnoidc32.exe
67⤵
PID:1576

C:\Windows\SysWOW64\Bclamj32.exe
C:\Windows\system32\Bclamj32.exe
68⤵
PID:1980

C:\Windows\SysWOW64\Fakjpc32.exe
C:\Windows\system32\Fakjpc32.exe
69⤵
PID:1104

C:\Windows\SysWOW64\Fkfknh32.exe
C:\Windows\system32\Fkfknh32.exe
70⤵
- Drops file in System32 directory
PID:936

C:\Windows\SysWOW64\Ghbafqpe.exe
C:\Windows\system32\Ghbafqpe.exe
71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2032

C:\Windows\SysWOW64\Gkanbloi.exe
C:\Windows\system32\Gkanbloi.exe
72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1968

C:\Windows\SysWOW64\Gchfcjpk.exe
C:\Windows\system32\Gchfcjpk.exe
73⤵
PID:328

C:\Windows\SysWOW64\Gffboeoo.exe
C:\Windows\system32\Gffboeoo.exe
74⤵
- Modifies registry class
PID:1100

C:\Windows\SysWOW64\Glqjlo32.exe
C:\Windows\system32\Glqjlo32.exe
75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1996

C:\Windows\SysWOW64\Gnbgcg32.exe
C:\Windows\system32\Gnbgcg32.exe
76⤵
- Drops file in System32 directory
PID:1600

C:\Windows\SysWOW64\Gfioed32.exe
C:\Windows\system32\Gfioed32.exe
77⤵
PID:1956

C:\Windows\SysWOW64\Ggjklmcj.exe
C:\Windows\system32\Ggjklmcj.exe
78⤵
- Drops file in System32 directory
PID:380

C:\Windows\SysWOW64\Gbppjfbp.exe
C:\Windows\system32\Gbppjfbp.exe
79⤵
PID:540

C:\Windows\SysWOW64\Ghjhfp32.exe
C:\Windows\system32\Ghjhfp32.exe
80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:952

C:\Windows\SysWOW64\Gnfpoghd.exe
C:\Windows\system32\Gnfpoghd.exe
81⤵
PID:532

C:\Windows\SysWOW64\Hdqhkq32.exe
C:\Windows\system32\Hdqhkq32.exe
82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2056

C:\Windows\SysWOW64\Hjmach32.exe
C:\Windows\system32\Hjmach32.exe
83⤵
- Modifies registry class
PID:2064

C:\Windows\SysWOW64\Hmlmpc32.exe
C:\Windows\system32\Hmlmpc32.exe
84⤵
- Drops file in System32 directory
PID:2072

C:\Windows\SysWOW64\Hceemmdi.exe
C:\Windows\system32\Hceemmdi.exe
85⤵
- Modifies registry class
PID:2080

C:\Windows\SysWOW64\Hjpnig32.exe
C:\Windows\system32\Hjpnig32.exe
86⤵
PID:2088

C:\Windows\SysWOW64\Hqiffa32.exe
C:\Windows\system32\Hqiffa32.exe
87⤵
PID:2096

C:\Windows\SysWOW64\Hgcnblkp.exe
C:\Windows\system32\Hgcnblkp.exe
88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2104

C:\Windows\SysWOW64\Hmpfkbig.exe
C:\Windows\system32\Hmpfkbig.exe
89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2112

C:\Windows\SysWOW64\Hcjohm32.exe
C:\Windows\system32\Hcjohm32.exe
90⤵
PID:2120

C:\Windows\SysWOW64\Hfikdh32.exe
C:\Windows\system32\Hfikdh32.exe
91⤵
- Drops file in System32 directory
PID:2128

C:\Windows\SysWOW64\Higgpc32.exe
C:\Windows\system32\Higgpc32.exe
92⤵
PID:2136

C:\Windows\SysWOW64\Hpapmn32.exe
C:\Windows\system32\Hpapmn32.exe
93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2144

C:\Windows\SysWOW64\Hfkhihme.exe
C:\Windows\system32\Hfkhihme.exe
94⤵
PID:2152

C:\Windows\SysWOW64\Hmepfb32.exe
C:\Windows\system32\Hmepfb32.exe
95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2160

C:\Windows\SysWOW64\Ilhpaoll.exe
C:\Windows\system32\Ilhpaoll.exe
96⤵
- Modifies registry class
PID:2168

C:\Windows\SysWOW64\Ibbhni32.exe
C:\Windows\system32\Ibbhni32.exe
97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2176

C:\Windows\SysWOW64\Igoafp32.exe
C:\Windows\system32\Igoafp32.exe
98⤵
PID:2184

C:\Windows\SysWOW64\Inhicjim.exe
C:\Windows\system32\Inhicjim.exe
99⤵
PID:2192

C:\Windows\SysWOW64\Iinmqb32.exe
C:\Windows\system32\Iinmqb32.exe
100⤵
- Drops file in System32 directory
PID:2200

C:\Windows\SysWOW64\Ihanloon.exe
C:\Windows\system32\Ihanloon.exe
101⤵
- Drops file in System32 directory
PID:2208

C:\Windows\SysWOW64\Ibfbihod.exe
C:\Windows\system32\Ibfbihod.exe
102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2216

C:\Windows\SysWOW64\Ihcjaomk.exe
C:\Windows\system32\Ihcjaomk.exe
103⤵
PID:2224

C:\Windows\SysWOW64\Ijafnjlo.exe
C:\Windows\system32\Ijafnjlo.exe
104⤵
PID:2232

C:\Windows\SysWOW64\Ialojd32.exe
C:\Windows\system32\Ialojd32.exe
105⤵
- Modifies registry class
PID:2240

C:\Windows\SysWOW64\Icjkfpcp.exe
C:\Windows\system32\Icjkfpcp.exe
106⤵
- Drops file in System32 directory
PID:2248

C:\Windows\SysWOW64\Ijdccj32.exe
C:\Windows\system32\Ijdccj32.exe
107⤵
PID:2256

C:\Windows\SysWOW64\Inpodibe.exe
C:\Windows\system32\Inpodibe.exe
108⤵
PID:2264

C:\Windows\SysWOW64\Ianlpdai.exe
C:\Windows\system32\Ianlpdai.exe
109⤵
PID:2280

C:\Windows\SysWOW64\Idlhlpam.exe
C:\Windows\system32\Idlhlpam.exe
110⤵
- Drops file in System32 directory
PID:2296

C:\Windows\SysWOW64\Jfkdhkpq.exe
C:\Windows\system32\Jfkdhkpq.exe
111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2324

C:\Windows\SysWOW64\Jmelee32.exe
C:\Windows\system32\Jmelee32.exe
112⤵
PID:2348

C:\Windows\SysWOW64\Japhedpf.exe
C:\Windows\system32\Japhedpf.exe
113⤵
- Drops file in System32 directory
PID:2368

C:\Windows\SysWOW64\Jbaemled.exe
C:\Windows\system32\Jbaemled.exe
114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2392

C:\Windows\SysWOW64\Jfmqnk32.exe
C:\Windows\system32\Jfmqnk32.exe
115⤵
PID:2412

C:\Windows\SysWOW64\Jjimnifg.exe
C:\Windows\system32\Jjimnifg.exe
116⤵
PID:2428

C:\Windows\SysWOW64\Jmgijeek.exe
C:\Windows\system32\Jmgijeek.exe
117⤵
- Drops file in System32 directory
PID:2444

C:\Windows\SysWOW64\Jljifa32.exe
C:\Windows\system32\Jljifa32.exe
118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2456

C:\Windows\SysWOW64\Jdaago32.exe
C:\Windows\system32\Jdaago32.exe
119⤵
PID:2472

C:\Windows\SysWOW64\Jfpmcj32.exe
C:\Windows\system32\Jfpmcj32.exe
120⤵
- Drops file in System32 directory
PID:2508

C:\Windows\SysWOW64\Jmifpdch.exe
C:\Windows\system32\Jmifpdch.exe
121⤵
PID:2524

C:\Windows\SysWOW64\Jllfla32.exe
C:\Windows\system32\Jllfla32.exe
122⤵
PID:2552

C:\Windows\SysWOW64\Jokbhm32.exe
C:\Windows\system32\Jokbhm32.exe
123⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2568

C:\Windows\SysWOW64\Jbfnhkao.exe
C:\Windows\system32\Jbfnhkao.exe
124⤵
PID:2624

C:\Windows\SysWOW64\Jhcfqb32.exe
C:\Windows\system32\Jhcfqb32.exe
125⤵
PID:2648

C:\Windows\SysWOW64\Jpjobp32.exe
C:\Windows\system32\Jpjobp32.exe
126⤵
- Modifies registry class
PID:2668

C:\Windows\SysWOW64\Jakkihfg.exe
C:\Windows\system32\Jakkihfg.exe
127⤵
PID:2688

C:\Windows\SysWOW64\Jeggjf32.exe
C:\Windows\system32\Jeggjf32.exe
128⤵
PID:2704

C:\Windows\SysWOW64\Jhecfb32.exe
C:\Windows\system32\Jhecfb32.exe
129⤵
PID:2720

C:\Windows\SysWOW64\Jlaogqfm.exe
C:\Windows\system32\Jlaogqfm.exe
130⤵
PID:2736

C:\Windows\SysWOW64\Jkdpbm32.exe
C:\Windows\system32\Jkdpbm32.exe
131⤵
- Drops file in System32 directory
- Modifies registry class
PID:2756

C:\Windows\SysWOW64\Kbkgck32.exe
C:\Windows\system32\Kbkgck32.exe
132⤵
- Drops file in System32 directory
PID:2772

C:\Windows\SysWOW64\Kanhogdd.exe
C:\Windows\system32\Kanhogdd.exe
133⤵
PID:2792

C:\Windows\SysWOW64\Khhplala.exe
C:\Windows\system32\Khhplala.exe
134⤵
PID:2812

C:\Windows\SysWOW64\Kkflhmke.exe
C:\Windows\system32\Kkflhmke.exe
135⤵
PID:2828

C:\Windows\SysWOW64\Kobhhl32.exe
C:\Windows\system32\Kobhhl32.exe
136⤵
PID:2848

C:\Windows\SysWOW64\Kelqefjk.exe
C:\Windows\system32\Kelqefjk.exe
137⤵
PID:2864

C:\Windows\SysWOW64\Kdoqqb32.exe
C:\Windows\system32\Kdoqqb32.exe
138⤵
PID:2888

C:\Windows\SysWOW64\Kkhimmib.exe
C:\Windows\system32\Kkhimmib.exe
139⤵
PID:2908

C:\Windows\SysWOW64\Kodenk32.exe
C:\Windows\system32\Kodenk32.exe
140⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2924

C:\Windows\SysWOW64\Kdanfb32.exe
C:\Windows\system32\Kdanfb32.exe
141⤵
- Drops file in System32 directory
PID:2944

C:\Windows\SysWOW64\Kkkfcl32.exe
C:\Windows\system32\Kkkfcl32.exe
142⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2956

C:\Windows\SysWOW64\Kmiboh32.exe
C:\Windows\system32\Kmiboh32.exe
143⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2972

C:\Windows\SysWOW64\Kdcjlbmp.exe
C:\Windows\system32\Kdcjlbmp.exe
144⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3008

C:\Windows\SysWOW64\Knlodg32.exe
C:\Windows\system32\Knlodg32.exe
145⤵
- Modifies registry class
PID:3024

C:\Windows\SysWOW64\Kpjkqc32.exe
C:\Windows\system32\Kpjkqc32.exe
146⤵
- Modifies registry class
PID:3048

C:\Windows\SysWOW64\Kdegaakn.exe
C:\Windows\system32\Kdegaakn.exe
147⤵
PID:3064

C:\Windows\SysWOW64\Kgdcmmja.exe
C:\Windows\system32\Kgdcmmja.exe
148⤵
PID:2288

C:\Windows\SysWOW64\Lnnkjgbn.exe
C:\Windows\system32\Lnnkjgbn.exe
149⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2312

C:\Windows\SysWOW64\Lplgfbab.exe
C:\Windows\system32\Lplgfbab.exe
150⤵
PID:2340

C:\Windows\SysWOW64\Loohbo32.exe
C:\Windows\system32\Loohbo32.exe
151⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2360

C:\Windows\SysWOW64\Lgfpcm32.exe
C:\Windows\system32\Lgfpcm32.exe
152⤵
PID:2400

C:\Windows\SysWOW64\Leipoioi.exe
C:\Windows\system32\Leipoioi.exe
153⤵
- Drops file in System32 directory
PID:2424

C:\Windows\SysWOW64\Lpodlboo.exe
C:\Windows\system32\Lpodlboo.exe
154⤵
- Modifies registry class
PID:2464

C:\Windows\SysWOW64\Lcmqhnnc.exe
C:\Windows\system32\Lcmqhnnc.exe
155⤵
- Modifies registry class
PID:2484

C:\Windows\SysWOW64\Lapacj32.exe
C:\Windows\system32\Lapacj32.exe
156⤵
PID:2516

C:\Windows\SysWOW64\Lleeacdc.exe
C:\Windows\system32\Lleeacdc.exe
157⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2540

C:\Windows\SysWOW64\Lkhelp32.exe
C:\Windows\system32\Lkhelp32.exe
158⤵
PID:2580

C:\Windows\SysWOW64\Lcpmnm32.exe
C:\Windows\system32\Lcpmnm32.exe
159⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2596

C:\Windows\SysWOW64\Lfniji32.exe
C:\Windows\system32\Lfniji32.exe
160⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2608

C:\Windows\SysWOW64\Lhlffd32.exe
C:\Windows\system32\Lhlffd32.exe
161⤵
- Drops file in System32 directory
PID:2640

C:\Windows\SysWOW64\Llhafcbq.exe
C:\Windows\system32\Llhafcbq.exe
162⤵
- Modifies registry class
PID:2664

C:\Windows\SysWOW64\Lninnk32.exe
C:\Windows\system32\Lninnk32.exe
163⤵
- Drops file in System32 directory
PID:2696

C:\Windows\SysWOW64\Ldcfkepl.exe
C:\Windows\system32\Ldcfkepl.exe
164⤵
- Drops file in System32 directory
PID:2744

C:\Windows\SysWOW64\Lgabgqoo.exe
C:\Windows\system32\Lgabgqoo.exe
165⤵
PID:2768

C:\Windows\SysWOW64\Lnkkckfl.exe
C:\Windows\system32\Lnkkckfl.exe
166⤵
PID:2808

C:\Windows\SysWOW64\Mqjgpfep.exe
C:\Windows\system32\Mqjgpfep.exe
167⤵
PID:2860

C:\Windows\SysWOW64\Mjblhl32.exe
C:\Windows\system32\Mjblhl32.exe
168⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2896

C:\Windows\SysWOW64\Mqldefcm.exe
C:\Windows\system32\Mqldefcm.exe
169⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2916

C:\Windows\SysWOW64\Mdjmkdjd.exe
C:\Windows\system32\Mdjmkdjd.exe
170⤵
- Modifies registry class
PID:2932

C:\Windows\SysWOW64\Mghigpig.exe
C:\Windows\system32\Mghigpig.exe
171⤵
- Modifies registry class
PID:2940

C:\Windows\SysWOW64\Mcafbpli.exe
C:\Windows\system32\Mcafbpli.exe
172⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2964

C:\Windows\SysWOW64\Mfpbnllm.exe
C:\Windows\system32\Mfpbnllm.exe
173⤵
PID:2980

C:\Windows\SysWOW64\Nmjkkf32.exe
C:\Windows\system32\Nmjkkf32.exe
174⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2988

C:\Windows\SysWOW64\Nohgga32.exe
C:\Windows\system32\Nohgga32.exe
175⤵
PID:2996

C:\Windows\SysWOW64\Nbgccm32.exe
C:\Windows\system32\Nbgccm32.exe
176⤵
PID:3004

C:\Windows\SysWOW64\Niqkpgin.exe
C:\Windows\system32\Niqkpgin.exe
177⤵
PID:3020

C:\Windows\SysWOW64\Nkohlb32.exe
C:\Windows\system32\Nkohlb32.exe
178⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3044

C:\Windows\SysWOW64\Nghefckc.exe
C:\Windows\system32\Nghefckc.exe
179⤵
PID:3036

C:\Windows\SysWOW64\Nbnidl32.exe
C:\Windows\system32\Nbnidl32.exe
180⤵
- Drops file in System32 directory
PID:2272

C:\Windows\SysWOW64\Nelepg32.exe
C:\Windows\system32\Nelepg32.exe
181⤵
- Modifies registry class
PID:2304

C:\Windows\SysWOW64\Ncofkdag.exe
C:\Windows\system32\Ncofkdag.exe
182⤵
- Modifies registry class
PID:2320

C:\Windows\SysWOW64\Nndjimqm.exe
C:\Windows\system32\Nndjimqm.exe
183⤵
PID:2336

C:\Windows\SysWOW64\Neobeg32.exe
C:\Windows\system32\Neobeg32.exe
184⤵
PID:2364

C:\Windows\SysWOW64\Ofpomonh.exe
C:\Windows\system32\Ofpomonh.exe
185⤵
PID:2384

C:\Windows\SysWOW64\Onggnloj.exe
C:\Windows\system32\Onggnloj.exe
186⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2408

C:\Windows\SysWOW64\Oaecjh32.exe
C:\Windows\system32\Oaecjh32.exe
187⤵
- Drops file in System32 directory
PID:2440

C:\Windows\SysWOW64\Ofbkbo32.exe
C:\Windows\system32\Ofbkbo32.exe
188⤵
PID:2468

C:\Windows\SysWOW64\Oahppg32.exe
C:\Windows\system32\Oahppg32.exe
189⤵
- Drops file in System32 directory
PID:2496

C:\Windows\SysWOW64\Opjpldbf.exe
C:\Windows\system32\Opjpldbf.exe
190⤵
- Drops file in System32 directory
- Modifies registry class
PID:2504

C:\Windows\SysWOW64\Ofdhhn32.exe
C:\Windows\system32\Ofdhhn32.exe
191⤵
- Drops file in System32 directory
PID:2536

C:\Windows\SysWOW64\Omopehap.exe
C:\Windows\system32\Omopehap.exe
192⤵
- Drops file in System32 directory
PID:2560

C:\Windows\SysWOW64\Ochiabil.exe
C:\Windows\system32\Ochiabil.exe
193⤵
- Modifies registry class
PID:2576

C:\Windows\SysWOW64\Ofgennhp.exe
C:\Windows\system32\Ofgennhp.exe
194⤵
PID:2592

C:\Windows\SysWOW64\Oejeik32.exe
C:\Windows\system32\Oejeik32.exe
195⤵
PID:2604

C:\Windows\SysWOW64\Olcmfefg.exe
C:\Windows\system32\Olcmfefg.exe
196⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2632

C:\Windows\SysWOW64\Oobjbpek.exe
C:\Windows\system32\Oobjbpek.exe
197⤵
PID:2656

C:\Windows\SysWOW64\Ofiacnfm.exe
C:\Windows\system32\Ofiacnfm.exe
198⤵
PID:2680

C:\Windows\SysWOW64\Pacbdk32.exe
C:\Windows\system32\Pacbdk32.exe
199⤵
PID:2712

C:\Windows\SysWOW64\Phmkqeji.exe
C:\Windows\system32\Phmkqeji.exe
200⤵
PID:2764

C:\Windows\SysWOW64\Pogcmp32.exe
C:\Windows\system32\Pogcmp32.exe
201⤵
PID:2824

C:\Windows\SysWOW64\Peqkjjib.exe
C:\Windows\system32\Peqkjjib.exe
202⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2872

C:\Windows\SysWOW64\Pdckef32.exe
C:\Windows\system32\Pdckef32.exe
203⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1264

C:\Windows\SysWOW64\Ppmipg32.exe
C:\Windows\system32\Ppmipg32.exe
204⤵
- Drops file in System32 directory
PID:2904

C:\Windows\SysWOW64\Jfncfceb.exe
C:\Windows\system32\Jfncfceb.exe
205⤵
- Drops file in System32 directory
- Modifies registry class
PID:2752

C:\Windows\SysWOW64\Jmgkcm32.exe
C:\Windows\system32\Jmgkcm32.exe
206⤵
PID:2788

C:\Windows\SysWOW64\Jcacpgdl.exe
C:\Windows\system32\Jcacpgdl.exe
207⤵
- Modifies registry class
PID:2804

C:\Windows\SysWOW64\Jinlhnbc.exe
C:\Windows\system32\Jinlhnbc.exe
208⤵
- Drops file in System32 directory
- Modifies registry class
PID:2844

C:\Windows\SysWOW64\Jlmhdjaf.exe
C:\Windows\system32\Jlmhdjaf.exe
209⤵
PID:2884

C:\Windows\SysWOW64\Jcdpeg32.exe
C:\Windows\system32\Jcdpeg32.exe
210⤵
PID:3076

C:\Windows\SysWOW64\Jfblab32.exe
C:\Windows\system32\Jfblab32.exe
211⤵
PID:3084

C:\Windows\SysWOW64\Jeemmphg.exe
C:\Windows\system32\Jeemmphg.exe
212⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3092

C:\Windows\SysWOW64\Jmldnmii.exe
C:\Windows\system32\Jmldnmii.exe
213⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3100

C:\Windows\SysWOW64\Jnnafe32.exe
C:\Windows\system32\Jnnafe32.exe
214⤵
PID:3108

C:\Windows\SysWOW64\Jfdigb32.exe
C:\Windows\system32\Jfdigb32.exe
215⤵
- Drops file in System32 directory
PID:3116

C:\Windows\SysWOW64\Kicecn32.exe
C:\Windows\system32\Kicecn32.exe
216⤵
PID:3124

C:\Windows\SysWOW64\Klaapi32.exe
C:\Windows\system32\Klaapi32.exe
217⤵
- Modifies registry class
PID:3132

C:\Windows\SysWOW64\Kbkjlcen.exe
C:\Windows\system32\Kbkjlcen.exe
218⤵
PID:3140

C:\Windows\SysWOW64\Kiebimlk.exe
C:\Windows\system32\Kiebimlk.exe
219⤵
PID:3148

C:\Windows\SysWOW64\Kldneiko.exe
C:\Windows\system32\Kldneiko.exe
220⤵
PID:3156

C:\Windows\SysWOW64\Kbnfbc32.exe
C:\Windows\system32\Kbnfbc32.exe
221⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3164

C:\Windows\SysWOW64\Kelcnn32.exe
C:\Windows\system32\Kelcnn32.exe
222⤵
PID:3172

C:\Windows\SysWOW64\Kjikfe32.exe
C:\Windows\system32\Kjikfe32.exe
223⤵
PID:3180

C:\Windows\SysWOW64\Kmggbq32.exe
C:\Windows\system32\Kmggbq32.exe
224⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3188

C:\Windows\SysWOW64\Keopcnpl.exe
C:\Windows\system32\Keopcnpl.exe
225⤵
PID:3196

C:\Windows\SysWOW64\Kfplkf32.exe
C:\Windows\system32\Kfplkf32.exe
226⤵
PID:3204

C:\Windows\SysWOW64\Kngdlc32.exe
C:\Windows\system32\Kngdlc32.exe
227⤵
PID:3212

C:\Windows\SysWOW64\Kaepho32.exe
C:\Windows\system32\Kaepho32.exe
228⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3220

C:\Windows\SysWOW64\Khoheimm.exe
C:\Windows\system32\Khoheimm.exe
229⤵
PID:3228

C:\Windows\SysWOW64\Kiqema32.exe
C:\Windows\system32\Kiqema32.exe
230⤵
PID:3236

C:\Windows\SysWOW64\Kagmno32.exe
C:\Windows\system32\Kagmno32.exe
231⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3244

C:\Windows\SysWOW64\Ldfijj32.exe
C:\Windows\system32\Ldfijj32.exe
232⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3252

C:\Windows\SysWOW64\Lfdefebe.exe
C:\Windows\system32\Lfdefebe.exe
233⤵
PID:3260

C:\Windows\SysWOW64\Licabaai.exe
C:\Windows\system32\Licabaai.exe
234⤵
- Modifies registry class
PID:3268

C:\Windows\SysWOW64\Llanompm.exe
C:\Windows\system32\Llanompm.exe
235⤵
- Drops file in System32 directory
- Modifies registry class
PID:3276

C:\Windows\SysWOW64\Lfgblepb.exe
C:\Windows\system32\Lfgblepb.exe
236⤵
- Drops file in System32 directory
- Modifies registry class
PID:3284

C:\Windows\SysWOW64\Lienhqof.exe
C:\Windows\system32\Lienhqof.exe
237⤵
PID:3292

C:\Windows\SysWOW64\Lpofdk32.exe
C:\Windows\system32\Lpofdk32.exe
238⤵
- Modifies registry class
PID:3300

C:\Windows\SysWOW64\Lfioae32.exe
C:\Windows\system32\Lfioae32.exe
239⤵
PID:3308

C:\Windows\SysWOW64\Ligknq32.exe
C:\Windows\system32\Ligknq32.exe
240⤵
PID:3316

C:\Windows\SysWOW64\Lpacjjdq.exe
C:\Windows\system32\Lpacjjdq.exe
241⤵
PID:3324

C:\Windows\SysWOW64\Lodcfg32.exe
C:\Windows\system32\Lodcfg32.exe
242⤵
- Modifies registry class
PID:3332

C:\Windows\SysWOW64\Labpbc32.exe
C:\Windows\system32\Labpbc32.exe
243⤵
PID:3340

C:\Windows\SysWOW64\Lijhcp32.exe
C:\Windows\system32\Lijhcp32.exe
244⤵
PID:3348

C:\Windows\SysWOW64\Lkkdkhqo.exe
C:\Windows\system32\Lkkdkhqo.exe
245⤵
PID:3356

C:\Windows\SysWOW64\Laelgb32.exe
C:\Windows\system32\Laelgb32.exe
246⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3364

C:\Windows\SysWOW64\Lhoedm32.exe
C:\Windows\system32\Lhoedm32.exe
247⤵
- Modifies registry class
PID:3372

C:\Windows\SysWOW64\Magimbfi.exe
C:\Windows\system32\Magimbfi.exe
248⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3380

C:\Windows\SysWOW64\Mhaajl32.exe
C:\Windows\system32\Mhaajl32.exe
249⤵
PID:3388

C:\Windows\SysWOW64\Mkpnfh32.exe
C:\Windows\system32\Mkpnfh32.exe
250⤵
PID:3396

C:\Windows\SysWOW64\Majfbadg.exe
C:\Windows\system32\Majfbadg.exe
251⤵
- Modifies registry class
PID:3404

C:\Windows\SysWOW64\Mhdnol32.exe
C:\Windows\system32\Mhdnol32.exe
252⤵
PID:3412

C:\Windows\SysWOW64\Mkbjkgkg.exe
C:\Windows\system32\Mkbjkgkg.exe
253⤵
- Modifies registry class
PID:3420

C:\Windows\SysWOW64\Malbha32.exe
C:\Windows\system32\Malbha32.exe
254⤵
PID:3436

C:\Windows\SysWOW64\Mcmopjhb.exe
C:\Windows\system32\Mcmopjhb.exe
255⤵
PID:3452

C:\Windows\SysWOW64\Mjggld32.exe
C:\Windows\system32\Mjggld32.exe
256⤵
- Modifies registry class
PID:3460

C:\Windows\SysWOW64\Mlfcho32.exe
C:\Windows\system32\Mlfcho32.exe
257⤵
PID:3468

C:\Windows\SysWOW64\Mpapingl.exe
C:\Windows\system32\Mpapingl.exe
258⤵
PID:3476

C:\Windows\SysWOW64\Mcpleifp.exe
C:\Windows\system32\Mcpleifp.exe
259⤵
PID:3484

C:\Windows\SysWOW64\Mgkhfh32.exe
C:\Windows\system32\Mgkhfh32.exe
260⤵
PID:3492

C:\Windows\SysWOW64\Mjjdbcmm.exe
C:\Windows\system32\Mjjdbcmm.exe
261⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3500

C:\Windows\SysWOW64\Mnepbb32.exe
C:\Windows\system32\Mnepbb32.exe
262⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3508

C:\Windows\SysWOW64\Mlhpnolp.exe
C:\Windows\system32\Mlhpnolp.exe
263⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3516

C:\Windows\SysWOW64\Mcbhki32.exe
C:\Windows\system32\Mcbhki32.exe
264⤵
- Drops file in System32 directory
PID:3524

C:\Windows\SysWOW64\Nfqegd32.exe
C:\Windows\system32\Nfqegd32.exe
265⤵
PID:3532

C:\Windows\SysWOW64\Nhoacp32.exe
C:\Windows\system32\Nhoacp32.exe
266⤵
- Drops file in System32 directory
PID:3540

C:\Windows\SysWOW64\Npfidm32.exe
C:\Windows\system32\Npfidm32.exe
267⤵
- Drops file in System32 directory
PID:3548

C:\Windows\SysWOW64\Nageleie.exe
C:\Windows\system32\Nageleie.exe
268⤵
PID:3556

C:\Windows\SysWOW64\Nhanip32.exe
C:\Windows\system32\Nhanip32.exe
269⤵
PID:3564

C:\Windows\SysWOW64\Nkpjekoe.exe
C:\Windows\system32\Nkpjekoe.exe
270⤵
PID:3572

C:\Windows\SysWOW64\Nfenbdok.exe
C:\Windows\system32\Nfenbdok.exe
271⤵
PID:3580

C:\Windows\SysWOW64\Nlofon32.exe
C:\Windows\system32\Nlofon32.exe
272⤵
PID:3588

C:\Windows\SysWOW64\Nonbki32.exe
C:\Windows\system32\Nonbki32.exe
273⤵
- Drops file in System32 directory
PID:3596

C:\Windows\SysWOW64\Nfgkhcmi.exe
C:\Windows\system32\Nfgkhcmi.exe
274⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3604

C:\Windows\SysWOW64\Nhfgdoll.exe
C:\Windows\system32\Nhfgdoll.exe
275⤵
PID:3612

C:\Windows\SysWOW64\Nkdcpj32.exe
C:\Windows\system32\Nkdcpj32.exe
276⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3620

C:\Windows\SysWOW64\Nnbplf32.exe
C:\Windows\system32\Nnbplf32.exe
277⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3628

C:\Windows\SysWOW64\Nqalha32.exe
C:\Windows\system32\Nqalha32.exe
278⤵
PID:3636

C:\Windows\SysWOW64\Ngkdekad.exe
C:\Windows\system32\Ngkdekad.exe
279⤵
PID:3644

C:\Windows\SysWOW64\Nnelae32.exe
C:\Windows\system32\Nnelae32.exe
280⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3652

C:\Windows\SysWOW64\Oqchna32.exe
C:\Windows\system32\Oqchna32.exe
281⤵
PID:3660

C:\Windows\SysWOW64\Ocbejl32.exe
C:\Windows\system32\Ocbejl32.exe
282⤵
- Modifies registry class
PID:3668

C:\Windows\SysWOW64\Okimkj32.exe
C:\Windows\system32\Okimkj32.exe
283⤵
- Drops file in System32 directory
PID:3676

C:\Windows\SysWOW64\Omjibb32.exe
C:\Windows\system32\Omjibb32.exe
284⤵
PID:3684

C:\Windows\SysWOW64\Ocdaoldf.exe
C:\Windows\system32\Ocdaoldf.exe
285⤵
PID:3692

C:\Windows\SysWOW64\Ofbnkgci.exe
C:\Windows\system32\Ofbnkgci.exe
286⤵
PID:3700

C:\Windows\SysWOW64\Onjfmedl.exe
C:\Windows\system32\Onjfmedl.exe
287⤵
PID:3708

C:\Windows\SysWOW64\Ommfha32.exe
C:\Windows\system32\Ommfha32.exe
288⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3716

C:\Windows\SysWOW64\Ocfnelbc.exe
C:\Windows\system32\Ocfnelbc.exe
289⤵
PID:3724

C:\Windows\SysWOW64\Ofejagag.exe
C:\Windows\system32\Ofejagag.exe
290⤵
PID:3732

C:\Windows\SysWOW64\Oicgmbqk.exe
C:\Windows\system32\Oicgmbqk.exe
291⤵
PID:3740

C:\Windows\SysWOW64\Oqjonp32.exe
C:\Windows\system32\Oqjonp32.exe
292⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3748

C:\Windows\SysWOW64\Ocikjk32.exe
C:\Windows\system32\Ocikjk32.exe
293⤵
PID:3756

C:\Windows\SysWOW64\Ojccgehm.exe
C:\Windows\system32\Ojccgehm.exe
294⤵
- Drops file in System32 directory
PID:3764

C:\Windows\SysWOW64\Omaocaga.exe
C:\Windows\system32\Omaocaga.exe
295⤵
PID:3772

C:\Windows\SysWOW64\Obnhlheh.exe
C:\Windows\system32\Obnhlheh.exe
296⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3780

C:\Windows\SysWOW64\Pihphb32.exe
C:\Windows\system32\Pihphb32.exe
297⤵
PID:3788

C:\Windows\SysWOW64\Ppbhel32.exe
C:\Windows\system32\Ppbhel32.exe
298⤵
PID:3796

C:\Windows\SysWOW64\Pbpdag32.exe
C:\Windows\system32\Pbpdag32.exe
299⤵
- Modifies registry class
PID:3804

C:\Windows\SysWOW64\Pijmnajb.exe
C:\Windows\system32\Pijmnajb.exe
300⤵
PID:3812

C:\Windows\SysWOW64\Ppdekl32.exe
C:\Windows\system32\Ppdekl32.exe
301⤵
- Modifies registry class
PID:3820

C:\Windows\SysWOW64\Paeabdhn.exe
C:\Windows\system32\Paeabdhn.exe
302⤵
- Modifies registry class
PID:3828

C:\Windows\SysWOW64\Pgpjon32.exe
C:\Windows\system32\Pgpjon32.exe
303⤵
PID:3836

C:\Windows\SysWOW64\Pjnfki32.exe
C:\Windows\system32\Pjnfki32.exe
304⤵
PID:3844

C:\Windows\SysWOW64\Pbenlgoq.exe
C:\Windows\system32\Pbenlgoq.exe
305⤵
- Modifies registry class
PID:3860

C:\Windows\SysWOW64\Pecjhbnd.exe
C:\Windows\system32\Pecjhbnd.exe
306⤵
PID:3868

C:\Windows\SysWOW64\Pgbfdnmh.exe
C:\Windows\system32\Pgbfdnmh.exe
307⤵
PID:3880

C:\Windows\SysWOW64\Plmbel32.exe
C:\Windows\system32\Plmbel32.exe
308⤵
- Drops file in System32 directory
PID:3892

C:\Windows\SysWOW64\Pnloah32.exe
C:\Windows\system32\Pnloah32.exe
309⤵
PID:3916

C:\Windows\SysWOW64\Pajkmc32.exe
C:\Windows\system32\Pajkmc32.exe
310⤵
- Modifies registry class
PID:3936

C:\Windows\SysWOW64\Pcigio32.exe
C:\Windows\system32\Pcigio32.exe
311⤵
- Drops file in System32 directory
PID:3948

C:\Windows\SysWOW64\Pfgcej32.exe
C:\Windows\system32\Pfgcej32.exe
312⤵
PID:3960

C:\Windows\SysWOW64\Qpphnp32.exe
C:\Windows\system32\Qpphnp32.exe
313⤵
PID:3968

C:\Windows\SysWOW64\Qckdonai.exe
C:\Windows\system32\Qckdonai.exe
314⤵
PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 140
315⤵
- Program crash
PID:3984

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lamkkllp.exe
Filesize
50KB

MD5
64062418e8a115acbf113f43787bdd38

SHA1
eaa0205e01c5d32bcbaf0e7a65efb94df4cceaeb

SHA256
883cf8d1f4addf4fee40dfdca36c0e8524c29c4c95a065fc69774b81ad610974

SHA512
8c1b8ad9c3a04bb29afbf581dbb01266fc6cbe2cab001cdc955d43d118228a88faa5260c4d29559a872c3090a851040e2e95280d2fe75618f208c543d99655ac

Download Submit
C:\Windows\SysWOW64\Lamkkllp.exe
Filesize
50KB

MD5
64062418e8a115acbf113f43787bdd38

SHA1
eaa0205e01c5d32bcbaf0e7a65efb94df4cceaeb

SHA256
883cf8d1f4addf4fee40dfdca36c0e8524c29c4c95a065fc69774b81ad610974

SHA512
8c1b8ad9c3a04bb29afbf581dbb01266fc6cbe2cab001cdc955d43d118228a88faa5260c4d29559a872c3090a851040e2e95280d2fe75618f208c543d99655ac

Download Submit
C:\Windows\SysWOW64\Lgnmnb32.exe
Filesize
50KB

MD5
9c1ef5e8dd7e4287d1e1897a3695efd5

SHA1
19e378451c8c863a3a3b3b3cdba4a95195b92850

SHA256
e2ffa3a799bda6f27a568834c8f4830372be65d5f637312397297feea766083a

SHA512
7d84cb20e525a83f1800e11490790bf239d9b8378a45c8464ee7399fdde4ecff67f983cabdd494d897379feb70cc2b9462ca988770c0e210bebd9e716186f906

Download Submit
C:\Windows\SysWOW64\Lgnmnb32.exe
Filesize
50KB

MD5
9c1ef5e8dd7e4287d1e1897a3695efd5

SHA1
19e378451c8c863a3a3b3b3cdba4a95195b92850

SHA256
e2ffa3a799bda6f27a568834c8f4830372be65d5f637312397297feea766083a

SHA512
7d84cb20e525a83f1800e11490790bf239d9b8378a45c8464ee7399fdde4ecff67f983cabdd494d897379feb70cc2b9462ca988770c0e210bebd9e716186f906

Download Submit
C:\Windows\SysWOW64\Lgpica32.exe
Filesize
50KB

MD5
405b04b7b33889ee5755b3271bd6056f

SHA1
4f6d8ee619fde828c7acb3e84d206b0c17d88361

SHA256
427bf0c9a3cb54926e0430b2e8d039d6cd4f5619bccc468e3f4b6412678cc42c

SHA512
ec96099df831cb6eaef2e77e2d37a638abb3f18505b9147265cc708297c6ba56758154eb995b22a5a4bf9a5bb05810a78361597d7cb08bceb6bd33f93f6d9ce3

Download Submit
C:\Windows\SysWOW64\Lgpica32.exe
Filesize
50KB

MD5
405b04b7b33889ee5755b3271bd6056f

SHA1
4f6d8ee619fde828c7acb3e84d206b0c17d88361

SHA256
427bf0c9a3cb54926e0430b2e8d039d6cd4f5619bccc468e3f4b6412678cc42c

SHA512
ec96099df831cb6eaef2e77e2d37a638abb3f18505b9147265cc708297c6ba56758154eb995b22a5a4bf9a5bb05810a78361597d7cb08bceb6bd33f93f6d9ce3

Download Submit
C:\Windows\SysWOW64\Lkglia32.exe
Filesize
50KB

MD5
8da13bb2c12b8051dbdcfe71de396fef

SHA1
4ed0ac422d77f5f96d07c9f12156348c87a4a0bf

SHA256
ed4fb667f92e88d6b9a24fb144e3ad16edc4cb023add2246db2f141997588c68

SHA512
86ff49ddbc9942bfffd736c6ec2838f067c2472d13a7d704ac1619d4ea8b8ab897429cd7cab4f977020dbc84f3f442e4bf7f7545b8137f40e3486cf031930076

Download Submit
C:\Windows\SysWOW64\Lkglia32.exe
Filesize
50KB

MD5
8da13bb2c12b8051dbdcfe71de396fef

SHA1
4ed0ac422d77f5f96d07c9f12156348c87a4a0bf

SHA256
ed4fb667f92e88d6b9a24fb144e3ad16edc4cb023add2246db2f141997588c68

SHA512
86ff49ddbc9942bfffd736c6ec2838f067c2472d13a7d704ac1619d4ea8b8ab897429cd7cab4f977020dbc84f3f442e4bf7f7545b8137f40e3486cf031930076

Download Submit
C:\Windows\SysWOW64\Lmkefi32.exe
Filesize
50KB

MD5
ce9c0862941e281e9bf1dde0b2b33988

SHA1
543784cfa13d896b2992a47b114714b3be4bdab4

SHA256
befc2e6546e5f394985cc33d4f15c83f43ed8828dd547c3589d80fba0f6fbf41

SHA512
5395e3808a72323d9b502467d6e7eefdcc6866033309360d5028c31e15246b64e2c7f2b96764e6ddae45023b68a4694d002f76c6ac31a731898675324399e20f

Download Submit
C:\Windows\SysWOW64\Lmkefi32.exe
Filesize
50KB

MD5
ce9c0862941e281e9bf1dde0b2b33988

SHA1
543784cfa13d896b2992a47b114714b3be4bdab4

SHA256
befc2e6546e5f394985cc33d4f15c83f43ed8828dd547c3589d80fba0f6fbf41

SHA512
5395e3808a72323d9b502467d6e7eefdcc6866033309360d5028c31e15246b64e2c7f2b96764e6ddae45023b68a4694d002f76c6ac31a731898675324399e20f

Download Submit
C:\Windows\SysWOW64\Mafnfkon.exe
Filesize
50KB

MD5
d3e7527f18380c5d2352a2131d2a6e0c

SHA1
9b8c3a85de17c585ef39548db0ee3569376f990c

SHA256
f42afed5b2f89629ffe2e4cec461ead8067ba2856290246e3c376c7b4bd399e8

SHA512
e904c6fbf0d070e5b3b30b15961c54069b217c7eb5f004b0648d6a37aff4c0815431e4f526fd9e2bb7cf74752fd88d8609a3f4936a2833e58f4b5b9551d4c7ba

Download Submit
C:\Windows\SysWOW64\Mafnfkon.exe
Filesize
50KB

MD5
d3e7527f18380c5d2352a2131d2a6e0c

SHA1
9b8c3a85de17c585ef39548db0ee3569376f990c

SHA256
f42afed5b2f89629ffe2e4cec461ead8067ba2856290246e3c376c7b4bd399e8

SHA512
e904c6fbf0d070e5b3b30b15961c54069b217c7eb5f004b0648d6a37aff4c0815431e4f526fd9e2bb7cf74752fd88d8609a3f4936a2833e58f4b5b9551d4c7ba

Download Submit
C:\Windows\SysWOW64\Mblgjonl.exe
Filesize
50KB

MD5
783de4fc0a89900b9964bf40c96d4539

SHA1
b5ed78df9454d992a37848f2d38d37608665dd33

SHA256
cb14834e605044f49bee784c66c5c10b3f3f7bbfbc3d9780cb4b2565d1d73fdf

SHA512
b663505ede8067609ac3072c1558bc32e5fd944fc7449780462c0dfa5e21d4aae76034be778a5e6a1bfac6f664cb9e52fbc9a7e6f56c69eb1d836a0d727c786a

Download Submit
C:\Windows\SysWOW64\Mblgjonl.exe
Filesize
50KB

MD5
783de4fc0a89900b9964bf40c96d4539

SHA1
b5ed78df9454d992a37848f2d38d37608665dd33

SHA256
cb14834e605044f49bee784c66c5c10b3f3f7bbfbc3d9780cb4b2565d1d73fdf

SHA512
b663505ede8067609ac3072c1558bc32e5fd944fc7449780462c0dfa5e21d4aae76034be778a5e6a1bfac6f664cb9e52fbc9a7e6f56c69eb1d836a0d727c786a

Download Submit
C:\Windows\SysWOW64\Mbodooli.exe
Filesize
50KB

MD5
31d21f1aa19373c29aef054e0e3657f1

SHA1
720d40fd1985fa71952ac4f491e00f8c5d2b9a87

SHA256
111199c967aa52a2228639871ae7a65af1c026da86dda6404bdeca664cf4c2c4

SHA512
925e6f67c9b3df36dc7354b033dfbfa55ce3d3f53e67eaec8cc1565b54756b4cbebb70e39987bbe28f82b2cb2b61409cf6b032cd4360be1a7913fe1e020c2996

Download Submit
C:\Windows\SysWOW64\Mbodooli.exe
Filesize
50KB

MD5
31d21f1aa19373c29aef054e0e3657f1

SHA1
720d40fd1985fa71952ac4f491e00f8c5d2b9a87

SHA256
111199c967aa52a2228639871ae7a65af1c026da86dda6404bdeca664cf4c2c4

SHA512
925e6f67c9b3df36dc7354b033dfbfa55ce3d3f53e67eaec8cc1565b54756b4cbebb70e39987bbe28f82b2cb2b61409cf6b032cd4360be1a7913fe1e020c2996

Download Submit
C:\Windows\SysWOW64\Mfefen32.exe
Filesize
50KB

MD5
93eecb13f263241ecbb8b805381b3955

SHA1
7bb32e3d8421a2c0d04acdf17c48ae1ad2ba7275

SHA256
d6d862bdd5878428e1e7d1a89f1ce5b9d00a332d8cbb333a6402b877addf50fa

SHA512
bc32d464d469a2c274f1d61fa27079d1a91921fa32a2233c7c39571573ff5a040f23b208f4b49e09ce0f82d3a4e37d1c6aab1f712cc39545e339bf51d55ba733

Download Submit
C:\Windows\SysWOW64\Mfefen32.exe
Filesize
50KB

MD5
93eecb13f263241ecbb8b805381b3955

SHA1
7bb32e3d8421a2c0d04acdf17c48ae1ad2ba7275

SHA256
d6d862bdd5878428e1e7d1a89f1ce5b9d00a332d8cbb333a6402b877addf50fa

SHA512
bc32d464d469a2c274f1d61fa27079d1a91921fa32a2233c7c39571573ff5a040f23b208f4b49e09ce0f82d3a4e37d1c6aab1f712cc39545e339bf51d55ba733

Download Submit
C:\Windows\SysWOW64\Mgklge32.exe
Filesize
50KB

MD5
04a7ad35abc2ab5076d5bc56cbedfcaa

SHA1
389b4807eb6cebd91caca20f24943b4c0028a944

SHA256
499432cc2e9691a7bfacad1880ea34cb4d7d9250032dbb3c61b9ecfa616c8ab3

SHA512
e1096cd3244f50c5ffce27430933385e3231377e8ad55e3beeea1ce7779c43334320646ac053fb47ca817f46b55ed7b520fb6d950797ae0eb69ba4be10fef5ac

Download Submit
C:\Windows\SysWOW64\Mgklge32.exe
Filesize
50KB

MD5
04a7ad35abc2ab5076d5bc56cbedfcaa

SHA1
389b4807eb6cebd91caca20f24943b4c0028a944

SHA256
499432cc2e9691a7bfacad1880ea34cb4d7d9250032dbb3c61b9ecfa616c8ab3

SHA512
e1096cd3244f50c5ffce27430933385e3231377e8ad55e3beeea1ce7779c43334320646ac053fb47ca817f46b55ed7b520fb6d950797ae0eb69ba4be10fef5ac

Download Submit
C:\Windows\SysWOW64\Mgnime32.exe
Filesize
50KB

MD5
9153ff1e77e6b2e0036ea46373782680

SHA1
bca760dbad42a89652e4fc71e7dfa2f4348c528d

SHA256
b25883b982f16e1130d945c87cb188e66f2c29a176a1965baae12366b8451d67

SHA512
f9bd8d142ef4ba19dc459ea7f59062c2136dff4bde580b2fc948ea36058d5581a50f4882512fa93de3604fc664ef3177a25c51466d8449527504b6357b46ff97

Download Submit
C:\Windows\SysWOW64\Mgnime32.exe
Filesize
50KB

MD5
9153ff1e77e6b2e0036ea46373782680

SHA1
bca760dbad42a89652e4fc71e7dfa2f4348c528d

SHA256
b25883b982f16e1130d945c87cb188e66f2c29a176a1965baae12366b8451d67

SHA512
f9bd8d142ef4ba19dc459ea7f59062c2136dff4bde580b2fc948ea36058d5581a50f4882512fa93de3604fc664ef3177a25c51466d8449527504b6357b46ff97

Download Submit
C:\Windows\SysWOW64\Mmbkghna.exe
Filesize
50KB

MD5
5b693e5e5a5e868997e6094564e77262

SHA1
7020de4c5a033914d4fa29d2636a0d899a7298c1

SHA256
f0f4d9371e5040f9503825b2cfdef029d6bd494d8343fa19a1c6eef8352be8f7

SHA512
d01b7b41dd7c4569e4cf6f7a3c34658251597aa8cd21c9bc668055d22f93f133b4872b24b639fa824ec8a1e705d74aecd36a86abdeb4ad7cdc2786f7abe5e830

Download Submit
C:\Windows\SysWOW64\Mmbkghna.exe
Filesize
50KB

MD5
5b693e5e5a5e868997e6094564e77262

SHA1
7020de4c5a033914d4fa29d2636a0d899a7298c1

SHA256
f0f4d9371e5040f9503825b2cfdef029d6bd494d8343fa19a1c6eef8352be8f7

SHA512
d01b7b41dd7c4569e4cf6f7a3c34658251597aa8cd21c9bc668055d22f93f133b4872b24b639fa824ec8a1e705d74aecd36a86abdeb4ad7cdc2786f7abe5e830

Download Submit
C:\Windows\SysWOW64\Mneddpbm.exe
Filesize
50KB

MD5
fbebc6b0c6908f513323648a7c55b381

SHA1
ee3bef5ff0f72f617f22ca891c68abcf36e939da

SHA256
eacc81b9431fbe04203db4cca386588b09f2788535b313e80e30d0355def285e

SHA512
47575904420b1819ad84916df9fd5d3f358f20382b3a410fb15de60702e3d0df6ca53cb79e4096ea3e5f837376ab19fc85fca6c4d5881df88157e2d7fb107582

Download Submit
C:\Windows\SysWOW64\Mneddpbm.exe
Filesize
50KB

MD5
fbebc6b0c6908f513323648a7c55b381

SHA1
ee3bef5ff0f72f617f22ca891c68abcf36e939da

SHA256
eacc81b9431fbe04203db4cca386588b09f2788535b313e80e30d0355def285e

SHA512
47575904420b1819ad84916df9fd5d3f358f20382b3a410fb15de60702e3d0df6ca53cb79e4096ea3e5f837376ab19fc85fca6c4d5881df88157e2d7fb107582

Download Submit
C:\Windows\SysWOW64\Monkncoh.exe
Filesize
50KB

MD5
827ec22f1bf91341841bb92029cb8902

SHA1
63230bb3605f1d5abb9da9087e4297d33bc03051

SHA256
937b149f2a5c3351795267b4e2514d84df8ee2ed99cff674730ea9ac5de531d5

SHA512
b7031bab33a837607746bf86d3f782b71f594fc54153a78c47d5a6dda5218d0ffae7a4b6eb49432ad17b9da84ae3e44025e8521e1106d6969d7f022fe3eb8aa6

Download Submit
C:\Windows\SysWOW64\Monkncoh.exe
Filesize
50KB

MD5
827ec22f1bf91341841bb92029cb8902

SHA1
63230bb3605f1d5abb9da9087e4297d33bc03051

SHA256
937b149f2a5c3351795267b4e2514d84df8ee2ed99cff674730ea9ac5de531d5

SHA512
b7031bab33a837607746bf86d3f782b71f594fc54153a78c47d5a6dda5218d0ffae7a4b6eb49432ad17b9da84ae3e44025e8521e1106d6969d7f022fe3eb8aa6

Download Submit
C:\Windows\SysWOW64\Mqinmgjp.exe
Filesize
50KB

MD5
e2b72663c7cd792f4761d48346583538

SHA1
a94e07c514ff6dac9d7e2b3ef990bb0a9ec3bf08

SHA256
d163041d12bfa7c2f8bc41fabff82ca853e3cf5742ef8c9dfd22194866c99120

SHA512
7963732aeda715cc00c6bc2dacc87cfe8fe1fecd257b2479b460d0dcd2ba7419a1b5ac9bddddbd49332ed788ab6773bf1c6fb61dadef4a449ae7e0a9298a7fdb

Download Submit
C:\Windows\SysWOW64\Mqinmgjp.exe
Filesize
50KB

MD5
e2b72663c7cd792f4761d48346583538

SHA1
a94e07c514ff6dac9d7e2b3ef990bb0a9ec3bf08

SHA256
d163041d12bfa7c2f8bc41fabff82ca853e3cf5742ef8c9dfd22194866c99120

SHA512
7963732aeda715cc00c6bc2dacc87cfe8fe1fecd257b2479b460d0dcd2ba7419a1b5ac9bddddbd49332ed788ab6773bf1c6fb61dadef4a449ae7e0a9298a7fdb

Download Submit
C:\Windows\SysWOW64\Nnjnoo32.exe
Filesize
50KB

MD5
d7bc5e93a6289280a3b47f81a1ef5656

SHA1
45c445a1b584dfd30e640e5629420a7b256a26de

SHA256
b968a1667f81b0897baccc1f34267ef4c7e33ece266dc7c9df3971fa4d0d3df8

SHA512
f4b872c270d9f759348533b42e3935dc633fa8e7d913b91a8d0446929108dbb8ba3feab9087e2273ca5e4f3b8457af057c33d4f00e22d565e6cecacd3af5ec6a

Download Submit
C:\Windows\SysWOW64\Nnjnoo32.exe
Filesize
50KB

MD5
d7bc5e93a6289280a3b47f81a1ef5656

SHA1
45c445a1b584dfd30e640e5629420a7b256a26de

SHA256
b968a1667f81b0897baccc1f34267ef4c7e33ece266dc7c9df3971fa4d0d3df8

SHA512
f4b872c270d9f759348533b42e3935dc633fa8e7d913b91a8d0446929108dbb8ba3feab9087e2273ca5e4f3b8457af057c33d4f00e22d565e6cecacd3af5ec6a

Download Submit
\Windows\SysWOW64\Lamkkllp.exe
Filesize
50KB

MD5
64062418e8a115acbf113f43787bdd38

SHA1
eaa0205e01c5d32bcbaf0e7a65efb94df4cceaeb

SHA256
883cf8d1f4addf4fee40dfdca36c0e8524c29c4c95a065fc69774b81ad610974

SHA512
8c1b8ad9c3a04bb29afbf581dbb01266fc6cbe2cab001cdc955d43d118228a88faa5260c4d29559a872c3090a851040e2e95280d2fe75618f208c543d99655ac

Download Submit
\Windows\SysWOW64\Lamkkllp.exe
Filesize
50KB

MD5
64062418e8a115acbf113f43787bdd38

SHA1
eaa0205e01c5d32bcbaf0e7a65efb94df4cceaeb

SHA256
883cf8d1f4addf4fee40dfdca36c0e8524c29c4c95a065fc69774b81ad610974

SHA512
8c1b8ad9c3a04bb29afbf581dbb01266fc6cbe2cab001cdc955d43d118228a88faa5260c4d29559a872c3090a851040e2e95280d2fe75618f208c543d99655ac

Download Submit
\Windows\SysWOW64\Lgnmnb32.exe
Filesize
50KB

MD5
9c1ef5e8dd7e4287d1e1897a3695efd5

SHA1
19e378451c8c863a3a3b3b3cdba4a95195b92850

SHA256
e2ffa3a799bda6f27a568834c8f4830372be65d5f637312397297feea766083a

SHA512
7d84cb20e525a83f1800e11490790bf239d9b8378a45c8464ee7399fdde4ecff67f983cabdd494d897379feb70cc2b9462ca988770c0e210bebd9e716186f906

Download Submit
\Windows\SysWOW64\Lgnmnb32.exe
Filesize
50KB

MD5
9c1ef5e8dd7e4287d1e1897a3695efd5

SHA1
19e378451c8c863a3a3b3b3cdba4a95195b92850

SHA256
e2ffa3a799bda6f27a568834c8f4830372be65d5f637312397297feea766083a

SHA512
7d84cb20e525a83f1800e11490790bf239d9b8378a45c8464ee7399fdde4ecff67f983cabdd494d897379feb70cc2b9462ca988770c0e210bebd9e716186f906

Download Submit
\Windows\SysWOW64\Lgpica32.exe
Filesize
50KB

MD5
405b04b7b33889ee5755b3271bd6056f

SHA1
4f6d8ee619fde828c7acb3e84d206b0c17d88361

SHA256
427bf0c9a3cb54926e0430b2e8d039d6cd4f5619bccc468e3f4b6412678cc42c

SHA512
ec96099df831cb6eaef2e77e2d37a638abb3f18505b9147265cc708297c6ba56758154eb995b22a5a4bf9a5bb05810a78361597d7cb08bceb6bd33f93f6d9ce3

Download Submit
\Windows\SysWOW64\Lgpica32.exe
Filesize
50KB

MD5
405b04b7b33889ee5755b3271bd6056f

SHA1
4f6d8ee619fde828c7acb3e84d206b0c17d88361

SHA256
427bf0c9a3cb54926e0430b2e8d039d6cd4f5619bccc468e3f4b6412678cc42c

SHA512
ec96099df831cb6eaef2e77e2d37a638abb3f18505b9147265cc708297c6ba56758154eb995b22a5a4bf9a5bb05810a78361597d7cb08bceb6bd33f93f6d9ce3

Download Submit
\Windows\SysWOW64\Lkglia32.exe
Filesize
50KB

MD5
8da13bb2c12b8051dbdcfe71de396fef

SHA1
4ed0ac422d77f5f96d07c9f12156348c87a4a0bf

SHA256
ed4fb667f92e88d6b9a24fb144e3ad16edc4cb023add2246db2f141997588c68

SHA512
86ff49ddbc9942bfffd736c6ec2838f067c2472d13a7d704ac1619d4ea8b8ab897429cd7cab4f977020dbc84f3f442e4bf7f7545b8137f40e3486cf031930076

Download Submit
\Windows\SysWOW64\Lkglia32.exe
Filesize
50KB

MD5
8da13bb2c12b8051dbdcfe71de396fef

SHA1
4ed0ac422d77f5f96d07c9f12156348c87a4a0bf

SHA256
ed4fb667f92e88d6b9a24fb144e3ad16edc4cb023add2246db2f141997588c68

SHA512
86ff49ddbc9942bfffd736c6ec2838f067c2472d13a7d704ac1619d4ea8b8ab897429cd7cab4f977020dbc84f3f442e4bf7f7545b8137f40e3486cf031930076

Download Submit
\Windows\SysWOW64\Lmkefi32.exe
Filesize
50KB

MD5
ce9c0862941e281e9bf1dde0b2b33988

SHA1
543784cfa13d896b2992a47b114714b3be4bdab4

SHA256
befc2e6546e5f394985cc33d4f15c83f43ed8828dd547c3589d80fba0f6fbf41

SHA512
5395e3808a72323d9b502467d6e7eefdcc6866033309360d5028c31e15246b64e2c7f2b96764e6ddae45023b68a4694d002f76c6ac31a731898675324399e20f

Download Submit
\Windows\SysWOW64\Lmkefi32.exe
Filesize
50KB

MD5
ce9c0862941e281e9bf1dde0b2b33988

SHA1
543784cfa13d896b2992a47b114714b3be4bdab4

SHA256
befc2e6546e5f394985cc33d4f15c83f43ed8828dd547c3589d80fba0f6fbf41

SHA512
5395e3808a72323d9b502467d6e7eefdcc6866033309360d5028c31e15246b64e2c7f2b96764e6ddae45023b68a4694d002f76c6ac31a731898675324399e20f

Download Submit
\Windows\SysWOW64\Mafnfkon.exe
Filesize
50KB

MD5
d3e7527f18380c5d2352a2131d2a6e0c

SHA1
9b8c3a85de17c585ef39548db0ee3569376f990c

SHA256
f42afed5b2f89629ffe2e4cec461ead8067ba2856290246e3c376c7b4bd399e8

SHA512
e904c6fbf0d070e5b3b30b15961c54069b217c7eb5f004b0648d6a37aff4c0815431e4f526fd9e2bb7cf74752fd88d8609a3f4936a2833e58f4b5b9551d4c7ba

Download Submit
\Windows\SysWOW64\Mafnfkon.exe
Filesize
50KB

MD5
d3e7527f18380c5d2352a2131d2a6e0c

SHA1
9b8c3a85de17c585ef39548db0ee3569376f990c

SHA256
f42afed5b2f89629ffe2e4cec461ead8067ba2856290246e3c376c7b4bd399e8

SHA512
e904c6fbf0d070e5b3b30b15961c54069b217c7eb5f004b0648d6a37aff4c0815431e4f526fd9e2bb7cf74752fd88d8609a3f4936a2833e58f4b5b9551d4c7ba

Download Submit
\Windows\SysWOW64\Mblgjonl.exe
Filesize
50KB

MD5
783de4fc0a89900b9964bf40c96d4539

SHA1
b5ed78df9454d992a37848f2d38d37608665dd33

SHA256
cb14834e605044f49bee784c66c5c10b3f3f7bbfbc3d9780cb4b2565d1d73fdf

SHA512
b663505ede8067609ac3072c1558bc32e5fd944fc7449780462c0dfa5e21d4aae76034be778a5e6a1bfac6f664cb9e52fbc9a7e6f56c69eb1d836a0d727c786a

Download Submit
\Windows\SysWOW64\Mblgjonl.exe
Filesize
50KB

MD5
783de4fc0a89900b9964bf40c96d4539

SHA1
b5ed78df9454d992a37848f2d38d37608665dd33

SHA256
cb14834e605044f49bee784c66c5c10b3f3f7bbfbc3d9780cb4b2565d1d73fdf

SHA512
b663505ede8067609ac3072c1558bc32e5fd944fc7449780462c0dfa5e21d4aae76034be778a5e6a1bfac6f664cb9e52fbc9a7e6f56c69eb1d836a0d727c786a

Download Submit
\Windows\SysWOW64\Mbodooli.exe
Filesize
50KB

MD5
31d21f1aa19373c29aef054e0e3657f1

SHA1
720d40fd1985fa71952ac4f491e00f8c5d2b9a87

SHA256
111199c967aa52a2228639871ae7a65af1c026da86dda6404bdeca664cf4c2c4

SHA512
925e6f67c9b3df36dc7354b033dfbfa55ce3d3f53e67eaec8cc1565b54756b4cbebb70e39987bbe28f82b2cb2b61409cf6b032cd4360be1a7913fe1e020c2996

Download Submit
\Windows\SysWOW64\Mbodooli.exe
Filesize
50KB

MD5
31d21f1aa19373c29aef054e0e3657f1

SHA1
720d40fd1985fa71952ac4f491e00f8c5d2b9a87

SHA256
111199c967aa52a2228639871ae7a65af1c026da86dda6404bdeca664cf4c2c4

SHA512
925e6f67c9b3df36dc7354b033dfbfa55ce3d3f53e67eaec8cc1565b54756b4cbebb70e39987bbe28f82b2cb2b61409cf6b032cd4360be1a7913fe1e020c2996

Download Submit
\Windows\SysWOW64\Mfefen32.exe
Filesize
50KB

MD5
93eecb13f263241ecbb8b805381b3955

SHA1
7bb32e3d8421a2c0d04acdf17c48ae1ad2ba7275

SHA256
d6d862bdd5878428e1e7d1a89f1ce5b9d00a332d8cbb333a6402b877addf50fa

SHA512
bc32d464d469a2c274f1d61fa27079d1a91921fa32a2233c7c39571573ff5a040f23b208f4b49e09ce0f82d3a4e37d1c6aab1f712cc39545e339bf51d55ba733

Download Submit
\Windows\SysWOW64\Mfefen32.exe
Filesize
50KB

MD5
93eecb13f263241ecbb8b805381b3955

SHA1
7bb32e3d8421a2c0d04acdf17c48ae1ad2ba7275

SHA256
d6d862bdd5878428e1e7d1a89f1ce5b9d00a332d8cbb333a6402b877addf50fa

SHA512
bc32d464d469a2c274f1d61fa27079d1a91921fa32a2233c7c39571573ff5a040f23b208f4b49e09ce0f82d3a4e37d1c6aab1f712cc39545e339bf51d55ba733

Download Submit
\Windows\SysWOW64\Mgklge32.exe
Filesize
50KB

MD5
04a7ad35abc2ab5076d5bc56cbedfcaa

SHA1
389b4807eb6cebd91caca20f24943b4c0028a944

SHA256
499432cc2e9691a7bfacad1880ea34cb4d7d9250032dbb3c61b9ecfa616c8ab3

SHA512
e1096cd3244f50c5ffce27430933385e3231377e8ad55e3beeea1ce7779c43334320646ac053fb47ca817f46b55ed7b520fb6d950797ae0eb69ba4be10fef5ac

Download Submit
\Windows\SysWOW64\Mgklge32.exe
Filesize
50KB

MD5
04a7ad35abc2ab5076d5bc56cbedfcaa

SHA1
389b4807eb6cebd91caca20f24943b4c0028a944

SHA256
499432cc2e9691a7bfacad1880ea34cb4d7d9250032dbb3c61b9ecfa616c8ab3

SHA512
e1096cd3244f50c5ffce27430933385e3231377e8ad55e3beeea1ce7779c43334320646ac053fb47ca817f46b55ed7b520fb6d950797ae0eb69ba4be10fef5ac

Download Submit
\Windows\SysWOW64\Mgnime32.exe
Filesize
50KB

MD5
9153ff1e77e6b2e0036ea46373782680

SHA1
bca760dbad42a89652e4fc71e7dfa2f4348c528d

SHA256
b25883b982f16e1130d945c87cb188e66f2c29a176a1965baae12366b8451d67

SHA512
f9bd8d142ef4ba19dc459ea7f59062c2136dff4bde580b2fc948ea36058d5581a50f4882512fa93de3604fc664ef3177a25c51466d8449527504b6357b46ff97

Download Submit
\Windows\SysWOW64\Mgnime32.exe
Filesize
50KB

MD5
9153ff1e77e6b2e0036ea46373782680

SHA1
bca760dbad42a89652e4fc71e7dfa2f4348c528d

SHA256
b25883b982f16e1130d945c87cb188e66f2c29a176a1965baae12366b8451d67

SHA512
f9bd8d142ef4ba19dc459ea7f59062c2136dff4bde580b2fc948ea36058d5581a50f4882512fa93de3604fc664ef3177a25c51466d8449527504b6357b46ff97

Download Submit
\Windows\SysWOW64\Mmbkghna.exe
Filesize
50KB

MD5
5b693e5e5a5e868997e6094564e77262

SHA1
7020de4c5a033914d4fa29d2636a0d899a7298c1

SHA256
f0f4d9371e5040f9503825b2cfdef029d6bd494d8343fa19a1c6eef8352be8f7

SHA512
d01b7b41dd7c4569e4cf6f7a3c34658251597aa8cd21c9bc668055d22f93f133b4872b24b639fa824ec8a1e705d74aecd36a86abdeb4ad7cdc2786f7abe5e830

Download Submit
\Windows\SysWOW64\Mmbkghna.exe
Filesize
50KB

MD5
5b693e5e5a5e868997e6094564e77262

SHA1
7020de4c5a033914d4fa29d2636a0d899a7298c1

SHA256
f0f4d9371e5040f9503825b2cfdef029d6bd494d8343fa19a1c6eef8352be8f7

SHA512
d01b7b41dd7c4569e4cf6f7a3c34658251597aa8cd21c9bc668055d22f93f133b4872b24b639fa824ec8a1e705d74aecd36a86abdeb4ad7cdc2786f7abe5e830

Download Submit
\Windows\SysWOW64\Mneddpbm.exe
Filesize
50KB

MD5
fbebc6b0c6908f513323648a7c55b381

SHA1
ee3bef5ff0f72f617f22ca891c68abcf36e939da

SHA256
eacc81b9431fbe04203db4cca386588b09f2788535b313e80e30d0355def285e

SHA512
47575904420b1819ad84916df9fd5d3f358f20382b3a410fb15de60702e3d0df6ca53cb79e4096ea3e5f837376ab19fc85fca6c4d5881df88157e2d7fb107582

Download Submit
\Windows\SysWOW64\Mneddpbm.exe
Filesize
50KB

MD5
fbebc6b0c6908f513323648a7c55b381

SHA1
ee3bef5ff0f72f617f22ca891c68abcf36e939da

SHA256
eacc81b9431fbe04203db4cca386588b09f2788535b313e80e30d0355def285e

SHA512
47575904420b1819ad84916df9fd5d3f358f20382b3a410fb15de60702e3d0df6ca53cb79e4096ea3e5f837376ab19fc85fca6c4d5881df88157e2d7fb107582

Download Submit
\Windows\SysWOW64\Monkncoh.exe
Filesize
50KB

MD5
827ec22f1bf91341841bb92029cb8902

SHA1
63230bb3605f1d5abb9da9087e4297d33bc03051

SHA256
937b149f2a5c3351795267b4e2514d84df8ee2ed99cff674730ea9ac5de531d5

SHA512
b7031bab33a837607746bf86d3f782b71f594fc54153a78c47d5a6dda5218d0ffae7a4b6eb49432ad17b9da84ae3e44025e8521e1106d6969d7f022fe3eb8aa6

Download Submit
\Windows\SysWOW64\Monkncoh.exe
Filesize
50KB

MD5
827ec22f1bf91341841bb92029cb8902

SHA1
63230bb3605f1d5abb9da9087e4297d33bc03051

SHA256
937b149f2a5c3351795267b4e2514d84df8ee2ed99cff674730ea9ac5de531d5

SHA512
b7031bab33a837607746bf86d3f782b71f594fc54153a78c47d5a6dda5218d0ffae7a4b6eb49432ad17b9da84ae3e44025e8521e1106d6969d7f022fe3eb8aa6

Download Submit
\Windows\SysWOW64\Mqinmgjp.exe
Filesize
50KB

MD5
e2b72663c7cd792f4761d48346583538

SHA1
a94e07c514ff6dac9d7e2b3ef990bb0a9ec3bf08

SHA256
d163041d12bfa7c2f8bc41fabff82ca853e3cf5742ef8c9dfd22194866c99120

SHA512
7963732aeda715cc00c6bc2dacc87cfe8fe1fecd257b2479b460d0dcd2ba7419a1b5ac9bddddbd49332ed788ab6773bf1c6fb61dadef4a449ae7e0a9298a7fdb

Download Submit
\Windows\SysWOW64\Mqinmgjp.exe
Filesize
50KB

MD5
e2b72663c7cd792f4761d48346583538

SHA1
a94e07c514ff6dac9d7e2b3ef990bb0a9ec3bf08

SHA256
d163041d12bfa7c2f8bc41fabff82ca853e3cf5742ef8c9dfd22194866c99120

SHA512
7963732aeda715cc00c6bc2dacc87cfe8fe1fecd257b2479b460d0dcd2ba7419a1b5ac9bddddbd49332ed788ab6773bf1c6fb61dadef4a449ae7e0a9298a7fdb

Download Submit
\Windows\SysWOW64\Nnjnoo32.exe
Filesize
50KB

MD5
d7bc5e93a6289280a3b47f81a1ef5656

SHA1
45c445a1b584dfd30e640e5629420a7b256a26de

SHA256
b968a1667f81b0897baccc1f34267ef4c7e33ece266dc7c9df3971fa4d0d3df8

SHA512
f4b872c270d9f759348533b42e3935dc633fa8e7d913b91a8d0446929108dbb8ba3feab9087e2273ca5e4f3b8457af057c33d4f00e22d565e6cecacd3af5ec6a

Download Submit
\Windows\SysWOW64\Nnjnoo32.exe
Filesize
50KB

MD5
d7bc5e93a6289280a3b47f81a1ef5656

SHA1
45c445a1b584dfd30e640e5629420a7b256a26de

SHA256
b968a1667f81b0897baccc1f34267ef4c7e33ece266dc7c9df3971fa4d0d3df8

SHA512
f4b872c270d9f759348533b42e3935dc633fa8e7d913b91a8d0446929108dbb8ba3feab9087e2273ca5e4f3b8457af057c33d4f00e22d565e6cecacd3af5ec6a

Download Submit
memory/240-186-0x0000000000000000-mapping.dmp

Download
memory/272-217-0x0000000000000000-mapping.dmp

Download
memory/432-194-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/432-133-0x0000000000000000-mapping.dmp

Download
memory/520-86-0x0000000000000000-mapping.dmp

Download
memory/520-145-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/556-198-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/556-147-0x0000000000000000-mapping.dmp

Download
memory/612-192-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/612-127-0x0000000000000000-mapping.dmp

Download
memory/648-153-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/648-116-0x0000000000000000-mapping.dmp

Download
memory/664-156-0x0000000000000000-mapping.dmp

Download
memory/664-202-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/680-183-0x0000000000000000-mapping.dmp

Download
memory/748-182-0x0000000000000000-mapping.dmp

Download
memory/784-176-0x0000000000000000-mapping.dmp

Download
memory/816-212-0x0000000000000000-mapping.dmp

Download
memory/856-200-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/856-154-0x0000000000000000-mapping.dmp

Download
memory/880-188-0x0000000000000000-mapping.dmp

Download
memory/888-148-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/888-96-0x0000000000000000-mapping.dmp

Download
memory/932-220-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/932-219-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/932-161-0x0000000000000000-mapping.dmp

Download
memory/932-218-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/964-184-0x0000000000000000-mapping.dmp

Download
memory/984-179-0x0000000000000000-mapping.dmp

Download
memory/1020-213-0x00000000002A0000-0x00000000002D1000-memory.dmp

Filesize
196KB

Download
memory/1020-159-0x0000000000000000-mapping.dmp

Download
memory/1020-214-0x00000000002A0000-0x00000000002D1000-memory.dmp

Filesize
196KB

Download
memory/1020-211-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1044-237-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1044-238-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1044-170-0x0000000000000000-mapping.dmp

Download
memory/1052-222-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1052-223-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1052-221-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1052-162-0x0000000000000000-mapping.dmp

Download
memory/1108-242-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1108-244-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1108-243-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1108-172-0x0000000000000000-mapping.dmp

Download
memory/1140-191-0x0000000000000000-mapping.dmp

Download
memory/1176-136-0x00000000003C0000-0x00000000003F1000-memory.dmp

Filesize
196KB

Download
memory/1176-56-0x0000000000000000-mapping.dmp

Download
memory/1176-134-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1276-149-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1276-101-0x0000000000000000-mapping.dmp

Download
memory/1284-173-0x0000000000000000-mapping.dmp

Download
memory/1284-245-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1296-106-0x0000000000000000-mapping.dmp

Download
memory/1296-151-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1320-196-0x0000000000000000-mapping.dmp

Download
memory/1336-216-0x00000000002B0000-0x00000000002E1000-memory.dmp

Filesize
196KB

Download
memory/1336-160-0x0000000000000000-mapping.dmp

Download
memory/1336-215-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1372-209-0x0000000000000000-mapping.dmp

Download
memory/1404-175-0x0000000000000000-mapping.dmp

Download
memory/1456-174-0x0000000000000000-mapping.dmp

Download
memory/1468-81-0x0000000000000000-mapping.dmp

Download
memory/1468-144-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1492-138-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1492-61-0x0000000000000000-mapping.dmp

Download
memory/1500-208-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1500-158-0x0000000000000000-mapping.dmp

Download
memory/1500-210-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1500-207-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1536-178-0x0000000000000000-mapping.dmp

Download
memory/1552-195-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1552-140-0x0000000000000000-mapping.dmp

Download
memory/1604-189-0x0000000000000000-mapping.dmp

Download
memory/1644-177-0x0000000000000000-mapping.dmp

Download
memory/1692-205-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1692-157-0x0000000000000000-mapping.dmp

Download
memory/1692-206-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1692-203-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1704-150-0x0000000000000000-mapping.dmp

Download
memory/1704-199-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1708-190-0x0000000000000000-mapping.dmp

Download
memory/1724-235-0x0000000001B60000-0x0000000001B91000-memory.dmp

Filesize
196KB

Download
memory/1724-168-0x0000000000000000-mapping.dmp

Download
memory/1724-234-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1728-76-0x0000000000000000-mapping.dmp

Download
memory/1728-142-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1736-165-0x0000000000000000-mapping.dmp

Download
memory/1736-227-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1736-229-0x0000000000230000-0x0000000000261000-memory.dmp

Filesize
196KB

Download
memory/1736-228-0x0000000000230000-0x0000000000261000-memory.dmp

Filesize
196KB

Download
memory/1740-224-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1740-163-0x0000000000000000-mapping.dmp

Download
memory/1756-91-0x0000000000000000-mapping.dmp

Download
memory/1756-146-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1760-241-0x00000000001B0000-0x00000000001E1000-memory.dmp

Filesize
196KB

Download
memory/1760-239-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1760-171-0x0000000000000000-mapping.dmp

Download
memory/1760-240-0x00000000001B0000-0x00000000001E1000-memory.dmp

Filesize
196KB

Download
memory/1816-152-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1816-111-0x0000000000000000-mapping.dmp

Download
memory/1824-233-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1824-167-0x0000000000000000-mapping.dmp

Download
memory/1832-187-0x0000000000000000-mapping.dmp

Download
memory/1872-169-0x0000000000000000-mapping.dmp

Download
memory/1872-236-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1884-181-0x0000000000000000-mapping.dmp

Download
memory/1888-193-0x0000000000000000-mapping.dmp

Download
memory/1900-201-0x0000000000000000-mapping.dmp

Download
memory/1904-155-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1904-121-0x0000000000000000-mapping.dmp

Download
memory/1936-180-0x0000000000000000-mapping.dmp

Download
memory/1944-125-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1944-128-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1952-185-0x0000000000000000-mapping.dmp

Download
memory/1976-232-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1976-230-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1976-166-0x0000000000000000-mapping.dmp

Download
memory/1976-231-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1992-143-0x0000000000000000-mapping.dmp

Download
memory/1992-197-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2004-71-0x0000000000000000-mapping.dmp

Download
memory/2004-141-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2024-226-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/2024-225-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2024-164-0x0000000000000000-mapping.dmp

Download
memory/2028-204-0x0000000000000000-mapping.dmp

Download
memory/2040-66-0x0000000000000000-mapping.dmp

Download
memory/2040-139-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads