2a3727841dcb5bda9c169df85c997ba814e4013e04fbd2e01bc9dba05e32a9a6

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2024, 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a3727841dcb5bda9c169df85c997ba814e4013e04fbd2e01bc9dba05e32a9a6.exe
Size

163KB
MD5

e412b710126b8ce84feaf3c1e256a6b9
SHA1

7f5d5264ea2ec0805b0e7c666e3256578b494f7c
SHA256

2a3727841dcb5bda9c169df85c997ba814e4013e04fbd2e01bc9dba05e32a9a6
SHA512

fe984c449d1a84cb1274c018c46a2af1baa263b33be9d88d7fe14340a7b7b6ee8521d3d6896c40a39a74567b167c33548f332771e812c1f6d587c73b8f2598cc
SSDEEP

3072:ZOAmCe9EaLymaScTPShd+Ba6ltOrWKDBr+yJb:Zr69pyiJhd+BXLOf

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iidipnal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iidipnal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iannfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2a3727841dcb5bda9c169df85c997ba814e4013e04fbd2e01bc9dba05e32a9a6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe

Detects executables built or packed with MPress PE compressor 41 IoCs

resource	yara_rule
behavioral2/memory/4556-5-0x0000000000400000-0x0000000000453000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000a000000022d84-7.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x00060000000231eb-15.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/636-21-0x0000000000400000-0x0000000000453000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x00060000000231ed-23.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x00060000000231ef-31.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/224-32-0x0000000000400000-0x0000000000453000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x00060000000231f1-39.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x00060000000231f3-47.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1388-49-0x0000000000400000-0x0000000000453000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x00060000000231f5-50.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2616-56-0x0000000000400000-0x0000000000453000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x00060000000231f7-63.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4488-65-0x0000000000400000-0x0000000000453000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x00060000000231f9-71.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3520-73-0x0000000000400000-0x0000000000453000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x00060000000231fb-79.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x00060000000231fd-87.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0006000000023200-95.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0006000000023202-103.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0006000000023204-111.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0006000000023206-119.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0006000000023208-127.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000600000002320a-135.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000600000002320c-143.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x00080000000231e7-151.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000600000002320f-160.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0006000000023211-167.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0006000000023213-175.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0006000000023215-183.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0006000000023217-192.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0006000000023219-199.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000600000002321b-207.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000600000002321d-215.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000600000002321f-223.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0006000000023221-231.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0006000000023223-239.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0006000000023225-247.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0006000000023227-255.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000600000002324b-360.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000600000002326d-461.dat	INDICATOR_EXE_Packed_MPress

UPX dump on OEP (original entry point) 55 IoCs

resource	yara_rule
behavioral2/memory/4556-5-0x0000000000400000-0x0000000000453000-memory.dmp	UPX
behavioral2/files/0x000a000000022d84-7.dat	UPX
behavioral2/files/0x00060000000231eb-15.dat	UPX
behavioral2/memory/636-21-0x0000000000400000-0x0000000000453000-memory.dmp	UPX
behavioral2/files/0x00060000000231ed-23.dat	UPX
behavioral2/files/0x00060000000231ef-31.dat	UPX
behavioral2/memory/224-32-0x0000000000400000-0x0000000000453000-memory.dmp	UPX
behavioral2/files/0x00060000000231f1-39.dat	UPX
behavioral2/files/0x00060000000231f3-47.dat	UPX
behavioral2/memory/1388-49-0x0000000000400000-0x0000000000453000-memory.dmp	UPX
behavioral2/files/0x00060000000231f5-50.dat	UPX
behavioral2/memory/2616-56-0x0000000000400000-0x0000000000453000-memory.dmp	UPX
behavioral2/files/0x00060000000231f7-63.dat	UPX
behavioral2/memory/4488-65-0x0000000000400000-0x0000000000453000-memory.dmp	UPX
behavioral2/files/0x00060000000231f9-71.dat	UPX
behavioral2/memory/3520-73-0x0000000000400000-0x0000000000453000-memory.dmp	UPX
behavioral2/files/0x00060000000231fb-79.dat	UPX
behavioral2/files/0x00060000000231fd-87.dat	UPX
behavioral2/files/0x0006000000023200-95.dat	UPX
behavioral2/files/0x0006000000023202-103.dat	UPX
behavioral2/files/0x0006000000023204-107.dat	UPX
behavioral2/files/0x0006000000023204-111.dat	UPX
behavioral2/files/0x0006000000023206-119.dat	UPX
behavioral2/files/0x0006000000023208-127.dat	UPX
behavioral2/files/0x000600000002320a-135.dat	UPX
behavioral2/files/0x000600000002320c-143.dat	UPX
behavioral2/files/0x00080000000231e7-151.dat	UPX
behavioral2/files/0x000600000002320f-160.dat	UPX
behavioral2/files/0x0006000000023211-167.dat	UPX
behavioral2/files/0x0006000000023213-175.dat	UPX
behavioral2/files/0x0006000000023215-183.dat	UPX
behavioral2/files/0x0006000000023217-192.dat	UPX
behavioral2/files/0x0006000000023219-199.dat	UPX
behavioral2/files/0x000600000002321b-207.dat	UPX
behavioral2/files/0x000600000002321d-215.dat	UPX
behavioral2/files/0x000600000002321f-223.dat	UPX
behavioral2/files/0x0006000000023221-231.dat	UPX
behavioral2/files/0x0006000000023223-239.dat	UPX
behavioral2/files/0x0006000000023225-247.dat	UPX
behavioral2/files/0x0006000000023227-255.dat	UPX
behavioral2/memory/3028-359-0x0000000000400000-0x0000000000453000-memory.dmp	UPX
behavioral2/files/0x000600000002324b-360.dat	UPX
behavioral2/memory/2708-365-0x0000000000400000-0x0000000000453000-memory.dmp	UPX
behavioral2/memory/4920-371-0x0000000000400000-0x0000000000453000-memory.dmp	UPX
behavioral2/memory/5016-379-0x0000000000400000-0x0000000000453000-memory.dmp	UPX
behavioral2/memory/2400-383-0x0000000000400000-0x0000000000453000-memory.dmp	UPX
behavioral2/memory/4300-389-0x0000000000400000-0x0000000000453000-memory.dmp	UPX
behavioral2/memory/4728-395-0x0000000000400000-0x0000000000453000-memory.dmp	UPX
behavioral2/memory/3624-401-0x0000000000400000-0x0000000000453000-memory.dmp	UPX
behavioral2/memory/3604-407-0x0000000000400000-0x0000000000453000-memory.dmp	UPX
behavioral2/memory/744-413-0x0000000000400000-0x0000000000453000-memory.dmp	UPX
behavioral2/memory/4988-419-0x0000000000400000-0x0000000000453000-memory.dmp	UPX
behavioral2/memory/3016-425-0x0000000000400000-0x0000000000453000-memory.dmp	UPX
behavioral2/memory/1084-431-0x0000000000400000-0x0000000000453000-memory.dmp	UPX
behavioral2/files/0x000600000002326d-461.dat	UPX

Executes dropped EXE 64 IoCs

pid	Process
2540	Iidipnal.exe
636	Ipnalhii.exe
4736	Ibmmhdhm.exe
224	Ijdeiaio.exe
2760	Iannfk32.exe
1388	Icljbg32.exe
2616	Iiibkn32.exe
4488	Ipckgh32.exe
3520	Ibagcc32.exe
4972	Iikopmkd.exe
4900	Iabgaklg.exe
1484	Ifopiajn.exe
3244	Iinlemia.exe
1076	Jpgdbg32.exe
3228	Jbfpobpb.exe
2936	Jiphkm32.exe
4576	Jibeql32.exe
4996	Jfffjqdf.exe
664	Jpojcf32.exe
1328	Jbmfoa32.exe
2296	Jkdnpo32.exe
4836	Jmbklj32.exe
1020	Jdmcidam.exe
1752	Jiikak32.exe
2284	Kaqcbi32.exe
3320	Kdopod32.exe
5036	Kpepcedo.exe
3152	Kinemkko.exe
4660	Kbfiep32.exe
4388	Kknafn32.exe
3356	Kagichjo.exe
5020	Kcifkp32.exe
2876	Kajfig32.exe
4224	Kdhbec32.exe
3772	Kgfoan32.exe
4436	Liekmj32.exe
4928	Lalcng32.exe
2108	Ldkojb32.exe
4724	Lcmofolg.exe
3860	Liggbi32.exe
1692	Laopdgcg.exe
1344	Lgkhlnbn.exe
1296	Lnepih32.exe
2120	Ldohebqh.exe
4304	Lgneampk.exe
2060	Laciofpa.exe
4908	Lcdegnep.exe
4004	Lklnhlfb.exe
3028	Laefdf32.exe
2708	Lcgblncm.exe
4920	Lknjmkdo.exe
5016	Mnlfigcc.exe
2400	Mdfofakp.exe
4300	Mgekbljc.exe
4728	Mnocof32.exe
3624	Mpmokb32.exe
3604	Mcklgm32.exe
744	Mjeddggd.exe
4988	Mamleegg.exe
3016	Mgidml32.exe
1084	Mncmjfmk.exe
4648	Mpaifalo.exe
4120	Mglack32.exe
2508	Mkgmcjld.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Codhke32.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Icljbg32.exe	Iannfk32.exe
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Jpgdbg32.exe	Iinlemia.exe
File opened for modification	C:\Windows\SysWOW64\Kbfiep32.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lnepih32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kajfig32.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Ipckgh32.exe	Iiibkn32.exe
File opened for modification	C:\Windows\SysWOW64\Jfffjqdf.exe	Jibeql32.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Olmeac32.dll	Jibeql32.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Jkdnpo32.exe	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Fbkmec32.dll	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Iikopmkd.exe	Ibagcc32.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Jeiooj32.dll	Jpojcf32.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Ipmack32.dll	Iabgaklg.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Lpfihl32.dll	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Kbfiep32.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kknafn32.exe
File created	C:\Windows\SysWOW64\Kgfoan32.exe	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Jmbklj32.exe	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Ikjmhmfd.dll	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Jflepa32.dll	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kgfoan32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2900	860	WerFault.exe	166

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pckgbakk.dll"	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	2a3727841dcb5bda9c169df85c997ba814e4013e04fbd2e01bc9dba05e32a9a6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpfihl32.dll"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipmack32.dll"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeiooj32.dll"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbkmec32.dll"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnnkcb32.dll"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnnj32.dll"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	2a3727841dcb5bda9c169df85c997ba814e4013e04fbd2e01bc9dba05e32a9a6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iinlemia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichhhi32.dll"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjmhmfd.dll"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qngfmkdl.dll"	Ibmmhdhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaaagol.dll"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopdi32.dll"	Icljbg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4556 wrote to memory of 2540	4556	2a3727841dcb5bda9c169df85c997ba814e4013e04fbd2e01bc9dba05e32a9a6.exe	85
PID 4556 wrote to memory of 2540	4556	2a3727841dcb5bda9c169df85c997ba814e4013e04fbd2e01bc9dba05e32a9a6.exe	85
PID 4556 wrote to memory of 2540	4556	2a3727841dcb5bda9c169df85c997ba814e4013e04fbd2e01bc9dba05e32a9a6.exe	85
PID 2540 wrote to memory of 636	2540	Iidipnal.exe	86
PID 2540 wrote to memory of 636	2540	Iidipnal.exe	86
PID 2540 wrote to memory of 636	2540	Iidipnal.exe	86
PID 636 wrote to memory of 4736	636	Ipnalhii.exe	87
PID 636 wrote to memory of 4736	636	Ipnalhii.exe	87
PID 636 wrote to memory of 4736	636	Ipnalhii.exe	87
PID 4736 wrote to memory of 224	4736	Ibmmhdhm.exe	88
PID 4736 wrote to memory of 224	4736	Ibmmhdhm.exe	88
PID 4736 wrote to memory of 224	4736	Ibmmhdhm.exe	88
PID 224 wrote to memory of 2760	224	Ijdeiaio.exe	89
PID 224 wrote to memory of 2760	224	Ijdeiaio.exe	89
PID 224 wrote to memory of 2760	224	Ijdeiaio.exe	89
PID 2760 wrote to memory of 1388	2760	Iannfk32.exe	90
PID 2760 wrote to memory of 1388	2760	Iannfk32.exe	90
PID 2760 wrote to memory of 1388	2760	Iannfk32.exe	90
PID 1388 wrote to memory of 2616	1388	Icljbg32.exe	91
PID 1388 wrote to memory of 2616	1388	Icljbg32.exe	91
PID 1388 wrote to memory of 2616	1388	Icljbg32.exe	91
PID 2616 wrote to memory of 4488	2616	Iiibkn32.exe	92
PID 2616 wrote to memory of 4488	2616	Iiibkn32.exe	92
PID 2616 wrote to memory of 4488	2616	Iiibkn32.exe	92
PID 4488 wrote to memory of 3520	4488	Ipckgh32.exe	93
PID 4488 wrote to memory of 3520	4488	Ipckgh32.exe	93
PID 4488 wrote to memory of 3520	4488	Ipckgh32.exe	93
PID 3520 wrote to memory of 4972	3520	Ibagcc32.exe	94
PID 3520 wrote to memory of 4972	3520	Ibagcc32.exe	94
PID 3520 wrote to memory of 4972	3520	Ibagcc32.exe	94
PID 4972 wrote to memory of 4900	4972	Iikopmkd.exe	95
PID 4972 wrote to memory of 4900	4972	Iikopmkd.exe	95
PID 4972 wrote to memory of 4900	4972	Iikopmkd.exe	95
PID 4900 wrote to memory of 1484	4900	Iabgaklg.exe	96
PID 4900 wrote to memory of 1484	4900	Iabgaklg.exe	96
PID 4900 wrote to memory of 1484	4900	Iabgaklg.exe	96
PID 1484 wrote to memory of 3244	1484	Ifopiajn.exe	97
PID 1484 wrote to memory of 3244	1484	Ifopiajn.exe	97
PID 1484 wrote to memory of 3244	1484	Ifopiajn.exe	97
PID 3244 wrote to memory of 1076	3244	Iinlemia.exe	98
PID 3244 wrote to memory of 1076	3244	Iinlemia.exe	98
PID 3244 wrote to memory of 1076	3244	Iinlemia.exe	98
PID 1076 wrote to memory of 3228	1076	Jpgdbg32.exe	99
PID 1076 wrote to memory of 3228	1076	Jpgdbg32.exe	99
PID 1076 wrote to memory of 3228	1076	Jpgdbg32.exe	99
PID 3228 wrote to memory of 2936	3228	Jbfpobpb.exe	100
PID 3228 wrote to memory of 2936	3228	Jbfpobpb.exe	100
PID 3228 wrote to memory of 2936	3228	Jbfpobpb.exe	100
PID 2936 wrote to memory of 4576	2936	Jiphkm32.exe	101
PID 2936 wrote to memory of 4576	2936	Jiphkm32.exe	101
PID 2936 wrote to memory of 4576	2936	Jiphkm32.exe	101
PID 4576 wrote to memory of 4996	4576	Jibeql32.exe	102
PID 4576 wrote to memory of 4996	4576	Jibeql32.exe	102
PID 4576 wrote to memory of 4996	4576	Jibeql32.exe	102
PID 4996 wrote to memory of 664	4996	Jfffjqdf.exe	103
PID 4996 wrote to memory of 664	4996	Jfffjqdf.exe	103
PID 4996 wrote to memory of 664	4996	Jfffjqdf.exe	103
PID 664 wrote to memory of 1328	664	Jpojcf32.exe	104
PID 664 wrote to memory of 1328	664	Jpojcf32.exe	104
PID 664 wrote to memory of 1328	664	Jpojcf32.exe	104
PID 1328 wrote to memory of 2296	1328	Jbmfoa32.exe	105
PID 1328 wrote to memory of 2296	1328	Jbmfoa32.exe	105
PID 1328 wrote to memory of 2296	1328	Jbmfoa32.exe	105
PID 2296 wrote to memory of 4836	2296	Jkdnpo32.exe	106

C:\Users\Admin\AppData\Local\Temp\2a3727841dcb5bda9c169df85c997ba814e4013e04fbd2e01bc9dba05e32a9a6.exe
"C:\Users\Admin\AppData\Local\Temp\2a3727841dcb5bda9c169df85c997ba814e4013e04fbd2e01bc9dba05e32a9a6.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Windows\SysWOW64\Iidipnal.exe
  C:\Windows\system32\Iidipnal.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\SysWOW64\Ipnalhii.exe
    C:\Windows\system32\Ipnalhii.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:636
  - - C:\Windows\SysWOW64\Ibmmhdhm.exe
      C:\Windows\system32\Ibmmhdhm.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4736
    - - C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:224
      - C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2284
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3320
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5036
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4224
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3772
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4436
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2060
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4004
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2708
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4920
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5016
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2400
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4300
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3624
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        58⤵
        Executes dropped EXE
        
        PID:3604
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4988
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3016
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1084
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4120
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2508
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        67⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        68⤵
        Drops file in System32 directory
        
        PID:1528
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        70⤵
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        71⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3100
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1000
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        75⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4412
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4520
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1316
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1236
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4828
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        83⤵
        
        PID:860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 400
        84⤵
        Program crash
        
        PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 860 -ip 860
1⤵
PID:428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Iabgaklg.exe

Filesize
163KB

MD5
06972e69fda4f76c43e9fac614fd5a4d

SHA1
a6553c8cfc6a52ea526c9cb0bfc609b43c7c1665

SHA256
79841bbf1f328c8d610e2f0efa73f4e3b16a35ed9d032a27648612d8a58b506a

SHA512
decce14319086d5e51a766ff487b3af1338701f5c32c3047a106e248f14bfd96a0394ba7c521371b5e6589bcf07a117b5feb68553caeda1ee293476ef798f595

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
163KB

MD5
1d6e077c2463b1e883599be7d0f39df3

SHA1
1d5a2dd89085071d043ae9edcb7e248e57119c46

SHA256
a47fb5578258718e92938e802a7f65f44afc2ee793039c30b04b43cf6959a217

SHA512
b29c05ef722f9497192a0c2eeb2b037be9ebb4c345cf1fb60f4edcc6b93ddabf1490dd5cad3d259095b3779e03d07ed4c45db539778679491b7fb934f5abaf4d

Download Submit
C:\Windows\SysWOW64\Ibagcc32.exe

Filesize
163KB

MD5
acb8b830010be7c908a1de563700e216

SHA1
d48cdfa464553b90c0d45611d3cb13708dac3efa

SHA256
3c2b5a681acf9e4bc8b7fc47dd2b52eb0610c8ee684f2d2ddb25331a4a577497

SHA512
5b36136f5d571170ba2712109def40b7e4577966e9886ace01c6be05b654b867b710e36db5326882f9aa27ee146049945b73ceb4fa08d3c386eafd02b33bc779

Download Submit
C:\Windows\SysWOW64\Ibmmhdhm.exe

Filesize
163KB

MD5
38546600b4b8bd0287fe2c6b7f4d91e7

SHA1
2356e2571d52e61c6d25fd0325403631332b8c15

SHA256
c4c46ea35cf33dac9c11aa23a50608e0282e8797c0af5be334ac87c4ca52671f

SHA512
441004f3a9c894c337e499345cd70f3b2231ab55069fec71a88cb753bdb009e3575fd6af0355a507cba603be365fb91bd4f35af5513a3bc172c329d288b77b2e

Download Submit
C:\Windows\SysWOW64\Icljbg32.exe

Filesize
163KB

MD5
c08e1d868f9fd05384b9f0f0d917f338

SHA1
fec53ca7b7c40fc3bebfae8e9fd817e22ce01416

SHA256
a09efbc0303df6cf232ffdbb953c04c23d53287cbd3a0d4be2a0e669904e5486

SHA512
d984dde165163aa68e0b10a6ed5289b1a5341cdb61576b5987b59c279536f0a0b1c9c9bad22baaefe948414ca4bfb526919e5ed6daf8363d54b3196cac4cc577

Download Submit
C:\Windows\SysWOW64\Ifopiajn.exe

Filesize
163KB

MD5
ae3102b37632e14af70b26c36cfbe88e

SHA1
c75b46dfeda2ce8df2725af38841324f84a3c95c

SHA256
9bf1ecb705cb162c12ab14c0b68638a2fed9f280661e321c15b771cdfbbc7c55

SHA512
b18c1b4d3a2c96f96e2201b3bad045fb4ee17af2fcf4c5a609b034f49604aa55070f9b38269c36a9b185ce3124ee73a612694a80398276f8b969e1507eed915a

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
163KB

MD5
0bb781a5feca583896d0d316a1940d64

SHA1
03b859321bc9d0c5a650e67b2243bc857820afed

SHA256
41cf96ce2d0056ee4f8f3eefbeaf5e378be69031408c4a4a2c759689192b698f

SHA512
6d13fd04c92ad6e9d71c6132a19ed2c492caab3273dad21bc6a595f8437df9ce5d016745dfd1f9a7b42fd09792600cf69dcde4bcad8bfcd1bd136b384da0efb6

Download Submit
C:\Windows\SysWOW64\Iiibkn32.exe

Filesize
163KB

MD5
c73ad5b5897bd698024d60644efa31d7

SHA1
bd863c230d3a133c7f5d1ecdca558059bbb5b21e

SHA256
31bbc7bc44acceefbbaed7c778caafe3ce0dfec7918f922f754fe70554992bcf

SHA512
7e009f8256505232974e564a803d33d5ddf83a846c84bc56bef14289b4c5347d2f46d05efbbe369040467366c603f966ee6a96718978de8cb45e7fc34c10e521

Download Submit
C:\Windows\SysWOW64\Iikopmkd.exe

Filesize
163KB

MD5
b93912321ccc8e42d56a5b1441cdda58

SHA1
d82ce3113d08bf3d6129fab079f96db2ceb65c94

SHA256
8e5b98e36b6b47a68332a953dc1cc26320c56e517a8144285999452cd944058d

SHA512
53e01a50c8610f901d2638d9d804611653043b12022ebbd3c4f7ba61f857e419bdb62116ea58baa0f7db28334669c150e01a19cb01bf4ca06c20d8476283d75a

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
163KB

MD5
e486f9eae4ad3f0311a832a339d7fbc9

SHA1
b304663e1ddabd2fdea2c60947a5f28624197e54

SHA256
569bcc1a8efcdb0f821d28e9a0498410e313d8dfb300992252024f7748736a2c

SHA512
d3ea0ac26c93ed796c9307a1446c5374508822251c132a632f7683d4f1ad51ac115a6c268f8bef89f9f7978151f8676f829b758691c353812e485443ed71f385

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe

Filesize
163KB

MD5
2444e4eab611dfb6cd544bf5cc023e2d

SHA1
f0656fc3892d7b012ce9012dc4959b273aaf7ff6

SHA256
890a6686c3f202ccae83fe5e4f1571bbe68c5952e6f6a2ae6274d9adb365e6d6

SHA512
dd8941375083687913b6cc658ae25cd8e4af3f0d4f2f458a7865fa5a2578d978209f040df8ca56c09af84b220dbeeb890241f1a65fc249551bcfce11bc956001

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe

Filesize
163KB

MD5
b3d58a287d7a38736675c60c655efb46

SHA1
e576e4d994637180ad8ada0741456d583c5afae5

SHA256
3a73e8a5ad576a597dc4de03582410ce3cd2708dbf46365142f021c8de4e91c1

SHA512
5b4df883deb16d476ba53cc50be5c0b04da8594e9c6df88a97ea5ee3423372009ee08f1bf430d24d7198429d9ee7bc319d61f0413351438ba9caf8a3018df282

Download Submit
C:\Windows\SysWOW64\Ipnalhii.exe

Filesize
163KB

MD5
eafc0a103ebcdb286718b349ab01b0ee

SHA1
9eda55a00174ed6ccdb48ac54137e968c785c791

SHA256
44f3478df51573cc4fc3625afe15494e6d608166ca336952f82a414ada05c142

SHA512
8366e1dba01eca4c7660ccb8fe74fbe879f26707d9a58583f623e4e549a63d39de4288a5428859e7d8366caed2514be19e3b47cdc951259d3267ebc2cd37e358

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe

Filesize
163KB

MD5
628d4791ce03216e7dcbc5be8bae17fa

SHA1
70a796c2fea53c5a87302e03bad418d5beb34ef5

SHA256
def586b79205b8e9ed677314a34a155459167f8cdfb393fedb7ea3f136fea892

SHA512
a82e157b2c5b4cd578851d581bd06bba00f786ac815281e46a1eb11e3026a3a721686710869367c8958f0cebeb14482301aedb7af7ad65d336452affa170c1e1

Download Submit
C:\Windows\SysWOW64\Jbmfoa32.exe

Filesize
163KB

MD5
3b183d28fbe4d4516360573b8dfedace

SHA1
85f5146f75504cd0b43edf64b7cc016125c8f262

SHA256
23ad25d3186f5672473434358e8b1b5662080a868dd77d23481cf749035cd802

SHA512
d8cac9e68037e8a2b2068089fae26aaf97961a5e61a527f1b4c66f7a4f3a5602e754fb3b05bf262ba8380ce6b784258228c57a82227f6aa882e692ba272d0173

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
163KB

MD5
d6ea729ff2e03d506032c8acad41ef98

SHA1
aa6eef17058ab26611737db1ae4bb3dc981dc744

SHA256
515960cfadc36abed031c8e799ea9da9d7cedae2a0c48fdb0d55f49a49270a59

SHA512
fb97a0e1442e4fb04e270e999c7b42f4afe6b8b51e29195cef7e6f06859a5bed04866c2dda658aff8261fd8f0cedf7ba8ae795bb7fa34b099253e822a4df1107

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
163KB

MD5
b03db2b5ff4e407a7b3d6526406d3c28

SHA1
10c87ab81f6c8dc85eb3751186b442cc5da18307

SHA256
8dfbc43fa18795925bfd64959df24e07f4af3081fcb42846629c5ae4650598e4

SHA512
231545eba609a140e3e81f64271784fa722ae7addda16b1c9e8088671a1104c39c982692a133c3a0fd504becf78f81cf63a860587ec9047d4226b8f03db28eb7

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe

Filesize
163KB

MD5
d72c936b64958fa5818ce453c6c2545b

SHA1
7793258aabe2321a4703c9582425f5072eca7de5

SHA256
4a27b38db69138160cdcd93e1ef790df1440c5657d52f07ea2205690502fb5e3

SHA512
d59ee76a9fa20e882c9392ed1cefe217cf11987996c60608579e1987379eb679d41343914e832925efb7a13d753890e30cfb637b0bd563d5142d33872c3cd4a5

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
163KB

MD5
8f704f7cdf00810bcd64cb86c30ce3ee

SHA1
c7b3ddde4aeef1c4dc5dba6e9ea7deeccb7b8428

SHA256
d0db247a5fe09c235bef77008d2faefc3f864c846513546f9c9d96df86c22af2

SHA512
6ae71e8b46732ecb85a6f4197c0cd607c9407cd29a054b4b4ad215db22618f08d2e01493d0e4da40cf9cdc63c23bf6155e17f8f3de4a365085b0d85334f50716

Download Submit
C:\Windows\SysWOW64\Jiphkm32.exe

Filesize
163KB

MD5
db65b9ff53c4633caf0340e47956f04c

SHA1
35ecb2bf7c0504c8efce8bb46def0fd0e47270d2

SHA256
786fa8b3a1512b6bc58525ed216448e5da8229177a992175caa025ef76e36a65

SHA512
12e52bc1f335f67d37dc883ecd0d42c9ca20c2d1e1e1b6bf6e31347d7d3f612e8f60780fec2398eabf3d44eec151e1f719c128e8b20e2a45d80377334f91ea63

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
163KB

MD5
eca76850568ca32a396e38e708457e78

SHA1
36e49fa84e6f6dc13cb5a77ccc94180021ad005d

SHA256
7a011bd3d460b124a93e45fd988f0a9114f1295605341a3d3df3ff586a1e4698

SHA512
a72aecea4aa95de03b8acdbfee78f62f115e356fc58c58b37dd9c1ae0d0cc589b71e3bc692337b011cf1f94600e406ced09c7b49e66783dea9baa1ca622cff46

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
163KB

MD5
14210f957c562db83df4b814e8a5915f

SHA1
f87be5e53d4784f7c2310766f1908bdb28e9e0bd

SHA256
4c7dce8a930c22b03e8acf7ec1fa20a097894c39dbe0574bb9284851774c4994

SHA512
f28bdde686d5c21fb7ea20f1cad0dbf139977659feda51987fc485a78369d008af8602bce8e5f06cb8b6ba6fa0fe17a0e2868a63e6821b1da0fac9aa9dd9d959

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
64KB

MD5
ea359520462d23a5266e64b9bbeab746

SHA1
df92838b9adb450bcf85974eeede274e343c3029

SHA256
65ce4c2ba89b5f9786ed2311cc7af0c4392fd4b5ea8df7a566680a3b973f4793

SHA512
d03e536bfd256e0babcd87192506af231f2f9cb8004dbddf840daff0cde666cb0145dd9584d8e36f12aa92b4eac6c8045ff042e27ddffc9d19296101bb65678a

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
163KB

MD5
34d955f19d712f624f353226fee15649

SHA1
32ecc29a5046c88839a87eaa013789966c72be79

SHA256
0bf12fd90907e21cc7c3065089e6e5956c3febc48c1f6aa7b4e5240a110af91f

SHA512
2dca1e7333a5c6478a8ad8d4a2863ce707394f3750f9c86870212dce2f3c23d5fe16da7eb1dd3ca11b08c7b9b537876f39b0ad918e4ab5a0ba7110d4a51ed9f3

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
163KB

MD5
96ab6ecd048ce44b9370d94fffbdd1b2

SHA1
e6612181bbb4b25e0fa2a8649c9ff5d91691a1f5

SHA256
c42728da8b6438068333c6382ea7f04737b5c39ae52397f072e6c9ab703d5e97

SHA512
508f8adbf9d1c34215cc7260a4ed3b92699faaa88d897cb9e6556cf7ce29cecf5c276e28f1297f36ad85ae10c3b19803040b51c0b14bb301eec4abdd8160037a

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
163KB

MD5
38cc9103265034f65444d3dbb309ef7d

SHA1
925165b665737cc49007cc68ab78548e78b74065

SHA256
c606641c017cb8351a95d4d202b9c6a73132c331a8a40e69e1002f6b78cf219a

SHA512
873e65a8e7b70c961a489864698414a80b94daf65436f938b8bec973cd01bdd61acd97c2a6db2e2f17c707310da9c1f67b7fd44681925d192c7f86610ee85c3d

Download Submit
C:\Windows\SysWOW64\Kaqcbi32.exe

Filesize
163KB

MD5
99ad85cb7ff7721f76bf30f2d513be62

SHA1
6521ac0f495be502fbaf642e0a6b96f058f45e33

SHA256
084ac9289948f4b8240cc0c3fab7e07402a3a71bc52532875e23a7a9fb323ea2

SHA512
a4b693367eed0bb7ef6f54f7c69c4a046426700e55762d5caba0281630b0881fbcdb8048ef0e43f90b6ae4419e316b84db0f76a7251d3d8a68eba0f551f3f661

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
163KB

MD5
3d67f21c419fb949a41a41dc694cf7b5

SHA1
fc433d3ebf8cd039311d14ba063db7a8ff172b0d

SHA256
12d759c623fd2454b45e665fb2278a6de55e48b5e979446cefc0366fc5718761

SHA512
c66305f8ca85b83d661efd0baec8ee7ecac02c573a1c8d465d5274c46da1666b982f9105e789ebb69c8ebb35648d6a5babea98aef6cee384a1d7802adfc638ca

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
163KB

MD5
105be363310c5e71b496a0af660d545a

SHA1
f69e4dbb209556fe77ce6ed660b1d25aaa97bbbb

SHA256
547f7a98cab4f77ed81230bea0557e84f66db8c76be5035e74f500c9cc759a84

SHA512
ca464c2f0c4f7fdbb2b44bfd4ad1263f2448e72c58351e4e153438d8a689b9bd182029e070af79b33cd2e7b77def48c414fea460bce0092bd12ba592a854b614

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
163KB

MD5
2980c406720f8b333e9f1fa1e464ff14

SHA1
efb3c88b44f08a9268c11698ea6b980930880e28

SHA256
9a26bc4f20944f86e0b768f285b21bf9694e779d55c5b2bff6a314e60e01a8ea

SHA512
a25c822e22e6be444628ce7d68a49ad05c5ce7f3e728f3616078dedc90df5080db0fc0a55c7eb2996ed1a01360b27fe3f2e97a63028ca2984776d3abfb403767

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
163KB

MD5
9925c88ea23416d960cb4ea09fb89695

SHA1
a4619a95a3585704a6318a3d0dad865f8df0a4f1

SHA256
fac2f9b0f396d3e20f1ca4132c880fcf8f683ae83717ea1cb5f3213a5d9fad1e

SHA512
8fe61825e3d7b0928916814267ab62a80cc78e31fb43a0928a92668a8342dbfcca98bbb9d8abd3caec32312d73231f1ae9f71c7eb7a492b2775989aa708a55cc

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
163KB

MD5
bb7626305deb0f8c0c3ef570f1ec4d20

SHA1
f824d6ff9198b3f45b6f3e12235e9c5f6fd08bb4

SHA256
5257e0f4303f45770503bf9ac8827b08d27d6125ac7a93b133a0b5fc0d88a493

SHA512
335fafc5352ba8b00573865eac837e63ccac266776aa1eaff8b5df3e3db01e6c879798d70ebba9500ea96a7a3b1f301e0a48f87820e74250f70ae82c4f4fa7d4

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
163KB

MD5
14177028f624cd689fcc845c12376e5f

SHA1
a63cc697dab9e891b2544b5f6751ab3747d5e698

SHA256
d28bbfc9089edc60577e9b9c810cf2395f40662fc1734d7106df8e4a0bc38d77

SHA512
bc1ac7bcdebc5c578cc683061ff2718117e1fa3027b785327bc4b3809207004a5eabf4c6503a2e4e2d3c1c72beaa3df872b75643ecad81503cf38636da37ae51

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
163KB

MD5
a9f7d48b54fe47423335fe259e80140c

SHA1
05bb4868cd653427c53641b741de35f66fbf8e86

SHA256
eb0bc2025cc461d2cd8adc72520738b70270fcfdd45a4e6984d27378171014ed

SHA512
41025f5aaad8356270e6ab681bdf99459142bdf6ed63be1870249aca6d30e374f1a42b67f83d0e21c201e2447b2760ca78ddff415cabc29a6f22e630a4fae2da

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
163KB

MD5
a12704146735b78f7ef8bf2d9f7e73d6

SHA1
cf42c5775285cb3d6943004def4a2e827f67a730

SHA256
139c8feabba3ea2ac40c568c57ba7af5cb26aac527e7cf05e910b3df972d30c8

SHA512
f5ba168dd8f9a6f89ad896f6f38b54efcc2cba7f8df4a22a30c9b66f3680cb6c5fcfb043aad357a57cff276a4ae4cc6622f3b851b0e06086d8404b693519128f

Download Submit
memory/224-32-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/636-21-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/664-153-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/744-413-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1020-185-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1076-113-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1084-431-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1296-323-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1328-161-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1344-317-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1388-49-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1484-97-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1692-315-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1752-193-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2060-341-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2108-293-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2120-329-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2284-201-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2296-169-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2400-383-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2540-9-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2616-56-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2708-365-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2760-41-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2876-263-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2936-128-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3016-425-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3028-359-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3152-224-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3228-121-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3244-105-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3320-208-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3356-249-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3520-73-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3604-407-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3624-401-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3772-275-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3860-305-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4004-353-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4120-442-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4224-269-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4300-389-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4304-335-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4388-241-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4436-281-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4488-65-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4556-81-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4556-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4556-5-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4576-137-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4660-237-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4724-299-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4728-395-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4736-25-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4836-177-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4900-88-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4908-347-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4920-371-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4928-291-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4988-419-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4996-144-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5016-379-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5020-256-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5036-216-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads