604e5afb7f0813880896a685cdc0478f1642a0fa4527c01760562317d9bda26c

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

604e5afb7f0813880896a685cdc0478f1642a0fa4527c01760562317d9bda26c.exe
Size

96KB
MD5

823704f6ecc1931095d7c5a7e2b7b30a
SHA1

a79642a9f47711e6d3ba347ae5e572c07af10198
SHA256

604e5afb7f0813880896a685cdc0478f1642a0fa4527c01760562317d9bda26c
SHA512

250bcb7ce4e1668f3ba4b1490432bda2e4cef6aaed6a0db692b3642d1eb470c374068b928487472c1389682ddd6c46290c9858d49e89cf9e000e4df3e7b7cb90
SSDEEP

1536:RfFbuUTS1OgMmUoJ1CLZ2LnsBMu/HCmiDcg3MZRP3cEW3AE:zjsHvJ1bna6miEo

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	604e5afb7f0813880896a685cdc0478f1642a0fa4527c01760562317d9bda26c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe

Executes dropped EXE 64 IoCs

pid	Process
4260	Liggbi32.exe
2156	Laopdgcg.exe
940	Lgkhlnbn.exe
1692	Lkgdml32.exe
1032	Lnepih32.exe
3500	Lpcmec32.exe
640	Ldohebqh.exe
2216	Lgneampk.exe
2344	Lilanioo.exe
1276	Laciofpa.exe
3060	Ldaeka32.exe
4728	Lgpagm32.exe
1472	Lklnhlfb.exe
3944	Lnjjdgee.exe
2872	Laefdf32.exe
2624	Lcgblncm.exe
3676	Lgbnmm32.exe
2140	Mjqjih32.exe
4168	Mnlfigcc.exe
2364	Mpkbebbf.exe
5068	Mciobn32.exe
4000	Mkpgck32.exe
1556	Mnocof32.exe
1004	Majopeii.exe
4212	Mdiklqhm.exe
3828	Mgghhlhq.exe
4804	Mjeddggd.exe
3228	Mamleegg.exe
2468	Mdkhapfj.exe
3684	Mcnhmm32.exe
1580	Mgidml32.exe
2052	Mjhqjg32.exe
4028	Mncmjfmk.exe
1876	Mpaifalo.exe
2008	Mcpebmkb.exe
3904	Mglack32.exe
880	Mjjmog32.exe
3960	Mnfipekh.exe
4184	Maaepd32.exe
1624	Mpdelajl.exe
3212	Mcbahlip.exe
3496	Mgnnhk32.exe
3608	Njljefql.exe
1468	Nnhfee32.exe
3008	Nqfbaq32.exe
5084	Ndbnboqb.exe
1680	Ngpjnkpf.exe
4548	Nklfoi32.exe
2892	Nnjbke32.exe
1412	Nafokcol.exe
4920	Nddkgonp.exe
4468	Ngcgcjnc.exe
1460	Njacpf32.exe
1668	Nnmopdep.exe
1588	Nqklmpdd.exe
4896	Ncihikcg.exe
4948	Ngedij32.exe
1396	Nkqpjidj.exe
4720	Njcpee32.exe
724	Nbkhfc32.exe
2744	Nqmhbpba.exe
1132	Ncldnkae.exe
2100	Nggqoj32.exe
1648	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Njljefql.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4032	1648	WerFault.exe	143

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	604e5afb7f0813880896a685cdc0478f1642a0fa4527c01760562317d9bda26c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mcnhmm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 4260	2360	604e5afb7f0813880896a685cdc0478f1642a0fa4527c01760562317d9bda26c.exe	80
PID 2360 wrote to memory of 4260	2360	604e5afb7f0813880896a685cdc0478f1642a0fa4527c01760562317d9bda26c.exe	80
PID 2360 wrote to memory of 4260	2360	604e5afb7f0813880896a685cdc0478f1642a0fa4527c01760562317d9bda26c.exe	80
PID 4260 wrote to memory of 2156	4260	Liggbi32.exe	81
PID 4260 wrote to memory of 2156	4260	Liggbi32.exe	81
PID 4260 wrote to memory of 2156	4260	Liggbi32.exe	81
PID 2156 wrote to memory of 940	2156	Laopdgcg.exe	82
PID 2156 wrote to memory of 940	2156	Laopdgcg.exe	82
PID 2156 wrote to memory of 940	2156	Laopdgcg.exe	82
PID 940 wrote to memory of 1692	940	Lgkhlnbn.exe	83
PID 940 wrote to memory of 1692	940	Lgkhlnbn.exe	83
PID 940 wrote to memory of 1692	940	Lgkhlnbn.exe	83
PID 1692 wrote to memory of 1032	1692	Lkgdml32.exe	84
PID 1692 wrote to memory of 1032	1692	Lkgdml32.exe	84
PID 1692 wrote to memory of 1032	1692	Lkgdml32.exe	84
PID 1032 wrote to memory of 3500	1032	Lnepih32.exe	85
PID 1032 wrote to memory of 3500	1032	Lnepih32.exe	85
PID 1032 wrote to memory of 3500	1032	Lnepih32.exe	85
PID 3500 wrote to memory of 640	3500	Lpcmec32.exe	86
PID 3500 wrote to memory of 640	3500	Lpcmec32.exe	86
PID 3500 wrote to memory of 640	3500	Lpcmec32.exe	86
PID 640 wrote to memory of 2216	640	Ldohebqh.exe	87
PID 640 wrote to memory of 2216	640	Ldohebqh.exe	87
PID 640 wrote to memory of 2216	640	Ldohebqh.exe	87
PID 2216 wrote to memory of 2344	2216	Lgneampk.exe	88
PID 2216 wrote to memory of 2344	2216	Lgneampk.exe	88
PID 2216 wrote to memory of 2344	2216	Lgneampk.exe	88
PID 2344 wrote to memory of 1276	2344	Lilanioo.exe	89
PID 2344 wrote to memory of 1276	2344	Lilanioo.exe	89
PID 2344 wrote to memory of 1276	2344	Lilanioo.exe	89
PID 1276 wrote to memory of 3060	1276	Laciofpa.exe	90
PID 1276 wrote to memory of 3060	1276	Laciofpa.exe	90
PID 1276 wrote to memory of 3060	1276	Laciofpa.exe	90
PID 3060 wrote to memory of 4728	3060	Ldaeka32.exe	91
PID 3060 wrote to memory of 4728	3060	Ldaeka32.exe	91
PID 3060 wrote to memory of 4728	3060	Ldaeka32.exe	91
PID 4728 wrote to memory of 1472	4728	Lgpagm32.exe	92
PID 4728 wrote to memory of 1472	4728	Lgpagm32.exe	92
PID 4728 wrote to memory of 1472	4728	Lgpagm32.exe	92
PID 1472 wrote to memory of 3944	1472	Lklnhlfb.exe	93
PID 1472 wrote to memory of 3944	1472	Lklnhlfb.exe	93
PID 1472 wrote to memory of 3944	1472	Lklnhlfb.exe	93
PID 3944 wrote to memory of 2872	3944	Lnjjdgee.exe	94
PID 3944 wrote to memory of 2872	3944	Lnjjdgee.exe	94
PID 3944 wrote to memory of 2872	3944	Lnjjdgee.exe	94
PID 2872 wrote to memory of 2624	2872	Laefdf32.exe	95
PID 2872 wrote to memory of 2624	2872	Laefdf32.exe	95
PID 2872 wrote to memory of 2624	2872	Laefdf32.exe	95
PID 2624 wrote to memory of 3676	2624	Lcgblncm.exe	96
PID 2624 wrote to memory of 3676	2624	Lcgblncm.exe	96
PID 2624 wrote to memory of 3676	2624	Lcgblncm.exe	96
PID 3676 wrote to memory of 2140	3676	Lgbnmm32.exe	97
PID 3676 wrote to memory of 2140	3676	Lgbnmm32.exe	97
PID 3676 wrote to memory of 2140	3676	Lgbnmm32.exe	97
PID 2140 wrote to memory of 4168	2140	Mjqjih32.exe	98
PID 2140 wrote to memory of 4168	2140	Mjqjih32.exe	98
PID 2140 wrote to memory of 4168	2140	Mjqjih32.exe	98
PID 4168 wrote to memory of 2364	4168	Mnlfigcc.exe	99
PID 4168 wrote to memory of 2364	4168	Mnlfigcc.exe	99
PID 4168 wrote to memory of 2364	4168	Mnlfigcc.exe	99
PID 2364 wrote to memory of 5068	2364	Mpkbebbf.exe	100
PID 2364 wrote to memory of 5068	2364	Mpkbebbf.exe	100
PID 2364 wrote to memory of 5068	2364	Mpkbebbf.exe	100
PID 5068 wrote to memory of 4000	5068	Mciobn32.exe	101

C:\Users\Admin\AppData\Local\Temp\604e5afb7f0813880896a685cdc0478f1642a0fa4527c01760562317d9bda26c.exe
"C:\Users\Admin\AppData\Local\Temp\604e5afb7f0813880896a685cdc0478f1642a0fa4527c01760562317d9bda26c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\SysWOW64\Liggbi32.exe
  C:\Windows\system32\Liggbi32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4260
- - C:\Windows\SysWOW64\Laopdgcg.exe
    C:\Windows\system32\Laopdgcg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\SysWOW64\Lgkhlnbn.exe
      C:\Windows\system32\Lgkhlnbn.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:940
    - - C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1692
      - C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1556
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1004
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4212
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3828
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3228
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3684
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3904
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3960
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4184
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3212
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3496
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1468
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3008
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4548
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        55⤵
        Executes dropped EXE
        
        PID:1668
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4948
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:724
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2744
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1132
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        65⤵
        Executes dropped EXE
        
        PID:1648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 408
        66⤵
        Program crash
        
        PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1648 -ip 1648
1⤵
PID:3204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laciofpa.exe

Filesize
96KB

MD5
d0ea0b6873835a4fb8c1c1bcbe9d0e46

SHA1
9b7b5d041cc8eb5755b58ef71c9ded716413c882

SHA256
c0d3684faf13d4b2efb4e62d579dcf0a383b599be8cefbfa16bc39e17d9de195

SHA512
ff3023b0a68894d046e4c50049555ab440c87e9da634eca8be3c3dcc5e0b76a77a9f48c7a86e6c418ef69faf8f71381c4aa23bbb889acb66097090e180cdc4d8

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
96KB

MD5
3984fb6b674e8ef871ff332b5713af86

SHA1
bb673939069c8625b22f851116c104192f803e42

SHA256
f3e300325d5508773db661a5f1d6f21dc5c474790d8006b37e45745fe856ed96

SHA512
e25ccd4af52ce625e60800029fd957ee2ea2ce48a4e88cacacfa84c432f4d9d6433b8d583c948856ce85eb42026dc5a4deebe7a178085fa94e51d8f318d3a856

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
96KB

MD5
30976e27ee211fb561c36df61dd22b0d

SHA1
fe9696249d9ddc6206bc0cd0d2fad97f338e7801

SHA256
85c16a1faac111feeb39c457d1bb646ebaafc3f222ea06be55725deb4a5d4b6e

SHA512
92b633820a5a5ad5a9422bce4d07e3f1d817152193546836d9d38d1b522e88d41718bb466cb1b472565042e070a9b8a9afaa92bc8acc65d17f6345e9455f544a

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
96KB

MD5
d2793093f57b910ebd98bae25b1c5eb3

SHA1
5efb60e83db79c7ddc03d67b63617e7fbfe91400

SHA256
cd1a552c4a95fe9e372ef1bd382c4351b77e28c5c09e3db8db02824b3c6cce2f

SHA512
19a97b56fe691a3a18d45dc52e1ffd61d765d8471ca447df3e57a028b27ddfac1195ff5d2bb046c6b91fc2a44d59515f57bcf75bfca10959059b87ff80e3f745

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
96KB

MD5
fccb96d321e166a51ef05638a3637040

SHA1
5edf39fa2568c66782284053e2eb222da4e6641d

SHA256
1716fbcd00bfaa558228a85d5a4b21eed3d376e5414aa35659d03ec472050e7b

SHA512
1dcc68ca8a72570ebd2381a95241bde20769be8d9d0d80a9368e0f819036095ed0bd170c5c9be7ee6ab2a6571a6177a7673b561d6700521de3e8e160d9d04fdf

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
96KB

MD5
ff8958a7af35182242bfd04d17bcd343

SHA1
7e4dfbc797f82972260f85a3632dee43b3d016c1

SHA256
1f5495256b5f459c9ce30a411951554720078de30419f0db06d5355f55aa22e5

SHA512
79ad1e5e86dfea118cd250e77cd057e5375a1521b2443ba18e6bff40b105c0bb39338f43e211087930cd85d060f3266e73ac3c9d2fbd1f1e8e4ba505383b9220

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
96KB

MD5
13f5fb7fd3ba2ec3888ce49fa6d93c79

SHA1
29f36ad985ca61447f6b69890778799a6afe8cec

SHA256
2e5b360f3030d88af59c713e19c5ec6cee4a06eb31c1e03e0f0a5cf2c7db8a92

SHA512
b06d8dcdc504b9fca67ec3744534bfd027fe18d20482f57f09cf7de031b205f1795eed3e26df5af442e8bc559d31fdea984d6f06c5e6aafdbe224af5040ccf38

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
96KB

MD5
4a0fc5a27db427d342b71c35c65c8c71

SHA1
2805e7ac3b31566128de11d716b6d42952d00a03

SHA256
bb6d2c6d074070d1709edfc53f2284097b133f714cf63d2c6c9a5d84ecb1c1b6

SHA512
736154fb75b3a4183500077fd5da31916deb1524d42d75c2a62f2b1824a8859f3b33c6516b738b7434e3a111b18efaec81a4b37c20db1c6ce0586ab388fe9220

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
96KB

MD5
a512a77ac7d807c81d69861a6bfc1754

SHA1
92130c7d6efd467fb279f48990cf47d31862f62d

SHA256
dd995a6f66cb875a7809d196ec6e261029b6766f9a71a4dfd7cf085a9933f5c8

SHA512
0a325c598324cdd19d98262b2e59be56ed130115659cba37c57b940a169d51b8ea8a6967b9d10fb8748c6e0135f6e35206bd651399f00cf5b7d1dace1a1e0025

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
96KB

MD5
7e6b6752f9c1ad8bc96f08ba9ea4aaa0

SHA1
dede6acedb7a7ea77ad0038a6df96fa7dd086890

SHA256
b941d4cbc288569cff560b1b1c1835c3ecb6cb2262d7261a50664a628c1830ed

SHA512
b34b6773ff6a54d6c3f615bb5c7650a944382132fd7dfc09a8e5638055e16ed1821f5ea9ff01b9dcaf2a99a42d0d0d6ea026070c6cd5b5813bc43b860241e777

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
96KB

MD5
eb19b5d60534faa87c1d76184ab64025

SHA1
87b783030aca80d72d2157ae21cd338fb14cbc37

SHA256
59c5c0742eaddd44668de03fc9d7c87f316e87b14662a0dc481aa9f074cf816b

SHA512
ff22a9ae16f32d2bcc6100073ee1f5ed9709054ccd59b055bfe74da29f3bb7a40aa97bfa0762fa00430c631c1c4f26a4c2f676a19c5f1b719f82a9e62a574403

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
96KB

MD5
afb3899184df7c704589f3abeed6f5dc

SHA1
df6cf8c8a3458e2ba086c0cd1109cd390cc31902

SHA256
765a93ebce77bcee35e2b345c783cf8008feadbc5da16ace9a1452cc01c355d7

SHA512
5f9bc5f4d74992633f8b84caa21f942556e724553e14bfb26cb0351ded45eae8cc751445fb367d0ba2690fb04974b3753b32f7431c29ae38f65d12e43df74367

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
96KB

MD5
625c32199f863123fdea48e28b5007b3

SHA1
79c2b219e9469bb28add1f403ccece0b75595dd2

SHA256
942a6dc14709f3aedd899d7897970c8de865cea8e6cd3027aa8dc636087fc547

SHA512
49cd6736806f51ce3be164b8e11258a59422e580aac62aa3ad9f0ad26eacd9de5225c826a7e980d31b82813a58bc624f4cf0f4a95fb9b0d846067fced061182d

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
96KB

MD5
3f3dddfa75332305355fd7df37ae3423

SHA1
eee2be75895c9f6496cef254e948a8f82895708f

SHA256
6e4db4d66e21d69b7929b52b218a37121e7eb391f0f1a44f1074f3f7a89017c4

SHA512
7d25d953f2965ef9cc753baf3867fdcee66ab2c5316216cf140b145bc871eb8cd4433664c9e12a2048509ed17c7d81a6f0b61e32fd66022353f7fddbb72dd8a6

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
96KB

MD5
09b408c3a3917a096dd343a33aac3e0b

SHA1
775c44853d6dc08dcacd95a7a80b52a7827f20cc

SHA256
0cc3ac79a0b49c9515f963d916597a91630e26e6831a23fccda948479f1e7f1a

SHA512
13074c7e2a7b74cdf5ae3caaebce7a1eb5e839fbc4c12d65082a67ecbde201009cf95f65eb389b67dc9e77478dd5ea55c92f7b621de56e9be314c5ecc9ff1003

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
96KB

MD5
aa1bf3cb03de09463a68830dd5aad776

SHA1
4f2bc19eec105157d59a87899d248ffdc4e0de94

SHA256
2dc3d300dea5a7b1be8733f07a5abc52e4c81426ce67fb1788f0a444f5a1ae00

SHA512
0203126fa6c6c6e4abca7d70c288c4f1e4c329120da9bce22b03c0bf270f20d35f629b957ea13c5e20e5267f34ce3adc39fc9174b27954516c17bfe426e9dabf

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
96KB

MD5
fd887fbe5988fb926fd1969aa59c3a7f

SHA1
9461df53da1a27d3c56b32d508a528338bc5dcae

SHA256
a876f47b8fd4acc23828326304fd5cdf49236946961581eedf4baaf799ae3ce4

SHA512
c7693ffe3cfaba581e17d3109c2796ccba5c7419a69d0b3c831ef017f6669b11875c2c64dd9a4d2efb51843d2b14166a8eccebb29205b2031e78511e1eca60e9

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
96KB

MD5
134e666c141bf2779d64ecaf9af175cc

SHA1
23788665efa7261bca0a631b12c473c035c1b1e6

SHA256
a8953aacb3afec44b50d3f5f5ddf5410473dbb747d6e9afcffbe13e7c1419bfe

SHA512
318cb5559154fb20c161467c0473174111843bea8454c2d79f4e2f0209087916f6cd688167061d894c11e939a755e5aeb767613594c5e8b34df39c7c428e9b70

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
96KB

MD5
bc4fb4e97fb02c3d00c0756d3a4957c7

SHA1
b67b5b21913dab42f34ae279493477366577c59c

SHA256
fcbd02621239b7c31354219f4b6394ccb90bfc8c83fcad5d59f4e13ccc395643

SHA512
39dba99dbf361c8e5e26a186558d74defcd1c71511e59c02a8c487fa576a21a5dc4c881359f65bbe1442535f81d9141b06f2cb72bdb512b622bd6eaaaffb630d

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
96KB

MD5
7e709f51197487b28eeee3cb25577e52

SHA1
9567258fdfd3913e589cceae8bb0253dde7f7902

SHA256
acec85af6361e216b0e777c88d9bb0fbb4e65ec8aa789e53834b2f8ba762ff06

SHA512
d244c5aec8ab83c5d4b699702dfe26c6d2aacbfadf4f8d1c5dc7f7f2abc3732d78591ba8df0590c1e2cdb57e8e47b8e42a766d1572b62dc66406caa26a7a97be

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
96KB

MD5
d29494e3d038dc53e832ce4de8778ff1

SHA1
6f378d73ab655b5712fb38d7659768463d86345d

SHA256
190f1aab8384a2ca6225195f7ab4751761a0778b50dd84883b2cac4c239a561f

SHA512
fb7bb3485bbf9d57a06c21b9b10e60d0209cb0d327ee4c27093d7318ac04a067c6459e180a18e03b27735141514797fd99adc4d0c671e51c24d02a81672d5bdf

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
96KB

MD5
ae5a1fc1e74bb184281e537cb894973d

SHA1
54f5f5bb3a585d43de8b6d03144571f6f8a53000

SHA256
bbbdcae0f7d4a840a66a02371760f930f4c56cb9599d884018849263d656b3a2

SHA512
1b6e862a8d2a3faa486868e5cc74813ada5304ae5593f77bf12873b95daca4833ae979084bb1ed38ab832b3d89aff2657dd8ddc86c7a0e9a572be990304d69d0

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
96KB

MD5
9d988b836db4dbb4f8c357bf5cebc149

SHA1
68d3b6ff509bb5680ef5b135b5ec24c7038769d4

SHA256
61238f00683b454ec2e327cbad1788e4105e0458fb2f5c62f4a5ea5fb7a981a5

SHA512
741802b64c3ba149161173a73ee48c0a3e44833d8d796df19ff78b4f763033cccad66c9034c2bc5ac52064704d5024b542844f46a85b5781c6713fbac1b18dae

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
96KB

MD5
1a7677712cfc1406c9099e0aa8d51f7a

SHA1
59e78a7b18f95e5bc63cb267a1e7fbfc3836ed79

SHA256
4f2b25d2ecd4fcb9adb24457ef6459e46870a355cdad4db608dc1ba958cfc419

SHA512
2a2f91071e0691b1e9340da7eacec34ccf3d43d8ebcffcd7df7a57e4d1dfaae30cd721b4a7855cd4d6bbf110d9e9e203f14e6b15313f64b7c9309bcdea66d9e3

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
96KB

MD5
01c7f93d965b8f0a8f071369c2698341

SHA1
135e5e2cea27cb94c038a2be761403d8910e4b57

SHA256
718029c5be1d9b868d785454e799601bd3317309ab46a477012e52f3c079ac06

SHA512
05db3cea56a2ac91cd2884610444ac80ae607c2f35243fbca56cfa765e4d70ffed90ca91cb4b5c09f8d8b141e3fd79aff33113c11cc42277f226850b7571c0d6

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
96KB

MD5
db810a1ee8754aa2a6a5d2a7dc3f4cff

SHA1
e3d032931e249318eafa03ae3c70449e7f77316e

SHA256
38be36aa6e4b30c7db22850f8379b6a196494778f8f4e1f9e08a64845135a5de

SHA512
76d691d45b68bdea79842faf4f5ca801d45f4202c3309716d969cdb37fdf6176e673988e2566aee982c2019a49f6e498a37c43ee4e49b820592712648ad8dc80

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
96KB

MD5
23cf574606010f78e7ed6913faab4c2e

SHA1
55e0f2d8af6a564ed0502e060e4b04eba6b36569

SHA256
e5ddb558899fb0432450d3649517525161b6909717544098d685efe84dedcae7

SHA512
d7283c57a211c57a57c45b882128e09d709b526b74e28db6ff757f7a620505916c65fe39a1309e9914ca41f910f755415a572fccf7ff2a4ebd780ad6ccd95ca9

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
96KB

MD5
c2c5c099f583204e9def9dd72e06296b

SHA1
a829aa8a3f6661ebad36c0d50c10f1c38ae3b90d

SHA256
9044deda178f3bacfb57891bd31fe547c3c44329f472c3d3d88f72c5d007922a

SHA512
cfa602011a3cf7cdc7252c52965a7142311866bb273a9f430061175089fb795f45dfe733b9be4a55817c12e17206e792cde27295e203d687b94d0dcc22ce55c1

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
96KB

MD5
746a65c59231771d25c3258bb63ed3ad

SHA1
02d217cddb32ff71d872b080bd376d41f0381829

SHA256
8af623e7e5adb69e5581adc06ab8262d12ff8a4400cf693db1ba5971aa9d08df

SHA512
3ae4bb108b4f196fd7df2616823948d9d474e28c4e1b8b63fdb226a6d8bee7dd99135d20a65f3a08481bbeef7ce7896de7e5c1b07edc9124998441a1ce886d89

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
96KB

MD5
e6dab85e07df062eb245b2bc1c1df92d

SHA1
89bda3e296377fb741c47a731daa40af1015f9fa

SHA256
8ec107122fd5a80fd8f4b5feccbb02e6f3d62fac15ce10630f9b11a904d8a2ff

SHA512
fb563bdd5616a46dd1e5912e8bca4a8c89e5f8d1de7f2b0f50698104c6525750ff5865892caaefd3c98fe5ab6dca55d3e0beddb94f317da81e6c84dd5316bd11

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
96KB

MD5
dda073552ea62225c65d295d807a8aa0

SHA1
33d19195f252d9e934f0202019151d71ed657d01

SHA256
684eeb3426b9d1817277328c1cfc93ee3d20d796060e7f0e17e3f33d8922e449

SHA512
ef0c26091ffd77cd0168f0b61ec51bb5f1536482cefda69f3b968be9f1f2844c29bf493084b46aa5528ed3108276491c830d90c2714aa874d243568978a311ac

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
96KB

MD5
6ad9e035113e2616032d02cec7a2a8d8

SHA1
67697e5d2c7b7263d644161528f2a1def1ef87c4

SHA256
0f6a038812716153561d8bab0e35697253661d139282b7f597535b1b4325e078

SHA512
01b26565b5c0d0e03ff30f8968e094a97ae877edc4f8cf8b411f1b0c236f01b328519aa18816ea608babae40c790b34ec28c8d61c45e99331f5f1e3fbc9c25b3

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
96KB

MD5
3c06560bf4ee95b6848df9a6a9c13154

SHA1
12b8084e367361f1b7957ba401863c65fae48e78

SHA256
1a456bfb30862cf373ff969aed4f7414cdb0b0049fce0658f0ff899e517e460a

SHA512
1f38da2f27b3ebe7244c92a2840d2216c3104b09c1c06b0381d574e51dedf9e59e01658035219757bda015d4a681cdfd910f42ec4905f7024f6f29bafe76f377

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
96KB

MD5
8fdb4bef7a8d777d2d112a7a41e71fab

SHA1
e4d51bdb5d25b3b4d5bb8db6bd5585338dee7a42

SHA256
c827c9628e7539b7c87d319948e903430d3c13dfa390666a1b605178bdc82d98

SHA512
1e6ffdac844ac55d247e1319f937ca444efa238d4e20993a666646312155d7fef535be5c59541ffb563ed1a6b6ffe2973df11eb654ca4c483c7e118c03565905

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
96KB

MD5
e81347d2fb6d68c9060ae94755ec0780

SHA1
385eb6d8c91a8d73c7200e5043a55b21a373b131

SHA256
f109cb14a45cb5fe1c6e6de32b30cee25455a6263376231653d759b3da566068

SHA512
7ec179f15ed984188ba24c25f2716999775ca77af1929cb4f0ab1d29294a9779fa4ab906b6eeddd1b4931143fac72c96f8d89215773776a8599d9c118470e1f7

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
96KB

MD5
5ec3b22cbbb61f6164103776b3795031

SHA1
84a2068cc58d85dc92564b632bdac131730f3818

SHA256
70b1fbf070fed808d120066092ee655cda7342d772ff1793803dda97f4f1415a

SHA512
f20dacaa30cfd22f6af0b2efaf6773f7f00d33cd8fc44194e98b78d4e39ed8788bb2e3d991c206235ce7977e079e27ee3e5fa6c85f634867afac87edd8941c09

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
96KB

MD5
b10edd5c1440cab4dbd11fe8dd582c0e

SHA1
7d0f4487054bd79139ac8175c7044acbebc13696

SHA256
e8399dd69ff00f242520d11b8392d73602b361d7e93e62e9c1b5e13e6f864db4

SHA512
d39415551edc4baefc927e8582240534571133a5f0c09037cd0e1739741699f7dd3584f18e90fa50034273a41ecaaee32f24dde861c86bfd3b614df5675e53f2

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
96KB

MD5
29752b789cb569b939c322f9cf10f50d

SHA1
5111e39b99ccc29d769e9b49f0a8a8fb8b6960e2

SHA256
ce916ef8c813b140119009e6952c7aadb5ba2e660cf62fc72593ff40e42445d6

SHA512
7f2b1ba6171e6057bc77391e449a108c26908177118e14d7fc8ddd19a6df22d197e11db3241dd816fce8d7d2687ca6b46c463a9b509a9075cc8cf8b7428631e0

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
96KB

MD5
2865d2924fab781eb01423ae3adfdc4b

SHA1
aa1ad188064f258b4d8d8a47aeb133d6960e8bf4

SHA256
6db49825527d8da8bb26cc6c7dfcbf5b49464b34111fa2adbd9186bbcaf79b73

SHA512
0c708975ad9720db2ed084f561e9d899890a83e63b2d0049e9550a71584ec16c55e9deedc52102f6a63da278ac59d835116428deac39e03662300ed0f594586c

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
96KB

MD5
81f5159cb6f5f6c9c66329e182f0940e

SHA1
616e6d6358a826eef84d37bc2e98c1f1a14cd75d

SHA256
7c3f2dce70db7f4904abaf2bb49224348ba1ce66230be8adc7445429c2bfae82

SHA512
6e1bad84411005cae2b654d982ac03b370a255f89f280dd482fb8aaf94df98395fc1721399a82e548512500e8a5aa322538ab8eb3e9685b66f3c9a6b9ab0c62b

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
96KB

MD5
ea069c9fc90d83cf1c96236fb3b0a31a

SHA1
fd119a27acfe44b534e195509d89522894ac88e7

SHA256
57cdba903a8a02e9a8fd26d413b2642edb0c03022fc21256af07852696f474b5

SHA512
24ddfc9431dac9bc29fbab65fe6566459226d466853dda945ae4b1e3336f71186773d60e6c3698768aeddb65a6069780a278e710f82bd27117e3a6793de76b40

Download Submit
memory/640-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/724-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/880-498-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/880-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/940-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1004-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1032-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1276-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1412-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1412-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1472-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-494-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1648-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1648-452-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1876-504-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1876-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2008-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2008-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-508-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2364-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2468-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2468-513-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2872-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3008-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3060-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3212-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3212-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3228-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3228-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3496-488-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3496-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3500-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3608-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3608-489-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3676-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3684-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3828-518-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3828-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3904-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3904-500-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4000-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4028-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4028-506-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4168-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4184-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4184-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4212-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4260-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4720-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4720-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4728-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4804-517-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4804-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-482-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads