195c32abcdaeb92409275aab3f9de5c8917f4634a05883341fbbb46d58fc5086

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2024, 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae04b85157bc8bdea5e356244b8f6d85.exe
Size

109KB
MD5

ae04b85157bc8bdea5e356244b8f6d85
SHA1

cd074f7f955e3b4e00175b1b7e96150138ba8b6c
SHA256

195c32abcdaeb92409275aab3f9de5c8917f4634a05883341fbbb46d58fc5086
SHA512

988e5e75302994bb2822c227e40baba97b76db9375871dd6a3c4fcb3232f6b61935ac51a94650e2f991e3929a2bd60865aaaf6b77b63676681322ca8dea635bb
SSDEEP

3072:Jmm29JNED2D/wtkqvRQ7uKlS8R07mHMX8fo3PXl9Z7S/yCsKh2EzZA/z:JpCD/wholS8R07mHMXgo35e/yCthvUz

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	sihclient.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ae04b85157bc8bdea5e356244b8f6d85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	mousocoreworker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	mousocoreworker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	ae04b85157bc8bdea5e356244b8f6d85.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpappc32.exe

Executes dropped EXE 58 IoCs

pid	Process
4680	Kkbkamnl.exe
4784	Lmqgnhmp.exe
2004	Lalcng32.exe
4032	Ldkojb32.exe
5008	Lgikfn32.exe
1900	Liggbi32.exe
1848	sihclient.exe
4860	Lpappc32.exe
3484	Lcpllo32.exe
3304	Lgkhlnbn.exe
4828	Lijdhiaa.exe
2308	Lnepih32.exe
3852	Lpcmec32.exe
816	Lcbiao32.exe
1060	Lkiqbl32.exe
3364	Lilanioo.exe
4952	Laciofpa.exe
3056	Lpfijcfl.exe
1872	Lcdegnep.exe
1408	Lklnhlfb.exe
4980	Lcgblncm.exe
1860	Mjqjih32.exe
384	Mahbje32.exe
1996	Mciobn32.exe
4704	Mkpgck32.exe
5112	Mnocof32.exe
4148	Mpmokb32.exe
3496	Mcklgm32.exe
2748	Mkbchk32.exe
4272	Mpolqa32.exe
4500	Mcnhmm32.exe
4556	mousocoreworker.exe
1092	Mncmjfmk.exe
3796	Mpaifalo.exe
2644	Mcpebmkb.exe
4088	Mglack32.exe
460	Maaepd32.exe
2688	Mpdelajl.exe
4056	Mcbahlip.exe
3212	Nkjjij32.exe
4484	Nnhfee32.exe
3312	Nqfbaq32.exe
4772	Ndbnboqb.exe
1648	Ngpjnkpf.exe
3776	Nklfoi32.exe
736	Nafokcol.exe
3276	Nddkgonp.exe
1992	Ngcgcjnc.exe
4268	Nkncdifl.exe
5096	Nnmopdep.exe
3080	Nbhkac32.exe
4340	Ndghmo32.exe
2160	Nkqpjidj.exe
4528	Nnolfdcn.exe
3360	Nbkhfc32.exe
2604	Ndidbn32.exe
3588	Ncldnkae.exe
4732	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	ae04b85157bc8bdea5e356244b8f6d85.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lijdhiaa.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	ae04b85157bc8bdea5e356244b8f6d85.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3832	4732	WerFault.exe	32

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ae04b85157bc8bdea5e356244b8f6d85.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	ae04b85157bc8bdea5e356244b8f6d85.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	sihclient.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ae04b85157bc8bdea5e356244b8f6d85.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3332 wrote to memory of 4680	3332	ae04b85157bc8bdea5e356244b8f6d85.exe	81
PID 3332 wrote to memory of 4680	3332	ae04b85157bc8bdea5e356244b8f6d85.exe	81
PID 3332 wrote to memory of 4680	3332	ae04b85157bc8bdea5e356244b8f6d85.exe	81
PID 4680 wrote to memory of 4784	4680	Kkbkamnl.exe	80
PID 4680 wrote to memory of 4784	4680	Kkbkamnl.exe	80
PID 4680 wrote to memory of 4784	4680	Kkbkamnl.exe	80
PID 4784 wrote to memory of 2004	4784	Lmqgnhmp.exe	79
PID 4784 wrote to memory of 2004	4784	Lmqgnhmp.exe	79
PID 4784 wrote to memory of 2004	4784	Lmqgnhmp.exe	79
PID 2004 wrote to memory of 4032	2004	Lalcng32.exe	78
PID 2004 wrote to memory of 4032	2004	Lalcng32.exe	78
PID 2004 wrote to memory of 4032	2004	Lalcng32.exe	78
PID 4032 wrote to memory of 5008	4032	Ldkojb32.exe	77
PID 4032 wrote to memory of 5008	4032	Ldkojb32.exe	77
PID 4032 wrote to memory of 5008	4032	Ldkojb32.exe	77
PID 5008 wrote to memory of 1900	5008	Lgikfn32.exe	76
PID 5008 wrote to memory of 1900	5008	Lgikfn32.exe	76
PID 5008 wrote to memory of 1900	5008	Lgikfn32.exe	76
PID 1900 wrote to memory of 1848	1900	Liggbi32.exe	161
PID 1900 wrote to memory of 1848	1900	Liggbi32.exe	161
PID 1900 wrote to memory of 1848	1900	Liggbi32.exe	161
PID 1848 wrote to memory of 4860	1848	sihclient.exe	74
PID 1848 wrote to memory of 4860	1848	sihclient.exe	74
PID 1848 wrote to memory of 4860	1848	sihclient.exe	74
PID 4860 wrote to memory of 3484	4860	Lpappc32.exe	71
PID 4860 wrote to memory of 3484	4860	Lpappc32.exe	71
PID 4860 wrote to memory of 3484	4860	Lpappc32.exe	71
PID 3484 wrote to memory of 3304	3484	Lcpllo32.exe	70
PID 3484 wrote to memory of 3304	3484	Lcpllo32.exe	70
PID 3484 wrote to memory of 3304	3484	Lcpllo32.exe	70
PID 3304 wrote to memory of 4828	3304	Lgkhlnbn.exe	69
PID 3304 wrote to memory of 4828	3304	Lgkhlnbn.exe	69
PID 3304 wrote to memory of 4828	3304	Lgkhlnbn.exe	69
PID 4828 wrote to memory of 2308	4828	Lijdhiaa.exe	68
PID 4828 wrote to memory of 2308	4828	Lijdhiaa.exe	68
PID 4828 wrote to memory of 2308	4828	Lijdhiaa.exe	68
PID 2308 wrote to memory of 3852	2308	Lnepih32.exe	66
PID 2308 wrote to memory of 3852	2308	Lnepih32.exe	66
PID 2308 wrote to memory of 3852	2308	Lnepih32.exe	66
PID 3852 wrote to memory of 816	3852	Lpcmec32.exe	63
PID 3852 wrote to memory of 816	3852	Lpcmec32.exe	63
PID 3852 wrote to memory of 816	3852	Lpcmec32.exe	63
PID 816 wrote to memory of 1060	816	Lcbiao32.exe	62
PID 816 wrote to memory of 1060	816	Lcbiao32.exe	62
PID 816 wrote to memory of 1060	816	Lcbiao32.exe	62
PID 1060 wrote to memory of 3364	1060	Lkiqbl32.exe	61
PID 1060 wrote to memory of 3364	1060	Lkiqbl32.exe	61
PID 1060 wrote to memory of 3364	1060	Lkiqbl32.exe	61
PID 3364 wrote to memory of 4952	3364	Lilanioo.exe	16
PID 3364 wrote to memory of 4952	3364	Lilanioo.exe	16
PID 3364 wrote to memory of 4952	3364	Lilanioo.exe	16
PID 4952 wrote to memory of 3056	4952	Laciofpa.exe	60
PID 4952 wrote to memory of 3056	4952	Laciofpa.exe	60
PID 4952 wrote to memory of 3056	4952	Laciofpa.exe	60
PID 3056 wrote to memory of 1872	3056	Lpfijcfl.exe	59
PID 3056 wrote to memory of 1872	3056	Lpfijcfl.exe	59
PID 3056 wrote to memory of 1872	3056	Lpfijcfl.exe	59
PID 1872 wrote to memory of 1408	1872	Lcdegnep.exe	58
PID 1872 wrote to memory of 1408	1872	Lcdegnep.exe	58
PID 1872 wrote to memory of 1408	1872	Lcdegnep.exe	58
PID 1408 wrote to memory of 4980	1408	Lklnhlfb.exe	57
PID 1408 wrote to memory of 4980	1408	Lklnhlfb.exe	57
PID 1408 wrote to memory of 4980	1408	Lklnhlfb.exe	57
PID 4980 wrote to memory of 1860	4980	Lcgblncm.exe	56

C:\Users\Admin\AppData\Local\Temp\ae04b85157bc8bdea5e356244b8f6d85.exe
"C:\Users\Admin\AppData\Local\Temp\ae04b85157bc8bdea5e356244b8f6d85.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Windows\SysWOW64\Kkbkamnl.exe
  C:\Windows\system32\Kkbkamnl.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4680

C:\Windows\SysWOW64\Laciofpa.exe
C:\Windows\system32\Laciofpa.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Windows\SysWOW64\Lpfijcfl.exe
  C:\Windows\system32\Lpfijcfl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3056

C:\Windows\SysWOW64\Mnocof32.exe
C:\Windows\system32\Mnocof32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5112
- C:\Windows\SysWOW64\Mpmokb32.exe
  C:\Windows\system32\Mpmokb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:4148

C:\Windows\SysWOW64\Mpaifalo.exe
C:\Windows\system32\Mpaifalo.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3796
- C:\Windows\SysWOW64\Mcpebmkb.exe
  C:\Windows\system32\Mcpebmkb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  PID:2644

C:\Windows\SysWOW64\Mcbahlip.exe
C:\Windows\system32\Mcbahlip.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4056
- C:\Windows\SysWOW64\Nkjjij32.exe
  C:\Windows\system32\Nkjjij32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:3212

C:\Windows\SysWOW64\Nqfbaq32.exe
C:\Windows\system32\Nqfbaq32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3312
- C:\Windows\SysWOW64\Ndbnboqb.exe
  C:\Windows\system32\Ndbnboqb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:4772

C:\Windows\SysWOW64\Ngpjnkpf.exe
C:\Windows\system32\Ngpjnkpf.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1648
- C:\Windows\SysWOW64\Nklfoi32.exe
  C:\Windows\system32\Nklfoi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  PID:3776
- - C:\Windows\SysWOW64\Nafokcol.exe
    C:\Windows\system32\Nafokcol.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID:736
  - - C:\Windows\SysWOW64\Nddkgonp.exe
      C:\Windows\system32\Nddkgonp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      PID:3276

C:\Windows\SysWOW64\Ngcgcjnc.exe
C:\Windows\system32\Ngcgcjnc.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1992
- C:\Windows\SysWOW64\Nkncdifl.exe
  C:\Windows\system32\Nkncdifl.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:4268

C:\Windows\SysWOW64\Nnmopdep.exe
C:\Windows\system32\Nnmopdep.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5096
- C:\Windows\SysWOW64\Nbhkac32.exe
  C:\Windows\system32\Nbhkac32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:3080

C:\Windows\SysWOW64\Ndghmo32.exe
C:\Windows\system32\Ndghmo32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4340
- C:\Windows\SysWOW64\Nkqpjidj.exe
  C:\Windows\system32\Nkqpjidj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:2160
- - C:\Windows\SysWOW64\Nnolfdcn.exe
    C:\Windows\system32\Nnolfdcn.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID:4528

C:\Windows\SysWOW64\Nbkhfc32.exe
C:\Windows\system32\Nbkhfc32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3360
- C:\Windows\SysWOW64\Ndidbn32.exe
  C:\Windows\system32\Ndidbn32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2604

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3588
- C:\Windows\SysWOW64\Nkcmohbg.exe
  C:\Windows\system32\Nkcmohbg.exe
  2⤵
  - Executes dropped EXE
  PID:4732
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 412
    3⤵
    - Program crash
    PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4732 -ip 4732
1⤵
PID:5024

C:\Windows\SysWOW64\Nnhfee32.exe
C:\Windows\system32\Nnhfee32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4484

C:\Windows\SysWOW64\Mpdelajl.exe
C:\Windows\system32\Mpdelajl.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2688

C:\Windows\SysWOW64\Maaepd32.exe
C:\Windows\system32\Maaepd32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:460

C:\Windows\SysWOW64\Mglack32.exe
C:\Windows\system32\Mglack32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4088

C:\Windows\SysWOW64\Mncmjfmk.exe
C:\Windows\system32\Mncmjfmk.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1092

C:\Windows\SysWOW64\Mgidml32.exe
C:\Windows\system32\Mgidml32.exe
1⤵
PID:4556

C:\Windows\SysWOW64\Mcnhmm32.exe
C:\Windows\system32\Mcnhmm32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4500

C:\Windows\SysWOW64\Mpolqa32.exe
C:\Windows\system32\Mpolqa32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4272

C:\Windows\SysWOW64\Mkbchk32.exe
C:\Windows\system32\Mkbchk32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2748

C:\Windows\SysWOW64\Mcklgm32.exe
C:\Windows\system32\Mcklgm32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3496

C:\Windows\SysWOW64\Mkpgck32.exe
C:\Windows\system32\Mkpgck32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4704

C:\Windows\SysWOW64\Mciobn32.exe
C:\Windows\system32\Mciobn32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1996

C:\Windows\SysWOW64\Mahbje32.exe
C:\Windows\system32\Mahbje32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:384

C:\Windows\SysWOW64\Mjqjih32.exe
C:\Windows\system32\Mjqjih32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1860

C:\Windows\SysWOW64\Lcgblncm.exe
C:\Windows\system32\Lcgblncm.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4980

C:\Windows\SysWOW64\Lklnhlfb.exe
C:\Windows\system32\Lklnhlfb.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\SysWOW64\Lcdegnep.exe
C:\Windows\system32\Lcdegnep.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\SysWOW64\Lilanioo.exe
C:\Windows\system32\Lilanioo.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3364

C:\Windows\SysWOW64\Lkiqbl32.exe
C:\Windows\system32\Lkiqbl32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\SysWOW64\Lcbiao32.exe
C:\Windows\system32\Lcbiao32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\SysWOW64\Lpcmec32.exe
C:\Windows\system32\Lpcmec32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3852

C:\Windows\SysWOW64\Lnepih32.exe
C:\Windows\system32\Lnepih32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2308

C:\Windows\SysWOW64\Lijdhiaa.exe
C:\Windows\system32\Lijdhiaa.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4828

C:\Windows\SysWOW64\Lgkhlnbn.exe
C:\Windows\system32\Lgkhlnbn.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3304

C:\Windows\SysWOW64\Lcpllo32.exe
C:\Windows\system32\Lcpllo32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3484

C:\Windows\SysWOW64\Lpappc32.exe
C:\Windows\system32\Lpappc32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\SysWOW64\Lmccchkn.exe
C:\Windows\system32\Lmccchkn.exe
1⤵
PID:1848

C:\Windows\SysWOW64\Liggbi32.exe
C:\Windows\system32\Liggbi32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\SysWOW64\Lgikfn32.exe
C:\Windows\system32\Lgikfn32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5008

C:\Windows\SysWOW64\Ldkojb32.exe
C:\Windows\system32\Ldkojb32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4032

C:\Windows\SysWOW64\Lalcng32.exe
C:\Windows\system32\Lalcng32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\Lmqgnhmp.exe
C:\Windows\system32\Lmqgnhmp.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4784

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4556

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv BOpvJ0BTB0SgLgCUu5d1ig.0.2
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dnkdikig.dll

Filesize
7KB

MD5
755baaa7d78a15275cf95051e5689477

SHA1
1f71199d7fbdd12dd4b40ada6a84c2920890e603

SHA256
347d5b5cd795fcbf36fb103e204db46b624a44cc4e5026a3952723ffa07b3df0

SHA512
86903a3063892a2ebe69f1f39f968400dce54a3364c57d2161cb3b84e688721b9d493b20c5710545280f555d191a6a3587dd929305b21553357298369264ae11

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
105KB

MD5
9bc180c28629050002a2ebc11bed10f9

SHA1
a4f177ee16ac31006fd889e98971ec7b754e378d

SHA256
89f7996bcf9597b0d12888e01725a779dce45173611bce7249bd9dd29a059d55

SHA512
2ccc21d27b57ab13b62b7a386bfc21e36b4ba1f4a4e47bff311f60104e2cceee38fb0c04d6537dde15ad0922cec5f45ca5f814a81b5de83e454e89e4f1a2cd6d

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
77KB

MD5
13c0e2f514145d2cb3a15a4c01abaa4d

SHA1
fbfd339453a4df228cbfa1c68a6ec5a99d5e9c21

SHA256
efd16160d93a426102db38beac79d12fe0703f190b3c6282311770cacb958a48

SHA512
1bb683364ce9e9a3e5803f8e8d9407556d706e4569064b6f8e7f85215d0adeff0fc02915dbbf1d131ee5240c503e3be8e60f2ab12e194d9335e3fa44a9cd3301

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
98KB

MD5
dc00429ff4d4b09fa8ef51f069241814

SHA1
defa3bd6b567e08019de4f7dea7acc1678bab8fe

SHA256
379ba73a4ebdde523d4088f9d309d51d508d5fef775b1be208da782d8ed2a820

SHA512
2ed535fb568f9ee785a49ef55262b7ba0b38d7da75cfa0ab13b722a5dc16976d32c1b6edf5e63179f94c63f9538a23d4ef865c1f4c2d7245cdd01c471d1edf0c

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
91KB

MD5
43a5b91aeba1cc9da5dc4fc83d84d620

SHA1
bc1e7b89f22b6c5afe48cb4aa966d0fda2550a00

SHA256
6c4479c7be957533455ef0ab15899a83e44d236599227bb949d3b007a8c65e8b

SHA512
7ee28f10222641a54d85f6b9dd8c93e229aed570dd1614e89801bda7091a8a1e7b479c1f71677276929c5bec15b105fda7f001f049d295a05ba14f27c2a0215f

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
39KB

MD5
29fb8090df8193abb08d3d4601ae2ab7

SHA1
82b85a8d89942be493762cd67cc3f94c0ca413a2

SHA256
71a10b876dba7235efb129bbec157882accec40116821a0938fa50bdf1aed936

SHA512
540a0764f8f26c02d4914839cdc41d2a4fbfbb6612d37df1826c4cbffb2aad759b0e154ed5159a08574ffef53063492cce0546bed15b0f134b530300f6555182

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
62KB

MD5
47ff8a36568df4bfb386800462f49d9d

SHA1
42b40b40664be2ecc305a1de00029dcab4c2ebe0

SHA256
05639573f001e2c8bca0eea97a292c3124dd4611d592ffde43b61f1f1f2081d1

SHA512
ac2baff5d6f177264a74610edc77bb7369312bde0da53fedb0cee987e84efa3337ffaa6a354c03a5fd8b3db241ff98ca4a688ea039fbb2ce65c003fb2ad3a309

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
31KB

MD5
46286c3f7623968ea3768da352f2f81b

SHA1
20a5df24c3b550c1fc69e562f9ba7ad77ab6497e

SHA256
9a3d66da274d3ed7a18b3c033245d8373a9c454ec7faacfb10d60e4fd5797732

SHA512
90435992bc14bc052732eab3b2cbe468dd012f2af331e985223675fab4d4fb54090347b62211317f429461852aef81c29c2604590e1e476ad47f4890be39105a

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
94KB

MD5
ab875d6ac21c07b7530b35261716f87c

SHA1
510d5c54683b2fff04c733f18f782be8354e2923

SHA256
fbddff11531935268b32406791c44727d45eb6d42e9d0a31ea6e2b88016b536f

SHA512
b06fea5f7dfe07c495120de6a0c2e0d7994628e04efa29cbd27637219659074412be2eb24af22945e11bd4e8b4e984683610770a0a5c84e09987152760479ddc

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
57KB

MD5
643f6b2c12097f5539473d84151a9622

SHA1
5e8a62ccc9f13040d6ce3afdede96f49f8a1a542

SHA256
e6abc8be4c4b5695fed3ee52c13c6519001dc64a0b741cc8a2b56b15dd31e3b3

SHA512
ae2ceef4f7a79b0af9fcf885484512543fda169c1b581b6e4eef344f5834d73a73ad0d1c64271d563260f2319cc66d6a24ecec0ace30661d084868a7b096f65a

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
35KB

MD5
49370779abd75bc6c267b45c84a18e5c

SHA1
208896fe33c12ff4243c374f1e92d0edd7c2c04b

SHA256
2eae193b303e7576135d64d7c4fb625ed65dd0e6eacfb227626c88037b7c7c76

SHA512
c24ab034c6c756f9e2a9c2fc6afd1904eb0268bb0105c17681e4a9cc764338d97ce8a4b4dc27aa022022c86e23fca8cf013973a379bff83d2c09bdbed94e7652

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
7KB

MD5
7a013eedb6f7485d268f7f38961d680a

SHA1
cd40eb55bf2472748ab1d18d0fd04a82bd301224

SHA256
e7bc8232a357cb398fac0e7b228301b736ed04527b17e7c57941bc0e9f617cb1

SHA512
a4bb0f73c8ea7ae44eaf6fd36a6d088ad95a4b3a6419821a43777c2e7c92a16d8cf4d5162caff3a76ca28dfd744d558c67bca806441336980f5967bbd2fe862f

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
71KB

MD5
8fc5e9ac0c6be6c5072c2748970675a1

SHA1
6e2bfe3d29ec98cc32c29218d1550908399b16e2

SHA256
735e36c5aa7d3df308553e499f61b319e871b05b412354d3c6bfaf7d1206672f

SHA512
26afc0b3fd0d563ff2272b2e92f69b1cb3537c62d13f466e606da8654d11b03ca92c78482f48cdf39751681b0bef6b85059a6bd09c0be97d1948f3ee888ef36b

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
76KB

MD5
8704987c704818897ab9f699e88cd250

SHA1
29ef7d2b4b83299c345cb994633c00c7bdbded95

SHA256
62e849ee98a7ddc88deed7cb616dd98c5dd9dd1452cc07ac3bafc6c316f90ab3

SHA512
e31f64eeed986195fb351221c51a088bb8d83a1507a1a99e9524c6592e2b2c9f3a10ab73fcf9fed78dec703a3f443c3ae73460e1c598a387b45b02f3e2dd8994

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
58KB

MD5
18eda75ad76ead64942c793ecccdc0df

SHA1
81e0de257212e060420bc4a8bf0d5ec193259be7

SHA256
b827f32bd1bf21db62a5a3fd11315d7e4d92982f0c5206d94e4a93f4efd815c4

SHA512
75ca49b8301d05f5ecd73c9a35d6758fd4b61b2a4395d52da79a8fea8fa33ea3b0bce444efba5b75b933d75cf09cd844ec37f8171929753088cccf2b9cf9c8b1

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
78KB

MD5
db71687cca864a92cebfe55d3be8afdd

SHA1
1942bf99fc50b7c3658bfa7bdc0a2f388d3f9cd9

SHA256
5da9992f22e7e415ecb93de5f5a1286e4c560cdbcf193d0e80493771b81481fc

SHA512
29b1b89deb7414c5355d06d2ecc4ab13af65f7fa3485bc33ed606919f9783a2176a38900324410ab9786c99a9910e3b7c8971141b9ca526d87e1c2fd96f246d7

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
85KB

MD5
f4183e2c88f976af7bbbd4cdfcf4e17b

SHA1
6f92a0514ff89d4609558e6ae19b298d88749dd0

SHA256
503b0123c81c8e49af6582d2417ec70cb6486d715898f2df39868fc7f8be3648

SHA512
ad29abe4ca12ad5a80e6fe2fb012589f5ea133b84ce1984798a63490839eb23ccbfdae1b45b7094077089e29d7e7d8e8d67a16d0a9091b13e9fa13d13b612d76

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
33KB

MD5
168f31284cd7af017a13d7f09062e1b7

SHA1
d8a1e5ddd6ebe7c09b161bd8ec0d1adff5f83be3

SHA256
deb2d16d879fadc330999511089368fced1b15cdfc9979dd74a5777accfe1489

SHA512
15e2c79ed490ced405afe6c7ea38ea698d4a8fd9cf73dbe650ba7914f3213a34b766441d6db32448eafb8eadbe17a77594ac6afda37f09324aa9ba96ca545767

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
109KB

MD5
8be27a59af872cabc2c833666669d181

SHA1
a9471186f62730fb4dea5914401412c92d4ef5f2

SHA256
ea91be6b529e8fa64012dfcda95a6edee73de6bdf1391cc4426d9b06525b8df7

SHA512
c1a0374a5e9a7e7c93850d9092cdba6ad57ae43aca0571032f2e1bc1f892d0a333cba8ee8aa4d873c1a67ba2128c8b8bc4e2fd068cd390316288a3072e64f729

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
100KB

MD5
5dc5f4f268f7964220a6a01d7a0ea4b7

SHA1
988569546c111781ecddd095d7e895e31ba8181a

SHA256
22f482afde81cfd30235177a08d4284e23582aacf3444660f04303d24dd6d9cd

SHA512
613bf43c113f7b409b7a541c12447fd25085fa447e02827e86486c3fff9180c721843c3c9900759d43ce3df54359687ca2d382be7ffc838758091704afab1570

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
79KB

MD5
069221ee3cc06a593af84ec5206ee7c3

SHA1
ea9fbca8b103ce9b82bd586869248e70d49e3771

SHA256
4b5c81a8309abafc94e446ad8760aea50ba5f0f9abff0a92a51d82a03c747d16

SHA512
039656603a1812213b1b345a883549840edeac3c146e06f006b7af3ccdca7b2ac1dbf361e388b6b667e9fc423d71a38c2b84d82cca2b67f567a9d38889583bf9

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
55KB

MD5
7e596d5268b864edbb7d00e4f871d50f

SHA1
02e3cd32621ce5bb8df19078d09f06e9b6369d52

SHA256
9c2f835b523af0608f702a0cc566737845706405ac44661ee9c4a6c385f81a93

SHA512
4dc53a25933593472cbf7940959b5014812de5314ed98fba09ff1672d2caffe13b7661525557a5f6e57d6f601575f27e1437368fb7d82ccebb570f4bff4bb3fd

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
19KB

MD5
19dda2128e9884eca80fec96d0fc0c12

SHA1
2e30bb8282c880c7f8152432b3a238a3f2172bc8

SHA256
c2c87af7c238f712fd63a9acb2ce9abda37eda0392f849d6a91fbfd07c5c7919

SHA512
0b40920ab47a8e3594eec86e67b75e5d805fc15563e14eab27ac9387a0acd4a136e47f3f58518747d03514ec11a97454cb69906a110f2f697744e614d1e02f7c

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
70KB

MD5
568431d9bdf5ca4fc8dd2e74d56e7a5b

SHA1
432dac9be40ebef70e8410f8620eb77882a9ed2f

SHA256
a5986ab2f929bd00802e772f3f1abc05756e2528b7fe95b930a12397b55dbf20

SHA512
c7167399096a39835346d6317929102c8d9dc70c9cfb9503ff568dc0b373ccdc3c8970d385ab872d7f5e270edbf1344ab5b47113cee2d34aa128383c87e27dea

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
62KB

MD5
61232a24737a286f1d54e9f365e4edd8

SHA1
8ae088d0f0d321d274ba27d954e082bb3e47e604

SHA256
e0df57b2aa69d7fef5a809d7b2ff063e46843e6b5b7d9e5a25f6729ee9ecc952

SHA512
d261de6c41c955e9a28a28ef0c16d7626c6899cf4e165dbfdc0aee458a56ea8e7cbeb57e61c55b729e36020a2c37d33c932382ff10f3040448e27f0d5344770f

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
82KB

MD5
4ac2b19413deac33a38802a2b2493a1f

SHA1
63f16edd2dd528af2274f51c562dbf2f247efd09

SHA256
29d521143eca9133124be196f2324e158d2b84568164e3089caa11710bd69eeb

SHA512
a196b7bf3b9e0a1d7bb3d1aefd65aad6bf4b89587939d84f3cb923b729841214486af2607ac5274d693e4d3d19159757fac08ac10857fa832efc8eda0fce84f9

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
41KB

MD5
660bfab227f71461cd5c5527c9fe61b1

SHA1
1ec7c1128ba36c876711c48773b9a9afcd215de8

SHA256
46f28a0f64ac5cb94ce361d3364bb1210a7e588b7d302bd32a54038b6e254bdf

SHA512
44ce36d826995dc59d067bde8d2b21cd26564ab2a7cfafdb7c1ea2426083cc4d6ccdf8b59bab045711a36566063a45c2b24a92d3859c63aa3eaa17317dab9bb8

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
53KB

MD5
4cc624c71addfd7410185b9438f9ebae

SHA1
a70639fe002e461e6b9637ee02dd88015c6e26cd

SHA256
2ed24658e95e0b09662619a3fb7bc1f55f49bc6bc497097c083a731887cdd69a

SHA512
dfff7d2db98336bd2d370dcfdc8e2ff1f7853c31d0f4ad668fb5fe661cbfe87dd779e113164c3cf9c30d865e4656ee2eec9494921e3b08b604bfcbd30cc394d8

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
73KB

MD5
74716391a08ff44711e81e4734232d51

SHA1
1da6b0af327179479515b9cce9a57d3041a6241f

SHA256
1e392eb9bc29b3ed03d4f56cb414005bfb4bebd81cccf7362337ebfc9535f477

SHA512
31b57ce484aaf12cd9b853b41b8b3435b918ee42f1666263b4b0e2e660a6f07b2f399c9ee8637f21f51ea2ddd1e8319e3a43cd6bd4e15012fbdaca6fcf051d87

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
96KB

MD5
9a93ea739ed1dd3cbe479af1e77a20fd

SHA1
82e39dc0fd9da775a6d692b4b11dd46d29a93e3c

SHA256
a04e12691c38ec9fa7d7e99a3b14c31c8f0309ea4a5cfdbac20c39bc9b7ad601

SHA512
58768329be9720fd05c57c14a5eddf70ac7c2372b3ed5caf2f9dde5e50918f79487b8e010e5115cb5becffd2e03c9f725d2d9103f759322818af6a97f323b036

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
83KB

MD5
7ae5d62dcfc36683e89d0ef0e4eb78b2

SHA1
919533b1604e808c2ed4cc1bb6e5426ccd61e25e

SHA256
35d4193e544cd6d7f40c2131c77032b6df4c16dda585afa8308c282039112e89

SHA512
0df08515a126244b22452d5d91643777f26db456019d27b4f85f735609aa13f9d2b5792279ca6e559a06a2ddd626156813dce60710e2f02c29c10db07c7a40a9

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
1KB

MD5
b544a38f48b75619dc594cb3a3ae9c4c

SHA1
665f9e869e7170284d291ab8a2c3161e98313098

SHA256
148cb411f4c5771f751d413c3fb03998c0c1393d4dd2cb26e7f5e90152d39412

SHA512
011573dc3fee0e6ab27d3dedcb6a1e6453504efa47342d31bc54e38f3c0619e0b0d6b0e84ac6cafde4a2381247bff3ae7c8b1062ad218a965da4a7764cd190c0

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
109KB

MD5
bfb24341d2a814f948d063bbeaefa250

SHA1
1ad54cd617fa17ac3af504e7ec637e789b5a04e9

SHA256
21fd110df04ff27eba1a68184e6ae28154c8e4975c56c22e9fc7ac0fd1bfd83d

SHA512
22d1a567f3a627179170149d515be0e3f1ef85663b9bcfe4a8a96498f40ad82e700a0fb1236de49b2f9a9c91b5ead9d5f9593e3fb2346f414d8eab88c28b6ca9

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
40KB

MD5
ee7e25fdda2f9d4ee80d4968a372caba

SHA1
8326dc88ae6945cc0f79c72bfe5d10395c5bf1cd

SHA256
83f3d881941a9ae1dbcacd0f20e60a1f4983ea3a47cffc79e9f5082a0920258f

SHA512
ce36fe37788df6a59af5b5db3e74347890344019d82399f8b355a3c8ad2803cef33c400131d214976e0b1efa11fc97379968979a63d911cd8a54078491226bb2

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
77KB

MD5
37ef8db458d03f3147b9c8387ebb3548

SHA1
866342bdedfdd644dad312309652c6c2759c166c

SHA256
a26dc2f23327c1a9fed00b8f0042ddb3653180a2025d05b546d0512b9940b562

SHA512
c790e02c7d6e6e407d7bccdfb31d1bdefb439264e937963d949b79431fbebeb3cfbdead37251bbf1e0da2612648b32608c1e95f01ff785d69016606d7d45a452

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
102KB

MD5
82af20a16f3bc039da0e78653593359c

SHA1
e0e02c927bf7228744157f372f2d3b72004a04ce

SHA256
2a59170088b5a338e6ff038ff9973452e03a781db7992de9b97efc8d4b4804e3

SHA512
1aa4a6cac6be5ad86d1197a63a49e2dbbd6f0abf8a944a96c368cefae773f51d28e7c6c656f4fa7e3c387b320fad7e39fdaa2cb4dda6bd52b08a06addbe31ff0

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
80KB

MD5
61f56851277620bf163619f83818a52b

SHA1
6549a023fea2c6c606308abe54c77867195f6eec

SHA256
5b198cb98a3c138769a01028635b1e8760157f425e1af089c14427f7192032c3

SHA512
d22e767c3938fca64ceb19993fa2f4e6a9d2e0372cb1d893e32aa43acde5ccf973e7893cb0516f5e774ce925ba893c707019df51f968f62467ca23141f9db433

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
29KB

MD5
d1696a139cadaa360b864004710c53bd

SHA1
452003facd287ba839f0d06bada0e72e52ac4175

SHA256
cf88c9e816139d8ca8553921e890f1cc50ebf49d9f9aade7e3a5adfdea0d9f74

SHA512
431371412ddaa3c5580660fb1b45af18d04f64a7cee750e408b6f8ad6e2a65ac784fcbfb0242a7c57c0ee670d148acd3b4be6d25a3e8cce040c64ace919b0a91

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
36KB

MD5
28f257990d8c485a6b448c53d36da02e

SHA1
5322b0c9dd328688edd4bc8bcefe3c15f7d10350

SHA256
40de38563968de61a558fdc67e16e0368e79a01009211fa225fb9548972fda65

SHA512
9bd11924a9329d59b9f900d0c766fb0cc39332cf71ef115ba7898629a13e2c92c99b774f974d70114d1f62686f7ad239fce4e5eae2f3e44a793419f3836e39af

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
65KB

MD5
db572603b09b115cb049a81aa0359b7c

SHA1
d9cc0593c3386f072c24f69b1a9dd3b3de171223

SHA256
087c47b46612d11de2bee00c10ff6518c23290c11bab280b4e5a8368c0d094ce

SHA512
0b38006d56562074ac349c6c66cafe79434a8982a7266839aaac098d6cadd1a9f4d1fce24826f0752735b7c8ca0c78cb03ebf1deb42668bb0cf6333bf20fe096

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
63KB

MD5
ee5744010b62976514ecd0a9dc0a7d04

SHA1
793b914140bcdc883784996fb029ffe610919355

SHA256
5865b0c9d3ef5c9f36b7807c9fa544394c0d1225d121fbff2f8747d95bb98ce4

SHA512
349fc6a64cf72735badc98fbfe4a8b0d5ab7e4ee1bde8960cc9e199d4d3f7e4f1c211040bb1165b6ce9440f21c0ff50332cc23b62a172d50803c0789bd7c0f89

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
34KB

MD5
30d96369527eaae36532339b5b5993d9

SHA1
bbc6aa72bb414113cd8473c3569d319804f7120f

SHA256
82f14a5d7e6214b6a85dd70da12112e5aa085290ae453650ea3d4ba8e7aafbfb

SHA512
339a26017c4206746436a5a49bf467dc3e1ee6e04187a5e91ff61683845fdf481c5684d5d6335a03ece0c3e1b2fc6f82fa52a382cceaa74febf62660662ee70e

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
67KB

MD5
247e9a9176b778cde31fa5c605f18d20

SHA1
6520c8f22648ecd603ab45ad836e0be0da69b31f

SHA256
02da73b21ee2d9ede5fdbb9ea1477e2c6546b9cc44b056eefce7bf5949dfd821

SHA512
a620b526ea9b0d11db6b27085366cf20a5f9143834936db387832fa3bdc3de8ccdee60f12fdba8e4e27312a8be8b2389de2a37d460d847b1f650ab4131ecf41c

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
34KB

MD5
43c090f1edda54b6b4723ef75b20e30f

SHA1
d4863c36d684c77dbcc2da73990d1b87c4c8437a

SHA256
a3eb78ebb8768f311813dd1235f20c215248793edf2ef80ecc926feacff6d025

SHA512
8fb5603fcd8fdcb93d7e41af85496559a7384bbcd6fa633d4d66c059831306d9d0dfff2319f219b0894d6ab8ab7cfdcfeff38b7bf7e480ff41cdc017b51cc170

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
9KB

MD5
95d2d36bf7ad6da3f42a4c2fa89585b7

SHA1
d8a4cddad386e02ef4482c829eb61d75df88eddd

SHA256
d5af05fc75abf4aa3970ab6ac907dae56921785ca19deb14a2c5695797e23dd9

SHA512
64d043435a2e737ef0671c6187a624b6857ccb3c87397d7b1c02591dd3157320381e3fb4c0b8c49b4ca7a46be9949a870027df93bdb4bc6c9a8ff1f638e3c02c

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
109KB

MD5
bc85e7c5f91a112c112aac7790516c0f

SHA1
fb64b3d35bebd0eb5bd36d7b32da3633b356c6cb

SHA256
660b16e29a2a5b52cd382f2112d0a74e2c59298aa283ae2a48f33957c68bcfe6

SHA512
db5eb392505f9c2382a793c82383c1e1d99c76e01916aa27594620bdd37f11d0271eef2dbe9a5365b0846bb3ec8cc353ae5d3103936a4a867f49c5e57a6438f4

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
109KB

MD5
9a857768b92a553dbe62d5edb50451c6

SHA1
d5f6d14340b775978a81182a1181cd92d58788a8

SHA256
5cd0eca25fe92c641fce6a9e24f917ef240359cabd86b39945c5b0208f0eb001

SHA512
eb5c73ca68b2866c6632517de8e1477e73870355936022ef9c515795ff59b5c444b861ecf9dffe433c1429f237c0d691bd05331d11c0c13a065ec17b6fc1c723

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
109KB

MD5
d4ccc6991f9843459262f243ea300904

SHA1
411d6c171ad468948b89cf69207bbd43a2781502

SHA256
b62927df88d859042ea440b6f00bbfae555f7e7ee8545aa1246060bb8b516f61

SHA512
7824115b10985edc90e07649faa5b267c06c750d1e025dc143f2af51993cd3f2e736c1e6bd8b2b32b60ec0b72246c26d30c7235c4507112bc82968c971bd9bdf

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
5KB

MD5
4a53015c4ee8ab400a353cf3a76fb7db

SHA1
1d2ca73bce528ba25c2c18de04c91a8cb10338f3

SHA256
4322c6353d98e2647dab4289e3ec6667711f347b1d8df888df7e56e46db0536e

SHA512
e615dbf6378c2c43ac29044fe9d9d82ed42e91eb30b17248fb4e897106d66062014e2569c4b04e167b8f9f7fef63d9580f19a8438e129ea08c5d9ace5a86bd4c

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
41KB

MD5
475c5ff847de67207767d21d4e15189e

SHA1
a3f17603b189ab32cec1d1e758772a879c5ae87b

SHA256
ae05f046a26a897b47ef88d08017e80738b107071069fb945849418a347e3bb5

SHA512
4085b856038c2e3a9eac47a7aaaf891fabb8c201f88824fb500a1556406c76bec17c1bdd10384f25046964a3e1bfb9545b47faf1548f0d4ef05f5fefe0b8f5e8

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
109KB

MD5
416fae34a80cd4cc2333ea4efaa29ea0

SHA1
cccdbcdcc90e614023fda7b786400452103a447c

SHA256
1ef0331f3809d810fa0d6a68855c32d0f6a10587307ee84c1cfc6e201660a9d9

SHA512
b579782e1936a556ac0aac05dfb1382454a13b4473e5a1c4fb7c7ca60fe19e51bd8503a94b4603215e7aeb25fc39b6b4095386ee70c620e01300fabb32a4c8bc

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
39KB

MD5
2a5196f8e104f40ea2a013b6d350e8da

SHA1
33fb2c706a009c47fcc0c06e808cc59e07262d7d

SHA256
9ac91c35836892794c017a9d64a3215eb5613a0afa179497007795d8e11bd942

SHA512
c142d64f07958835e200672247d45fc12f5bd8eedd6c8dd280686bce11e5a2fcf23b09c781d717a7ed4824fe4b21ba8343d4e19cb9407474be2adceef9965c2c

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
42KB

MD5
e409396e910496b89ad54f43ee7f7c2e

SHA1
667e7042778f422a2ac14e01e6474c4c0a05992a

SHA256
c93d6564422dd1db5d59559e58608ea04377e7af11d15b768001b29ed22e4477

SHA512
92ff7b60c6e89fe803dd20c78fbe49f6fd750f851e3fa2d488bb0969064526057afd246059d6d7cbdb7b1e3449589be219fa7dbb58f4b366b3f577675c27e36e

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
82KB

MD5
c67335efe346d7b0bbce9db5dd1d2c88

SHA1
02950f2e5c6a47205df38e7e1e0cc88e51818b66

SHA256
bc2f04cf9f08ef9288f00168c696c4a82aff7d1ee65e4d8c5b91620f05e76585

SHA512
613deaf4ffb3d4bb1a942f6015451a36979eed780b8e80011ef6c91d76a0b2216a279f86d2712d1ada65db4057c38d6b5994dc59037eeb80dc670da5078043ee

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
85KB

MD5
ad13ca2815e859afb2212f6d29adfaf2

SHA1
1b79d548dce382e8a2a256f0f7923ff7e4fdfa31

SHA256
2af86c756a058d046ffbf75b2f8b5443f7bfe33c355d88e487d5bc81b690661d

SHA512
eac975a78aab8746619ebe4ffb095e8fa671afd982fe94b38e0671f2401370002286295a8dfeeb7d416e7355b644f20cdb4b58e3c0f5779616d71059df869031

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
26KB

MD5
84955241db55f414e8483993c17a7607

SHA1
f1f2e9488d2e980bf7b39bcb1c6074809494ad74

SHA256
7e20fbb2e3f52b992b2d59000ca3580bfc558997efeaa46c7c9c475324affac3

SHA512
44960074237553bc87df817812513fe6c2f20238c27849d9ca72ccf0d5652f143ce39f60d4c4ac2c0285756b5e9e402f49536f60eed863d369154a8651ab1751

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
109KB

MD5
904d132ca34f9b7e5f3e22aa05750c26

SHA1
e8e252087fb181ace4b56ef271053b132a5c9c83

SHA256
5c36652a807551045210193a01369cfb73e4f85956a6745da5ba789d1a1eb206

SHA512
c4f1b7acf120e05f2129d596d4a4520f78e14311c5a07811d10e030a917f3cc1d280695b5808600a49737a0c954f004390f5d632f5e0f463663f1cd22ad91bd0

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
56KB

MD5
bc14bcb1c2d01d35bce757673ffe42bd

SHA1
db00e14c4eb882e7c6b3ea7ef75477bffab228f4

SHA256
5ea0afa73cca595444f38fa5cb924b7bb2d84a604df94adfa215770c94550b15

SHA512
9e6d05cac12505039daef1d90ea41dc8e5e0cb2aad4d9b621f54da621c8a2b511a49c1825eac2fa6bf9925b6d6ba2f941c57a65b86a272d2af34340fb03213b5

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
109KB

MD5
1aab1935ec10f898feb5d9fabff5148b

SHA1
8b71ed5ce30d4b55ef685f47c2cdb1d8ab7748c0

SHA256
8cd08021dd74c536ac2c329d923afa8eee1f02b43b4de1e325965065aeca3f95

SHA512
8f48e6b9c735cd183b30b3c198d6d2ddb7d2bc15235d1738c4855c628cb070c043ffdb1ba7cda42890c2751c49e7759d839cea405c84ee93cbebc1625086162f

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
109KB

MD5
a25f42c87d6b694582f348b3488178c6

SHA1
212e24facf57063d679c9101c5a49ec65f38ed99

SHA256
2675de838a0fd4dd4da39c93a111d005f059cb298548b1b3e5c88529f07a36c9

SHA512
3d8f3a3e57d92e4b7ebbddad7b1593675cae18bd9a54b81cb93b38137ef3047d3c30149cf2af108e247e13b0a7eb05f86d61d4049906117439ec6aa171b90e32

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
109KB

MD5
0c0ec805f9c9fef525353cadfe9b248b

SHA1
55f8e2a83362ff6cbe1fb8f98f8900c9bca9c8e8

SHA256
f049344b71f078a53eabdc925a1cc4a613de864cb2ef479ce5ea633f5264f62e

SHA512
bc0e34b511086a575b2265ab28c79f9608d2640adb45d3cd3292ea365ce41d26f2449ba60a2e74b93421dc15e9a4ae4aad0ceeab02490797003867ef1da47292

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
109KB

MD5
7e097d07d4c752cb2cd43f9d8a2be361

SHA1
2722665fd3f8b8d0793978c88be14384c59688f1

SHA256
f8d1ccff37678fada937a2abb527693e68669ea82ba4e9e3ca5f5c09c292e02f

SHA512
13e7912f4e5a563a4875add701b1eaa2e52edd6aa283c68779d5ad4585c4a155822bbc06b19d0f9976c69d8787be5e93143f32bd10abb52b5d360d6701703213

Download Submit
memory/384-198-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/460-309-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/816-121-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1060-126-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1060-210-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1092-279-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1092-342-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1408-254-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1408-169-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1848-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1848-142-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1860-272-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1860-185-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1872-165-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1900-48-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1900-134-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1996-289-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1996-202-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2004-107-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2004-24-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2308-103-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2644-297-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2688-311-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2748-317-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2748-246-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3056-237-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3056-152-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3212-324-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3304-85-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3312-340-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3332-80-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3332-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3364-219-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3364-135-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3484-76-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3496-242-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3796-291-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3852-193-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3852-108-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4032-32-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4032-116-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4056-318-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4088-299-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4148-233-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4272-259-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4484-330-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4500-268-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4556-277-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4680-88-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4680-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4704-292-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4704-211-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4784-19-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4784-98-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4828-164-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4828-90-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4860-68-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4952-228-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4952-144-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4980-267-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4980-177-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5008-40-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5008-125-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5112-224-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads